The Biden Administration has committed to making cybersecurity a top priority and is now turning its focus towards energy infrastructure, which is widely recognized as vulnerable to cyberattack due to grid control systems. The U.S. Department of Energy (DOE) has launched a 100-day initiative to “advance technologies and systems that will provide cyber visibility, detection, and response capabilities for industrial control systems of electric utilities.”
Since the initiative was announced on April 20, 2021, Colonial Pipeline reportedly became the victim of a ransomware attack that forced a precautionary shutdown of the pipeline. Colonial Pipeline supplies almost fifty percent of the East Coast’s gasoline, diesel and jet fuel. The attack was one of the most successful cyberattacks on oil infrastructure in the U.S. to date and highlights the vulnerability of critical U.S. infrastructure.
DOE’s initiative outlines four primary areas of focus: (1) encouraging the implementation of measures that increase “detection, mitigation, and forensic capabilities; (2) setting “concrete milestones” designed to “enable near real time situational awareness and response capabilities”; (3) supporting and increasing the “cybersecurity posture of critical infrastructure information technology (IT) networks”; and (4) establishing a voluntary program “to deploy technologies to increase visibility of threats in ICS and OT systems.”
In addition to the 100-day initiative, the DOE also recently issued a Request for Information (RFI) seeking input on supply chain security in U.S. energy systems. This follows Trump’s Executive Order 13920, which concentrated on securing the United States bulk-power system supply chain and is set to expire on May 1, 2021. The RFI is intended for DOE to “evaluate new executive actions to further secure the nation’s critical infrastructure” and “strengthen the domestic manufacturing base.” The RFI also represents a key opportunity for stakeholders to address concerns and implementation problems that arose under EO 13920. Responses to the RFI are due by 5:00 pm on Monday, June 7, 2021.
Beyond the foregoing Executive Branch actions, Congress has also demonstrated a renewed interest in addressing these issues. Three bills focused on improving the electric grid’s resilience to cyberattack (H.R. 360, H.R. 359, and H.R. 362) were introduced in the last congress but none of them became law. In the last month, new versions of all three of these bills have been introduced. On April 30th, Bob Latta (R-OH) and Jerry McNerney (D-CA) introduced two bills, the “Cyber Sense Act and the Enhancing Grid Security through Public-Private Partnerships Act” and the “Enhancing Grid Security through Public Private Partnerships Act.” Then on May 11th Bobby Rush (D-IL) and Tim Walberg (R-MI) introduced the “Energy Emergency Leadership Act” to consolidate responsibility for energy emergencies and cybersecurity in the DOE. Although the last Congress’s legislative efforts were unsuccessful, the increased focus on cybersecurity coupled the notoriety of the Colonial Pipeline attack may lead to a different result this time around.