How the Energy Department Can Improve Industry Cybersecurity – By Tasha Jhangiani and Madison Lockett (Defense One) / Aug 5 2021
Practical steps include educating direct actors like electricians or IT professionals on basic cybersecurity priorities, concerns, and best practices.
This year has been a pivotal one for malicious cyber actors—particularly those interested in targeting U.S. critical energy infrastructure. In February, a hacker who had infiltrated a water treatment plant in Florida attempted to raise the sodium hydroxide concentration to a dangerous level. Just a few months ago, the ransomware attack on Colonial Pipeline shut down one of the largest refined gasoline pipelines in the United States for almost a week, and states across the Eastern Seaboard felt the effects.
The federal government cannot afford to sit idly by and leave U.S. energy infrastructure vulnerable. The Energy Department, as the sector risk management agency for the energy industry, has an obligation to protect both public and private energy interests in critical infrastructure. One of the key ways Energy can fulfill this obligation is by providing incentives for private-sector companies to adopt regulations and best practices, such as testing their software supply chains, that further protect U.S. critical infrastructure.
Barriers Impeding Progress
There are several barriers currently impeding progress in protecting critical energy infrastructure. First, the demand signals for cybersecurity coming from Energy change with each administration. As a result, private companies in the energy sector see little clarity or consistency. The government needs to signal more clearly and specifically what it expects from the private sector in order to comply with government regulations.
Second, updating Federal Energy Regulatory Commission guidelines is an incredibly slow process. FERC regularly issues guidelines for industries to ensure “regulatory certainty” for relevant stakeholders, including government agencies and private companies. Because FERC takes a significant amount of time to update these standards, investment follows a long tail, which in turn produces lags in private-sector investment cycles. A single event can render a standard obsolete, and with it the investment made to meet that standard. This hinders the effectiveness of FERC’s guidelines for energy sector cybersecurity.