“Cyber-Ninja Force” Being Developed to Protect Energy, Gas Grid
Protecting the U.S. electrical grid and the gas pipeline system from cyberattacks has drawn increased attention from Congress as the threats to infrastructure become more prevalent globally.
Successful cyberattacks on Saudi Arabia’s energy infrastructure in 2012 and Ukraine’s electrical grid in 2015 have spurred coordination between U.S. utilities, national laboratories and state governments like never before, according to testimony before a Senate panel earlier this month.
The concern is also heightened by a general understanding of the ubiquity of wireless electronics in Americans’ daily lives. Continued growth of the “Internet of Things” in the coming years means the most mundane of objects throughout one’s home – such as water heaters and refrigerators – will soon be connected to the Internet and be at risk of cyberattack.
“If you have ‘energy’ in your title or name, you’ve been attacked for a long time,” said Dave McCurry, president and CEO of the American Gas Association, speaking before the Senate Energy and Natural Resources Committee last week. “You’ve been surveilled, you‘ve been mapped. You have to assume that you’ve been penetrated and go from there. And I know Congress is much more acutely aware than it was a few years ago.”
To date, cyberattacks have not knocked out power to any U.S. customers, but experts attribute that to luck as much as to any security protections. Attention in the United States to the grid’s vulnerability increased dramatically after a Dec. 23, 2015 cyberattack left 230,000 people in Ukraine without electricity for up to six hours. Hackers alleged to be part of Russian group known as “Sandworm” remotely switched off 30 substations operating parts of the Ukrainian electrical grid.
According to the Department of Energy, roughly $250 million has been invested in the past five years to create 35 new tools and technologies to combat cyberattacks on the U.S. grid. Several experts said public-private partnerships such as the Cybersecurity Risk Information Sharing Program (CRISP) have dramatically improved the sharing of real-time threat information. Nearly 80 percent of all U.S. electricity customers get their power from utilities that are part of this group.
Something comparable is being attempted in terms of cyber expertise, with the creation of a mutual-support network known colloquially as the “cyber-ninja force.” It operates in a similar fashion to emergency responder crews that travel to help overwhelmed utilities with major weather outages.
“There is a cyber-ninja force; it’s just at a very early stage,” said Duane Highley, president and CEO of the Arkansas Electric Cooperative Corporation (AECC) during the Senate energy panel hearing. “The cyber mutual assistance program operates parallel to the utilities and has 93 members. It sends IT professionals to assist with the restoration” of systems.
But federal policies crafted by Congress are lagging behind, according to those giving testimony and other experts. Neither the legislative nor executive branch has yet officially defined what constitutes an act of war in cyberspace, nor has the government been able to speed security clearances for utility experts across the country to better handle cyberattacks. Burden-sharing in terms of manpower and financial obligations has also not yet been reckoned with.
“First and foremost, let’s agree on what are the short-term priorities, things that we can do right away without much difficulty to build a more resilient grid,” said Jim Cunningham, president of Protect Our Power (POP), a Florida-based public advocacy group focusing on getting Congress to pass more cybersecurity legislation, in an interview with RealClearEnergy. “The second thing is, how are we going to pay for it?”
While there is no consensus on how the government and private sectors should share costs to upgrade cyber-protection nationwide, there is some movement on priorities. A bill sponsored by Sen. Angus King (I-Maine), the Securing Energy Infrastructure Act, has four bi-partisan co-sponsors and would establish a pilot program within the Energy Department to identify cybersecurity vulnerabilities in the energy sector. The measure calls for the $10 million program to be completed in two years.