Written by Sean Lyngaas
A major supplier of U.S. electrical equipment has joined a Department of Energy-funded research program to defend industrial infrastructure from hacking, the Biden administration announced Thursday.
As part of the program, Schweitzer Engineering Laboratories, which makes gear that helps power the grid, will submit products for testing to the Idaho National Laboratories (INL). The Department of Energy-backed INL hosts some of the U.S. government’s most talented penetration testers of industrial equipment.
The program is “especially [important] now with nation-states paying particular interest to the electric sector,” David Whitehead, Schweitzer’s chief executive, said in an interview.
The vulnerability-testing initiative is known as the Cyber Testing for Resilient Industrial Control System (CyTRICS) program, and has been in the works for at least two years. But it has taken on greater importance amid reports of a growing number of foreign hacking groups probing industrial control systems, the hardware and software that underpin energy systems. And it comes as officials at the Department of Homeland Security have pledged to invest greater resources in ICS security following a breach at a Florida water treatment facility, in which an unidentified attacker reportedly tried to change chemical settings to a potentially dangerous level.
Schweitzer will start by submitting the company’s protective relays, which are devices that monitor electric voltage, for testing. But Whitehead said he hopes to expand the testing program to include equipment such as programmable automation controllers, which engineers use to track the performance of power plants.
Whitehead described the program as an opportunity to boost the security testing of a number of vendors’ products, and to more rapidly alert other vendors of those flaws so they can fix them.
“The government [is] really good at collecting information,” Whitehead said. “But they just don’t have the capability or the capacity to understand just how that might impact” all of the products in the industrial control systems’ sector, he said.
Schweitzer’s participation in the program follows that of Schneider Electric, another big maker of energy equipment. Schneider Electric makes the safety systems that were targeted by the so-called Trisis malware, which an advanced hacking group deployed against a Saudi petrochemical plant in 2017, causing it shut down.
A Department of Energy spokesperson did not respond to a request for comment on how much federal money is behind the CyTRICS program.
Cybersecurity experts say U.S. industrial organizations have improved their security practices in recent years in part because they have better visibility into their digital assets. And more rigorous testing is a key piece of those defenses.
Virginia Wright, CyTRICS program manager at INL, said the next phase of the program is “further evidence of the growing recognition and need to secure our nation’s critical energy infrastructure from cyber and supply-chain threats.” Other Department of Energy-backed research centers, such as Sandia National Laboratories in New Mexico, are involved in the testing initiative, according to Wright.
But as the Department of Energy announced the next phase of the CyTRICS program, a U.S. government watchdog advised the department in a new report to focus more on the cybersecurity risks of the electricity distribution system.
“Unless DOE more fully addresses risks to the grid’s distribution systems in its updated plans, federal support intended to help states and industry improve distribution systems’ cybersecurity will likely not be effectively prioritized,” the Government Accountability Office report concluded.
To that end, the National Rural Electric Cooperative Association, which represents 900 small-scale utilities, said this week it is contracting with private firms to give smaller power firms access to cybersecurity tools. The program is backed by a $6-million grant from the Department of Energy.