On January 20, President Joseph Biden issued Executive Order (E.O.) 13990 to help protect U.S. bulk power organizations. This Order enacted a 90-day suspension of E.O. 13920 which was set by the previous administration. The new executive order empowered the Secretary of Energy (“Secretary”) to publish new criteria around pre-qualifying vendors of electric equipment, as well as to devise rules for helping U.S. entities replace electric devices at risk of sabotage. With those functions suspended, E.O. 13990 directed the Secretary and the Director of the Office of Management and Budget (OMB) to consider “that a replacement order be issued.” The Department of Energy (DOE) took up this command by issuing a Request for Information (RFI) to electric utilities, government agencies, and other stakeholders on how to best secure the bulk power grid.
Why the RFI Is Necessary
The electric power system is vital to the nation’s energy security. It supports national defense, emergency services, critical infrastructure, and the economy. Together, these functions make it essential for bulk power organizations to ensure the availability and reliability of their systems and equipment.
The changing nature of electric entities’ environments has made security a challenge, especially since many critical national infrastructure (CNI) organizations are now undergoing digital transformations. This means they are oftentimes connecting their operational technology (OT) assets to their information technology (IT) assets for the purpose of maximizing industrial operations. The problem is that many of those OT assets are older, legacy systems that lack the necessary security measures to stand up to today’s IT security threats. As a result, digital attackers can leverage successful attacks against bulk power organizations’ IT environments to then pivot to their OT environments.
These types of threats aren’t theoretical. On the contrary, the DOE is aware of attempts by foreign adversaries to target U.S. critical national infrastructure in the energy sector. Take the most recent ransomware attack on a pipeline operator. This incident didn’t directly affect the electricity sector, but as noted by POWER Magazine, it did put the North American Reliability Corporation’s Electricity Information Sharing and Analysis Center (E-ISAC) on notice. Members of E-ISAC shared a bulletin with bulk power organizations describing the attack and identifying measures they could take to secure their systems. Meanwhile, the Federal Energy Regulatory Commission (FERC) used the incident to highlight the importance of taking action to protect U.S. energy infrastructure against digital attacks and the White House put out an open letter to industry advising companies on how to handle ransomware.
Digital attackers have also made headlines by targeting other segments of critical infrastructure. In the beginning of February, for instance, an attacker gained remote control of an analyst’s computer at a Florida water treatment plant. They then tried to elevate the amount of lye in the water to potentially dangerous levels. Four months later, NPR reported that the REvil gang was responsible for a ransomware attack that affected production at JBS SA, one of the world’s largest meat processing companies.
Tripwire’s Support of the RFI
Tripwire applauds the Department of Energy’s (DOE) engagement of public and private contributors, operators, and benefactors of the Critical Electric Infrastructure (CEI) with their RFI to better secure the United States electrical grid. Tripwire and its parent company Belden have over 20 years of experience in developing and offering leading global IT-OT cybersecurity solutions, not to mention over 100 years in supporting the government’s critical infrastructure sectors. It’s this experience that’s helped inform our recommendations for addressing the supply chain concerns raised in the RFI. This thinking has also been shared with the DOE as part of the formal submission process.
First, the basics of asset inventory and visibility are a critical first step to fully understanding the composition, architecture, and assets on the CEI network. This is an informal and often manual process for many organizations. However, there are technological solutions available today that are capable of automatically gathering and assembling a proper CEI inventory. These types of tools are not only capable of saving security personnel time. When configured correctly, they can also minimize human error in crafting as accurate of an asset inventory as possible.
Second, it’s important that bulk power organizations implement security solutions that are capable of properly assessing existing cyber and/or supply chain risks, identifying vulnerabilities for each, and providing additional information to construct and execute remediation plans. These efforts are especially effective when they take place within a vulnerability management program. Such a framework should be flexible and scalable so that organizations can protect new assets as their environments continue to grow and evolve.
Finally, organizations need solutions that can provide additional supply chain configuration management functions. Such information is imperative for shortening the time it takes to detect malicious actions from threat actors. Organizations can then use that time advantage to catch and limit the damage of a potential attack.
A Focus on Security Fundamentals
The three recommendations discussed above are all fundamental security measures. Bulk power organizations can’t protect their assets if they don’t know what needs protecting. Hence the need for an accurate asset inventory. From there, they need to proactively monitor for configuration changes and implement patches. Doing so will help to prevent malicious actors from exploiting common attack vectors as a means of establishing a foothold in their networks.
Bulk power organizations and other critical infrastructure providers can learn more about how to safeguard their systems against digital attackers by clicking here.