By Peter Sopher
This past month, as a member of Wharton Energy Club career treks in London and New York, I engaged in discussions with 18 different energy infrastructure finance firms regarding sector trends. In virtually every meeting, the threat of cybersecurity drew significant attention.
And for good reasons.
From the 2012 Shamoon virus that destroyed 30,000 Saudi Aramco hard drives, to the 2015 Russian-perpetrated attack on the Ukranian power grid, the energy sector has already endured many of the world’s most destructive cyberattacks to date.
Two points render cybersecurity especially scary as it relates to energy:
- To date, cyber offense has always been ahead of defense
- Digitalization of core energy sector infrastructure is accelerating rapidly
Given the gravity of this issue, this article addresses the following research question:
How well does the Department of Energy’s (“DOE”) 2018-2020 cybersecurity approach achieve its mission?
This article conducts a strengths-weaknesses analysis of current DOE policies and makes four recommendations to improve identified weaknesses.
DOE cyber policy strengths
The cornerstones of DOE’s cybersecurity agenda are the March 2018 Multiyear Plan for Energy Sector Cybersecurity, which outlines goals for the U.S. energy sector, and the June 2018 DOE Cybersecurity Strategy, which establishes an internal DOE cyber policy.
For context, as best practices, IEA’s 2017 digitalization report identifies four pillars to energy security:
- Resilience: An entity’s ability to adapt to changing contexts and shocks while continuing operations.
- Hygiene: Key aspects include software update protocols, secure network configurations, and training to promote robust cultures regarding cybersecurity.
- Design: Cybersecurity should be an integral aspect of system design, not an add-on afterwards.
- Tech and System Architecture: Existing on the cutting edge of technology and system design for defending against cyberattacks is imperative.
What’s strong about the DOE’s current agenda is how comprehensively it accomplishes the resilience, hygiene, and technology objectives, above. Another strength of the Multiyear Plan is that it does not get too specific; the cybersecurity landscape is evolving so quickly that mandating specific protocols would be premature. However, the DOE’s internal cyber strategy provides an excellent template for more specific best practices, namely its emphases on dynamic improvement and quick responses to minimize damage.
Recommendations
RECOMMENDATION 1 – DESIGN: The U.S. should mandate the procurement of corruptible infrastructure exclusively from parties that have neither present nor potential incentives to disrupt U.S. systems.
The most obvious weakness of the DOE cyber agenda is its lack of emphasis on design-phase incorporation of security objectives, as IEA (2017a) and cyber expert Dan Geer both recommend. It is difficult to mandate specifics for such protocol, as the variety of types of infrastructure the energy sector comprises is massive. One necessary policy, though, is to ban digital components of critical energy infrastructure for which the supply chain involves an entity owned by a foreign government.
RECOMMENDATION 2 – OFF-GRID OPERABILITY: DOE should conduct a comprehensive cost-benefit assessment to evaluate whether it is prudent to mandate off-grid operability for critical energy infrastructure.
DOE fails to outline solutions for ensuring functional backup systems if a breach is especially destructive. To this end, Dan Geer advocates that off-grid backup is essential for critical infrastructure. The reason Ukraine was able to minimize damage to its power grid from an especially potent Russian attack was that its relatively antiquated grid had manual operation capabilities. Counterintuitively, the same Russian attack would have caused more harm in many more developed grids than in Ukraine because more developed grids often lack robust manual operating capabilities.
Implications of mandating off-grid backup capabilities, however, include drawbacks. For example, requiring manually operable backup for smart grids implies that employees will be trained to operate complex power grids and paid to be available in case the automated grid management system is hacked. Such a scenario is expensive and limits key benefits of smart grids.
RECOMMENDATION 3 – TALENT: To tap premium private sector talent pools, DOE should leverage cybersecurity-related public-private-partnerships to work with private sector experts on securing critical energy infrastructure.
Becoming a cyber expert requires years of rigorous study to understand the coding nuances and implications behind various types of attacks; it’s not expertise that can be gained via a series of seminars. True cyber experts, however, command very high private sector salaries against which DOE has difficulty competing. As such, accessing the best cybersecurity talent requires tapping the private sector. To do this, DOE should develop partnerships with private tech companies where their experts are deployed at DOE for year-long sabbaticals that promote cross-pollination in a mutually beneficial manner.
RECOMMENDATION 4 – PRIVACY: DOE must increase its priority on securing individuals’ data privacy related to energy usage as energy infrastructure becomes increasingly digital.
Lastly, a missing point of emphasis in the DOE’s cyber agenda relates to privacy of individuals’ and entities’ data deriving from the energy sector’s increased digitalization. According to IEA (2017a), “Privacy and data ownership are becoming a major concern as more and more detailed data are collected.” The White House expressed similar sentiment in 2016.
Conclusion
The intersection of energy and cybersecurity is becoming an increasingly relevant issue as the energy sector becomes more digitized.
Strongpoints of the DOE cyber agenda are how it addresses the issues of resilience, hygiene, and technology. The cyber agenda is also appropriately vague for such a dynamically evolving field, and it is appropriately non-prescriptive.
Weaknesses, however, relate to the DOE agenda’s lack of emphasis on security as a core element of critical infrastructure design. In addition, the DOE agenda does not focus enough on: (1) the process of recovering from cyberattacks; (2) how DOE will access strong cybersecurity talent; and, (3) how DOE will ensure privacy of energy-oriented data.
While cybersecurity best practices are sure to continue to evolve, a truism to date is that offense is always ahead of defense. As such, the ability to react and remain resilient during a breach is crucial.
