Dive Brief:
- Electric utilities and other critical infrastructure sectors could soon be asked to meet voluntary cybersecurity "performance goals" set by the federal government, according to a national security memorandum signed Wednesday by President Joe Biden.
- The memorandum also expands on an effort piloted by the electric sector to protect industrial control systems (ICS) through the installation of sensors and monitoring equipment. More than 150 electric utilities are working through the effort to raise ICS security, and the president's action plan calls for similar initiatives for other sectors later this year, according to a White House fact sheet.
- There is growing acknowledgement that adversaries of the U.S. have the capability to shut down portions of the bulk power system. Russia, China, Iran, North Korea and a variety of criminal groups "all view the U.S. electrical grid as a priority target," Rep. Stephen Lynch, D-Mass., chairman of the House Subcommittee on National Security, said Tuesday during a hearing on grid security.
Dive Insight:
The public-private initiatives announced Wednesday by the White House are voluntary, but a senior administration official made clear that participation is vital to national security.
"The federal government cannot do this alone. Securing our critical infrastructure requires a whole-of-nation effort, and industry has to do their part," the official said in a Tuesday briefing with reporters ahead of the security memorandum announcement. "These may be voluntary, but we hope and expect that all responsible critical infrastructure owners and operators will apply them."
"Our current posture is woefully insufficient given the evolving threat we face today," the official said.
The president's memorandum directs the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Commerce's National Institute of Standards and Technology (NIST) to develop cybersecurity performance goals for critical infrastructure, including power, water and transportation.
Preliminary goals for control systems will be issued by the Secretary of Homeland Security by Sept. 22, with final cross-sector and sector-specific goals set within a year of Wednesday's national security memorandum, according to its text.
The performance goals will help to develop "actionable items" for bulk electric system security and all sectors, Tobias Whitney, VP of industry relations and regulatory affairs at Fortress Information Security, said in an email.
"It's a challenge to develop clear performance goals, but I think when done well ... they can be very effective," Whitney said, pointing to the North American Electric Reliability Corp.'s (NERC) Critical Infrastructure Protection (CIP) standards as an example.
"We have an environment today where there are many organizations throughout this country and across sectors of critical infrastructure that have not universally deployed the strong security controls and managed known security weaknesses that we know our adversaries have the intent and capability to exploit," Eric Goldstein, CISA executive assistant director for cybersecurity, told lawmakers Tuesday in the House subcommittee grid hearing.
"This puts us in a position where a highly damaging cybersecurity intrusion affecting a national critical function such as the provision of electricity is certainly a possibility," Goldstein said.
Experts say the electric sector has some of the strongest security among critical sectors, in part because of the mandatory CIP standards set by NERC, which focus on operational technology. The Federal Energy Regulatory Commission also has ongoing initiatives considering whether to strengthen and broaden those requirements and to align them with the existing NIST cybersecurity frameworks, which also cover IT.
"It will be very interesting to see with chemicals, water, pipelines and how those sectors respond," Whitney said. Performance goals should be sector specific, he said, "but there is a lot each sector can learn from the work that the energy companies have done to secure themselves."
Some of that work was done as part of CISA and the U.S. Department of Energy's Industrial Control System Cybersecurity Initiative, which launched in April with the electric sector as a pilot and is now being expanded. Biden's memorandum formally establishes the initiative. An action plan for natural gas pipelines is also underway.
The Edison Electric Institute, which represents investor-owned utilities, said in a statement that more than 85% of the group's member companies are participating in the initiative, and that deploying additional monitoring equipment "will provide additional insights and enhance the government-industry partnership."
"We have long maintained that grid security is a shared responsibility, and addressing dynamic threats to the energy grid requires vigilance and coordination that leverages both government and industry resources," EEI President Tom Kuhn said in a statement on the security memorandum.
Tuesday's House subcommittee hearing included a discussion of the NERC CIP and NIST security frameworks, and whether efforts to align them would result in better security for the electric sector. However, because the question is the subject of an open FERC proceeding, the commission's representative at the hearing was unable to answer lawmakers' questions.
"As a staff member, I cannot comment on the merits and timing of that active proceeding," Joseph McClelland, director of FERC's Office of Energy Infrastructure Security, told subcommittee members.
"I'm a little bit frustrated that we can't get at these answers because we have a proceeding elsewhere," Lynch said. "We're going to have to have you back."