On Tuesday, July 31, 2018, the Department of Homeland Security (DHS) hosted a National Cybersecurity Summit, featuring the nation's top homeland, national security and law enforcement officials. The event featured Vice President Mike Pence, DHS Secretary Kirstjen Nielsen, Department of Energy (DOE) Secretary Rick Perry, Federal Bureau of Investigation (FBI) Director Christopher Wray, Commander, U.S. Cyber Command and Director, National Security Agency (NSA) General Paul M. Nakasone, DHS National Protection and Programs Directorate (NPPD) Under Secretary Chris Krebs, U.S. Secret Service Director Randolph Alles, and DHS NPPD Assistant Secretary Jeanette Manfra.
The summit focused on the importance of collective defense between and amongst the critical infrastructure sectors as well as the importance of public-private partnerships. It featured CEOs and speakers from a number of large investor-owned utilities, oil/natural gas companies, rural electric coops and large energy trade associations, as well as Fortune 500 CEOs, presidents of higher education institutions and other key trade associations. Sectors represented included energy, banking/financial services communications, IT, transportation and insurance.
DOE Secretary Perry focused on the increasing cyber risks to the energy sector as well as the role of the new Office of Cybersecurity, Energy Security, and Emergency Response (CESER) at DOE created earlier in 2018. His remarks were consistent with the directives of the May 2017 White House Executive Order (EO) 13800. The EO included a stand-alone section focused solely on concerns to cyber risks to the grid, entitled "Assessment of Electricity Disruption Incident Response Capabilities," which resulted in a report that discussed the vulnerabilities to the grid and the challenges the electric utility sector would have in event of a major cybersecurity attack. More information from prior posts that discuss the new DOE office and the EO can be found on the Holland & Knight Energy and Natural Resources Blog.
At the summit, DHS announced the creation of a National Risk Management Center that will work in conjunction with the National Cybersecurity and Communications Integration Center (NCCIC). The center will look at the cyber risks to the critical infrastructure, focusing on the nation's vital functions and the impacts of a cybersecurity attack on them. It will also provide a focal point for companies and sectors to discuss cross-sector risk issues and identify better ways for key sectors to work together, as well as create joint action plans to manage and test responses to cyber-attacks. This center will have a series of actionable work plans that will be structured in different 90-day sprints to ensure concrete plans are created and implemented.
The first project will focus on what Secretary Nielson called the "tri-sector model," which will include energy/electric utilities, banking/financial services, and communications. The center will look at and work with other critical infrastructure sectors for similar projects as well.
DHS also announced the creation of an Information and Communications (ICT) Supply Chain Risk Management Task Force. It will function under the umbrella of the center and focus on the communications and information technology sectors, looking specifically at cyber supply chain risk as well as vendor/third party risks. Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) have also been looking at cyber risk to the supply chain specifically for the electric utility sector for some time. The task force will look at creating policy structures to manage the risk and to work collaboratively with the private sector to manage the risk.
The summit included sessions on:
-
Securing Our Supply Chain
-
Building an American Cybersecurity Workforce
-
Delivering Cybersecurity Solutions-ICT Industry Perspective
-
Protecting National Critical Functions
-
Cybersecurity Information Sharing and Partnerships
-
Protecting National Critical Functions: Analyzing Systemic Risk
-
Emerging Issues in Cyber Law and Policy
It is expected that DHS, DOE, FERC, NERC and state public utility commissions (PUCs) will continue to drill down into cyber risk to the energy sector overall. There are continued discussions on how cyber risk should be managed within the larger energy sector including for wind, nuclear, oil and natural Gas (ONG) and pipelines.