Task Force Report and NIST Revisions Highlight Need for Increased Private-Sector Cybersecurity Efforts

King & Spalding

New technologies enhance the capabilities and efficiency of the energy industry. But these technologies also bring increasing cyber risks to the industry, the economy, and national security. Recognizing that critical energy infrastructure is a national concern, both the executive and legislative branches have been pushing for increased cybersecurity efforts among industry participants.[1]

In January, for example, the Quadrennial Energy Review (QER) Task Force—an interagency effort of the executive branch—released a report underscoring the gravity of the risk, warning that cyberattacks to the energy industry are not only imminent but “increasing in sophistication, magnitude, and frequency.”[2] While the report calls for additional government resources to address cybersecurity, it also highlights the ever-growing need for private-sector companies to implement their own cyber-risk management practices.

Also in January, the National Institute of Standards and Technology (NIST) released its highly anticipated draft amendments to the Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”).[3] Developed in 2014 pursuant to executive order, the Framework has proven influential in just a short period of time. The new version of the Framework introduces the concept of “cybersecurity measurement,” which seeks to drive home the seriousness of cyber threats by tying cybersecurity risk-management practices to business outcomes.[4]

Juxtaposing the QER report with the NIST Framework amendments demonstrates the importance of private-sector vigilance against cyber risks. Below we discuss the report’s key findings related to cybersecurity, highlighting the importance of developing a cybersecurity plan. Then we discuss how already-available resources, particularly the recently updated NIST Framework, can offer a starting place for companies looking to develop or enhance their cybersecurity efforts.

QER 1.2 and the Need for Cybersecurity

The President established the QER Task Force in 2014 to provide “an integrated view of, and recommendations for, Federal energy policy in the context of economic, environmental, occupational, security, and health and safety priorities.”[5] The Task Force includes representatives from a number of agencies, including the Department of Energy (DOE), the Department of Homeland Security (DHS), and the Small Business Administration (SBA). The QER’s first report, released in April 2015, focused on infrastructure challenges for the energy industry.

On January 6, 2017, the Task Force released a second version of the QER report, QER 1.2. Entitled “Transforming the Nation’s Electricity System,” QER 1.2 builds on the first installment of the report but “focuses on the electricity system and its role as the enabler for accomplishing three key national goals: improving the economy, protecting the environment, and increasing national security.”[6] The report concludes that “the U.S. grid faces imminent danger from cyber attacks, absent a discrete set of actions and clear authorities to inform both responses and threats.”[7]

Although it focuses on the electricity subsector, QER 1.2 makes clear that the cybersecurity of the electricity system is truly a matter of national security. “Critical infrastructures like oil, gas, transportation, and water all depend on electricity, and the electricity system depends on them.”[8] In the U.S., a large-scale cyber attack on the electricity system could be devastating. A cyber attack causing “[w]idespread disruption of electric service . . . could undermine U.S. lifeline networks, critical defense infrastructure, and much of the economy; it could also endanger the health and safety of millions of citizens.”[9]

The December 2015 cyber attack on Ukraine’s electricity systems illustrates the threat and potential consequences of a coordinated cyber attack on the electricity system. In that attack, “[t]hree of Ukraine’s regional electricity distribution companies experienced simultaneous cyber attacks on their computer and control systems, precipitating the disconnection of multiple electricity substations.”[10] The resulting outages “caused approximately 225,000 customers in three different distribution-level service territories to lose power for hours.”[11]

Cyber attacks have the potential to replace conventional attacks, and may create new opportunities for combined threats to the grid. For example, “an intelligent attacker may plan to use the occurrence of one naturally occurring . . . event to amplify the impact of a physical, cyber, or electromagnetic pulse attack.”[12] In light of these concerns, one of the major objectives identified in the QER 1.2 is ensuring the reliability, security, and resilience of the electricity system. The QER report includes recommendations for executive and legislative actions, research and development programs, and additional analytical tools and data needed to support policy development and implementation.[13] Government involvement is crucial to this effort, and the report recommends that Congress amend the Federal Power Act to affirm DOE’s authority “to develop preparation and response capabilities that will ensure it is able to issue a grid-security emergency order to protect critical electric infrastructure from cyber attacks” and other threats.[14]

But the responsibility for securing the electricity grid from cyber threats cannot rest entirely on government actors. Much of the system relies on both the government and the private sector, including both large and small companies. Because utilities depend on each other, “sector-wide improvements in grid security” are “essential and require collective action both within the industry itself and with government.”[15] QER 1.2 highlights the need for “a combination of cost-benefit analyses, standards, and collaboration across industry, state, local, and federal stakeholders” to mitigate the challenges faced by the industry.[16]

The report acknowledges that new information and communications technologies provide more “efficient and resilient grid operations, as well as opportunities for consumers to interact with the electricity system in new ways.”[17] However, increasing connectivity presents new opportunities for cyber attacks on or through the grid, making cybersecurity a system-wide concern. “With the rapid deployment of IoT [Internet of Things] devices worldwide, including smart printers, home routers, monitors and cameras, and thousands of others, the opportunity for hackers to disrupt the flows of electricity is growing significantly.”[18] Additionally, “[p]ublic networks carry with them risks of being conduits through which cyber attacks can be executed – where impacts can spread through grids as well as through customer assets that are part of the IoT.”[19]

According to QER 1.2, private-sector participants must confront “a complex set of changes and challenges” head on.[20] The key question is how. QER 1.2 identifies a gap between “rapidly evolving threats and vulnerabilities” and “slower-moving prioritization and deployment of defense measures.”[21] In the context of the electricity system, this gap “is exacerbated by difficulties in addressing vulnerabilities in operational technologies that cannot easily be taken offline for upgrades, and the presence of significant legacy systems, as well as components that lack computing resources to incorporate new security fixes.”[22] The report also calls out the shortage of skilled personnel to address cybersecurity in the context of the complex power grid system, and indicates that mitigation and response efforts “are hampered by inadequate information-sharing processes between government and industry. . . and challenges associated with multi-jurisdictional threats and consequences,” among other things.[23] 

In short, QER 1.2 shows that all energy-industry stakeholders, including private-sector companies, must be cognizant of cybersecurity and develop plans and procedures to mitigate and respond to cybersecurity risks. Failure to do so could expose companies to potential liability for losses resulting from a cybersecurity incident or from an ill-planned response to such an incident. As QER 1.2 highlights, these losses could be significant, as a loss of power may impact not only customer productivity but also the health and safety of customers and the broader community. Additionally, weaknesses in cybersecurity could compromise the security not only of the grid itself but also of customer assets and information connected to the grid. Companies are increasingly expected to guard against these risks, and they must do so for the sake of their businesses, their customers, and the public at large.

Strategic Principles for Cybersecurity and the NIST Framework

The NIST Framework for cybersecurity and risk management provides a helpful resource for companies that wish to build on proven security practices. It provides a mechanism for companies and organizations to take common cybersecurity standards and practices and tailor them to their specific needs. It consists of three components: the Framework core (a set of common “cybersecurity activities, desired outcomes, and applicable references”); Framework implementation tiers (which offer “context on how an organization views cybersecurity risk and the processes in place to manage that risk”); and a Framework profile (which “represents the outcomes based on business needs that an organization has selected” from framework categories and subcategories).[24]

The Framework core comprises four elements—the functions, categories, subcategories, and informative references. At the highest level, the core revolves around the following five functions:

  • “Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.”
  • “Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.”
  • “Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.”
  • “Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.”
  • “Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.”[25]

Although it was developed primarily to protect critical infrastructure, the NIST framework is flexible and can be used by almost any organization in any industry. It can be used to enhance and evaluate existing cybersecurity practices, or it can be used to develop such practices where none exist. 

QER 1.2 points to a set of strategic principles published by DHS in November 2016, which in turn point to the NIST Framework as “a starting point for considering risks and best practices” for cybersecurity.[26] The DHS report identifies the following six principles: incorporate security at the design phase; advance security updates and vulnerability management; build on proven security practices; prioritize security measures according to potential impact; promote transparency; and connect carefully and deliberately.[27] Although the DHS principles cited by QER 1.2 were drafted for IoT security, they “offer stakeholders a way to organize their thinking about how to address” cybersecurity in general.[28] In particular, the need to develop and build on proven security practices is common across all sectors and industries in the cyber realm, and, as DHS points out, the NIST Framework offers a resource for doing just that. In 2015, the DOE also issued guidance to help the energy sector apply the NIST Framework.[29]

The January 2017 proposed amendments to the NIST Framework illuminate where private-sector companies have been lagging in cybersecurity implementation. Most notably, the proposed amendments introduce the concept of “cybersecurity measurement” to the Framework. Cybersecurity measurement allows companies to employ specific metrics to assess the otherwise unclear impact of cyber risk management practices on business outcomes. As NIST’s program manager for the Framework explained, “[m]easurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion.”[30] Second, the proposed amendments seek to develop a shared vocabulary to facilitate third-party risk management.[31] Supply chain risk management has been, at times, an underappreciated source of cyber risk. Yet these risks can be addressed contractually if companies work together to identify shared cybersecurity needs.

Conclusion

QER 1.2 should be understood as a call to action for energy industry participants. Cybersecurity threats to critical energy infrastructure are expected only to proliferate. Meanwhile, the draft update to the NIST Framework reflects growing concerns about private-sector buy-in to the need for cybersecurity risk management practices, particularly in third-party dealings. Although the government has not yet imposed mandatory, broadly applicable cybersecurity standards on the industry as a whole, the discussions and guidelines in QER 1.2 and the NIST Framework may inform the legal standard of care.[32] Ignoring these guidelines or failing to properly plan for and protect against cybersecurity incidents could leave companies exposed to liability for the consequences of such an incident. 

With the government’s increased focus on cybersecurity and growing awareness of the potential risks and consequences of a cybersecurity incident, now is the time for companies to develop practices and procedures to prevent, assess, and respond to cybersecurity events. Although the task of updating or implementing cybersecurity practices may seem daunting, consulting with experienced counsel to adapt and adopt public resources like the NIST framework is a good, cost-effective place to start.

[1] See Christopher Burris, Nicholas Oldham & Ben McJunkin, Maritime Cybersecurity Regulation on the Horizon: Part 1, LAW 360 (Jan. 30, 2017), https://www.law360.com/articles/885899/maritime-cybersecurity-regulation-on-the-horizon-part-1.
[2] Quadrennial Energy Review, Transforming the Nation’s Electricity System: The Second Installment of the QER, at S-23 (Jan. 2017), https://www.energy.gov/sites/prod/files/2017/01/f34/QER Transforming the Nations Electricity System Full Report.pdf.
[3] Nat’l Inst. Standards & Tech., Framework for Improving Critical Infrastructure Cybersecurity: Draft Version 1.1  (Jan. 10, 2017), https://www.nist.gov/sites/default/files/documents/2017/01/26/draft-cybersecurity-framework-v1.1.pdf.
[4] See id. at 21.
[5] Quadrennial Energy Review, supra note 2, at i.
[6] Id. at S-1.
[7] Id. at S-16.
[8] Id. at 4-4.
[9] Id. at S-16.
[10] Id. at 1-32.
[11] Id.
[12] Id. at 4-33.
[13] Id. at v.
[14] Id. at S-16.
[15] Id. at 1-32 to 33.
[16] Id. at S-23.
[17] Id. at 4-3.
[18] Id. at 1-32.
[19] Id. at 4-21.
[20] Id. at 1-2.
[21] Id. at 4-34.
[22] Id.
[23] Id. at 4-36 and 4-2.
[24] Nat’l Inst. Standards & Tech., supra note 3, at 4-5.
[25] Id. at 8-9.
[26] See Quadrennial Energy Review, supra note 2, at 4-12; U.S. Dep’t of Homeland Sec., Strategic Principles for Securing the Internet of Things (IoT), at 9 (November 15, 2015), https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf.
[27] U.S. Dep’t of Homeland Sec., supra note 26, at 3-4.
[28] Id. at 3.
[29] See U.S. Dep’t of Energy, Office of Elec. Delivery & Energy Reliability, Energy Sector Cybersecurity Framework Implementation Guidance (Jan. 2015), https://www.energy.gov/sites/prod/files/2015/01/f19/Energy Sector Cybersecurity Framework Implementation Guidance_FINAL_01-05-15.pdf; see also Quadrennial Energy Review, supra note 2, at A-23 (referring to the NIST Framework and the 2015 guidance from DOE).
[30] Press Release, Nat’l Inst. Standards & Tech., NIST Releases Update to Cybersecurity Framework (Jan. 10, 2017), https://www.nist.gov/news-events/news/2017/01/nist-releases-update-cybersecurity-framework.
[31] Nat’l Inst. Standards & Tech., supra note 3, at ii. (noting that considerations of cyber supply chain risk management were added throughout the updated framework).
[32] Together, the North American Electric Reliability Corporation (NERC) and Federal Energy Regulatory Commission (FERC) have put in place mandatory reliability standards, including cybersecurity standards, for the bulk power system. See CIP Compliance, Program Areas & Department, N. Am. Elec. Reliability Corp, http://www.nerc.com/pa/CI/Comp/Pages/default.aspx (last visited Jan. 31, 2017). In addition, the U.S. Nuclear Energy Regulatory Commission (“NRC”) also maintains cybersecurity requirements for nuclear power operations. See Backgrounder on Cyber Security, U.S. Nuclear Regulatory Comm’n, https://www.nrc.gov/reading-rm/doc-collections/fact-sheets/cyber-security-bg.html#require (last visited Jan. 31, 2017). But the foregoing standards only apply to certain specified industry facilities.
