The Department of Energy’s proposal to fund a new Office of Cybersecurity, Energy Security, and Emergency Response (CESER) with $96 million signals a bold step in the Department’s efforts to improve its coordination and response to threats to critical energy infrastructure, including cyber-attacks, physical attacks, and natural disasters.

While the 2017 hurricane season provided a stark example of US energy infrastructure’s vulnerability to extreme weather, CESER’s cybersecurity mandate is notable because it marks the Department’s strongest foray yet into the cyber domain. This is a positive indicator that the Trump Administration will focus much-needed attention on cybersecurity risks to national energy infrastructure. However, without effective coordination among a growing chorus of federal agencies monitoring cyber risk (FBI, DHS, NSA, DOD, CIA, State, and DOT), DOE will merely be another voice in a worryingly discordant approach to US cybersecurity.

A joint FBI-DHS report made public in July 2017 identified spear-phishing attempts targeting the email accounts of senior industrial control engineers at US nuclear and energy companies, and designated the infrastructure threat at level “Amber,” the second-highest severity level under the Traffic Light Protocol used for such reports. A DHS US-CERT alert issued in October 2017 (TA17-293A) noted that spear-phishing is just one of several tactics, alongside watering-hole attacks and credential harvesting, used in a persistent campaign to compromise the networks of the energy, water, aviation, nuclear, and critical manufacturing sectors since at least May 2017.

Cyberattacks with physical consequences for energy infrastructure have also become an increasing reality. The Stuxnet worm, discovered in 2010 and reportedly introduced via an infected USB drive, spread across Windows systems until it reached the Siemens industrial control software it was built to target, and ultimately caused physical damage to centrifuges at Iran’s Natanz enrichment facility. A 2014 intrusion at a German steel mill, which began with spear-phishing of the office network, disrupted control components so that a blast furnace could not be shut down in a controlled manner, causing massive damage to the plant. An attack last fall on a safety instrumented system at a Saudi petrochemical facility that some reporting tied to Saudi Aramco tripped the plant into a shutdown; in 2012, Aramco was also the victim of the Shamoon wiper, which destroyed the data on nearly 30,000 of its internal computers. During the Senate Select Committee on Intelligence’s 2018 annual Worldwide Threats hearing, Director of National Intelligence Dan Coats outlined the extent of Russian attacks against the Ukrainian power sector in 2015 and 2016, which resulted in the first documented hacking-induced blackouts.

The consequences of similar attacks against US critical infrastructure could be catastrophic. Significant damage to the electric grid serving a major financial center could cost from $243 billion to upwards of $1 trillion, according to a 2015 Lloyd’s study of a hypothetical attack on the northeastern US grid. The potential cost of an attack on the grid or a nuclear reactor would be on the scale of a massive natural disaster, both in loss of life and in damage to non-energy infrastructure.

Thus far, the lack of bandwidth to cover the vast array of possible cyber threats has left the defense of critical infrastructure fairly reactive, with existing cyber authorities playing a merely supportive, monitoring role in improving cyber resiliency. Federal agencies are expected to maintain their own cyber hygiene, but they can be left without a complete picture of new, often classified threats unless those threats are communicated by externally focused authorities such as DHS or NSA. For example, an existing body like DHS’s United States Computer Emergency Readiness Team (US-CERT) may become aware of a cyber-attack and inform the target to help with mitigation, but its bandwidth to support training, timely patching of software, and hardening of existing infrastructure is limited.

Moreover, major energy infrastructure assets such as the electric grid, nuclear plants, and power transmission systems are inherently public-private partnerships. They are subject to federal or state regulatory oversight, but site management is the responsibility of the private sector operator. As a result, a major obstacle to cyber-risk mitigation is the absence of trust, and of institutions, to ensure that a) the operator fully discloses its exposure to risk and b) the government consistently shares the intelligence and tools needed to mitigate that risk.

This is where DOE’s proposal can have the most significant impact. Given DOE’s role as a trusted federal partner in energy infrastructure projects, CESER should serve as a ‘connective tissue,’ working laterally with its counterparts in the federal government to monitor the threat landscape while also working downwards to build cyber resiliency into energy infrastructure. 

For example, rapid digitization of baseload generation and distribution networks has produced complicated, overlapping webs of electronic and physical systems within single infrastructure operators, a symptom the Nuclear Threat Initiative (NTI) documented in its study of cybersecurity at nuclear facilities. As a result, critical systems designed to have no network connection to the internet or to business networks (so-called air-gapped systems), or systems meant to sit on independent networks, can be unknowingly bridged. CESER could help map and streamline these networks, monitor them for potential attacks, and identify and resolve vulnerabilities.

Implementing cyber best practices at critical infrastructure sites has also previously been beyond the bandwidth of existing cyber-monitoring bodies, and should be part of CESER’s prospective portfolio. Employee training is particularly critical: the spear-phishing attempts against Wolf Creek Nuclear Operating Corporation were disguised as emailed employment inquiries, with malicious code embedded in the attached résumés. In addition, the aforementioned NTI study documented the routine use of USB drives to move data, another route by which external data can enter supposedly isolated networks. Basic security awareness training and controls on removable media, which would blunt many of these attacks, are often overlooked.

CESER could also play a role in protecting softer targets such as the National Laboratories, which, while not representing an immediate physical or financial threat, could be targeted by state actors seeking to steal information on any number of the classified projects they currently manage.

While CESER can execute these responsibilities, a lack of active coordination across the federal government is likely to limit its effectiveness. The dynamism of the cyber domain, with its ever-evolving means of attack, types of targets, and range of attackers, gives the aggressor a considerable advantage. Though last week’s Worldwide Threats hearing emphasized these challenges, it also illustrated the number of agencies operating in the cyber domain, from counterintelligence to defense to law enforcement. Adding another layer of federal cyber-monitoring without appropriate coordination to share intelligence on new tactics, software vulnerabilities, and the sources of possible attacks would leave CESER with only half the picture, or less.

CESER is a noteworthy example of allocating resources where they matter most, and its proposal should be taken seriously as Congress considers the administration’s FY19 budget. But without effective coordination around it, the Administration risks assigning a significant responsibility to DOE without the tools to carry it out effectively. DOE and CESER may be best positioned, have the best understanding of the target, and have the private sector partnerships to implement positive changes, but expecting them to mitigate the growing risks to energy infrastructure on their own in an increasingly complex cyber domain will only set them up for failure.

Reed Blakemore is an associate director of the Atlantic Council Global Energy Center. You can follow him on Twitter @reed_blakemore
