Event recap

On December 13, 2021, the Atlantic Council Global Energy Center hosted a discussion on securing the energy and critical infrastructure sectors from cyberattacks. Opening remarks were delivered by Jeh Johnson, former Secretary of Homeland Security and partner at Paul, Weiss, Rifkind, Wharton, & Garrison LLP.The panel featured Andrea Brackett, vice president of cybersecurity at the Tennessee Valley Authority; Megan Samford, chief product security officer for energy management at Schneider Electric; Leo Simonovich, vice president and global head of industrial cyber and digital security at Siemens Energy; and Tom Warrick, former deputy assistant secretary for counterterrorism policy at the US Department of Homeland Security and nonresident senior fellow at Atlantic Council. The event was moderated by Andy Bochman, senior grid strategist at Idaho National Laboratory’s national and homeland security directorate.

Secretary Johnson began his keynote by drawing attention to the ubiquity and complexity of cyberattacks on infrastructure, from state actors to hacker groups, and warning that this problem is only getting worse. “Cyberattacks are replacing kinetic attacks. Covert actors are replacing conventional state actors. A cyberattack on our nation’s energy sector or any other sector of critical infrastructure must be viewed as an attack on the nation itself, warranting a national response,” Secretary Johnson warned. Summing up his remarks, Secretary Johnson identified several actions to take to shore up the nation’s cyber defenses. These include raising awareness of spear phishing, ensuring redundancy in systems, the creation of national minimum standards for critical infrastructure cybersecurity standards by Congress,  mandatory reporting to the federal government of certain categories of cyber incidents, recognizing cyberattacks on infrastructure can cause as much damage as a natural disaster, encouraging education, recruitment and retention of a cyber workforce, and making sure the world knows the US views a cyberattack as grounds for a military response.

The panel was undecided about how much money is needed to shore up cyber defenses. Secretary Johnson praised the bipartisan infrastructure bill’s allocation of $2 billion to Homeland Security’s Cybersecurity and Infrastructure Security Agency. Warrick noted that in theory, companies do not want to overspend on cybersecurity because that money is wasted, but the moment a company or business fall short, the amount of damage done can be catastrophic. The panel agreed that there is a role for the insurance industry to play in helping encourage good cyber hygiene to help make the case to CFOs and CEOs for more investment in cybersecurity. Simonovich added that funding is ultimately about the multiplier effect and that it cannot be a one-time investment, but pointed toward the importance of money cascading down and innovation cascading up.

In the same vein, Warrick also mentioned that cybersecurity does not happen alone. The Department of Homeland Security must work together with the private sector. Simonovich also emphasized that public-private partnerships are important in building resiliency because of faster detection and information sharing, as well as mutual aid. Warrick and Brackett added that operators and owners should have good working relationships with their local, state, and federal government representatives, as well as equipment manufacturers, in order to be able to make calls quickly in emergencies.

Brackett pointed out that training and preparation for natural disasters makes for great practice to prepare for cyberattacks, and Simonovich stressed that fuller cyber wargaming and scenarios preparation will be key. Simonovich also underscored that resiliency is important, but what resiliency entails is constantly evolving as the cyber and physical worlds are converging. GridEx was brought up as a fantastic way to test and improve critical infrastructure cybersecurity.

Another theme that the panel tackled was upgrading equipment. Samford wanted to see tax incentives for the private sector to enable owners and operators to upgrade their fleets. Brackett pointed out that smaller entities and operators need to be taken into account as well and incentivized in other ways because of how they are funded and regulated.  Simonovich added that the funding model and policy piece to encourage modernization of older equipment is not clear. Finishing off this topic, Bochman underscored upgrades are not just a tick-the-box exercise; they need to be configured and maintained.

Regarding standards, upgrades and equipment, Samford noted that vulnerabilities are a trailing metric, giving a good indication of industrial control systems security five or ten years ago, but that newer products are being built intentionally following security standards like IEC 62443. At the same time, she noted, standards need to be horizontal and cover the supplier, integrator, and asset owner in order to cover the whole supply chain and ecosystem. She and Bochman identified NERC’s Critical Infrastructure Protection standards as a good example of this, in addition to IEC 62443.

Jordan Bekenstein is a Fall 2021 Young Global Professional at the Atlantic Council Global Energy Center.

Agenda

Remarks by

Sec. Jeh Johnson
Secretary of Homeland Security (former)
US Department of Homeland Security;
Partner
Paul, Weiss, Rifkind, Wharton, & Garrison LLP

A conversation with

Andrea Brackett
Vice President, Cybersecurity
Tennessee Valley Authority

Megan Samford
Chief Product Security Officer, Energy Management
Schneider Electric

Leo Simonovich
Vice President and Global Head, Industrial Cyber and Digital Security
Siemens Energy

Tom Warrick
Deputy Assistant Secretary for Counterterrorism Policy (former)
US Department of Homeland Security;
Nonresident Senior Fellow
Atlantic Council

Moderated by

Andy Bochman
Senior Grid Strategist, National and Homeland Security Directorate
Idaho National Laboratory

Learn more about the Global Energy Center