Shaun Courtney and Michael Riley (Bloomberg) -- A White House plan to rapidly shore up the security of the U.S. power grid will begin with a 100-day sprint, but take years more to transform utilities’ ability to fight off hackers, according to details of a draft version of the plan confirmed by two people.
The plan is the policy equivalent of a high-wire act: it provides incentives for electric companies to dramatically change the way they protect themselves against cyber-attacks while trying to avoid political tripwires that have stalled previous efforts, the details suggest.
Among its core tenets, the Biden administration’s so-called “action plan” will incentivize power utilities to install sophisticated new monitoring equipment to more quickly detect hackers, and to share that information widely with the U.S. government.
It will ask utilities to identify critical sites which, if attacked, could have an outsized impact across the grid, according to a six-page draft of the plan, which was drawn up by the National Security Council and described in detail to Bloomberg News.
And it will expand a partially classified Energy Department program to identify flaws in grid components that could be exploited by the country’s cyber-adversaries, including Russia, Iran and China.
The plan marks the first step in a broad push to protect utilities from cyber-attacks that could leave millions without power, water or gas. A final version of the plan could be released as soon as this week, according to a person familiar with the timing.
“It makes sense in a plan like this to start with grid operations,” said Christopher Painter, who was the highest ranking cyber official in the State Department during the Obama administration.
“Everything goes down if you don’t have power: the financial sector, refineries, water. The grid underlies the rest of the country’s critical infrastructure,” Painter, now with the Global Commission on the Stability of Cyberspace, added.
Experts say initiatives to enhance the security of the U.S. electrical grid are years behind better-known efforts to improve the security of data centers and corporate computer systems. At the same time, hackers from Russia, China, Iran and North Korea are launching increasingly aggressive attacks on U.S. power companies, hoping to pre-position malware that could leave U.S. cities and towns in the dark.
The recent weather-related outages in Texas, while not the result of a cyber-attack, were a stark demonstration of the potential for devastation. People froze in their homes, struggled to access drinkable water and lost communications because their mobile phones couldn’t charge as grid operators struggled for days to restore power.
The White House plan lays out the need for a broad effort to secure the highly specialized computers used not just by electric companies, but also municipal water utilities, gas pipeline operators and others.
Two people familiar with the administration’s thinking said power companies were chosen to begin with because they already have a strong record of working with the U.S. government on security threats. While private companies are usually loath to share computer network data widely with the government, some power companies already do so as part of existing pilot programs, one of the people said.
The White House plan, which is voluntary, lays out a series of possible incentives to get power companies to sign on, a less politically precarious route than mandating their participation through regulation.
Smaller utilities such as rural co-ops may get government funding to cover the cost of new security equipment and software, for example. The government will explore whether participation could be covered under the Safety Act, which provides liability protection for anti-terrorism products and services, according to the plan -- although it’s far from clear that services provided by an electric utility would qualify.
Many of the details around budgets and incentives will be worked out later, through a process coordinated by the National Security Council and others, according to the draft.
Utilities’ decisions to participate will hinge on how those details eventually get resolved, cybersecurity experts said. For example, the plan addresses long-standing concerns over sharing details about cyber-attacks automatically with the government by prohibiting “sensitive data” from being collected or stored outside the utilities.
But the plan doesn’t yet define what counts as sensitive data, and it makes clear that any data collected must be widely sharable across the federal government.
The plan will also expand the role of an Energy Department program that scans grid equipment for flaws or hidden components that hackers could use to attack utilities. Aspects of that program, known as CyTRICS, are classified because they involve efforts by foreign intelligence agencies to intentionally weaken grid technology, according to a person familiar with it. (CyTRICS stands for Cyber Testing for Resilient Industrial Control Systems.)
While utilities have supported similar efforts in the past, the creation of an approved vendor list could increase costs for equipment manufacturers that would be required to make their products more secure -- a proposal likely to draw resistance from U.S. and foreign manufacturers, one person familiar with the industry said.
In order to succeed, the plan will have to overcome challenges that have derailed earlier efforts, including interagency turf wars and questions over how much of a role U.S. intelligence agencies should have in protecting the country’s critical infrastructure.
The power sector effort will be led by the Energy Department rather than the Cybersecurity and Infrastructure Security Agency, or CISA, part of the Department of Homeland Security, according to the summary.
That could raise concerns about CISA losing its existing authorities and possibly ceding the program entirely to the Energy Department, according to current and former DHS officials, as well as an aide on the House Homeland Security Committee. That panel approved a bipartisan bill in March to solidify CISA’s lead role in protecting the country’s industrial control systems (H.R. 1833).
“The risk you take in not having CISA do everything is that information doesn’t get where it needs to be,” according to Suzanne Spaulding, who led CISA’s predecessor, the National Protection and Programs Directorate, under the Obama administration and now works at the Center for Strategic and International Studies.
As the White House plan was quietly circulated to officials recently, Homeland Security Secretary Alejandro Mayorkas reiterated what he believed was CISA’s primary role in a policy speech in late March.
After lauding the administration’s cybersecurity plans, he added, “As some have said, the government needs a quarterback on its cybersecurity team. CISA is that quarterback.”