Administration’s cyber defense plan stresses 'Made in USA'
- By Derek B. Johnson
- Jun 08, 2020
To shore up the security of the energy sector, Department of Energy officials said they plan to replace foreign-made parts in U.S. bulk power systems that may pose a national security or economic risk.
Under a May executive order declaring foreign cybersecurity threats to bulk electric power systems to be a national emergency, a federal task force has been charged with developing energy infrastructure procurement policies and procedures for federal agencies.
"We will be looking at identifying equipment, isolating it, monitoring it as appropriate, and where we find undue risk to the bulk power system, we will replace equipment as necessary," Charles Kosak, deputy assistant secretary for the Office of Electricity at Energy, said at a web event hosted by the McCrary Institute at Auburn University.
Sean Plankey, assistant deputy secretary for DOE's Office of Cybersecurity, Energy Security and Emergency Response , said his office will also look to better engage with the roughly 4,000 smaller electric carriers, last mile providers and distribution providers spread out across the United States, many of whom are stretched thin in terms of both money and human resources.
"None of them are big business, a lot of them … are run by taxpayers in a municipality type of environment, and many of those [entities] in fact also own the water," said Plankey.
Those small organizations are often ill-prepared to defend their systems and networks against foreign military or intelligence services. In some cases, Plankey said, their systems can be connected to other critical infrastructure and rely on the same personnel, equipment and manufacturers, creating a single point of failure.
The Energy Department is spending $6 million this year to boost support for rural and municipal utility cooperatives. It is also sharing research and development and supply chain information with the Environmental Protection Agency to develop better security models for cities and towns where their energy and water infrastructure overlap. Energy officials must also deal with the budget reality that many smaller towns and companies face, particularly in the wake of a pandemic and recession that has wrought havoc on state and local budgets. That means cybersecurity employees might be overstretched and wearing several different hats at the same time.
Other federal agencies, like the Cybersecurity and Infrastructure Security Agency, have worried about the rising convergence of IT systems with the operational technology required to physically control engines, conveyers and other machines within critical infrastructure. In addition to providing support for IT officials and CISOs, Plankey said his office was also trying to engage more with non-tech executives in the C-suite to ensure they understand that while connecting the two environments may save a few dollars on the front end, it also makes their entire enterprise more vulnerable if they're compromised by hackers.
"It's going to be a necessity to understand that interplay, to understand where your protocol handoffs are, to understand why you might want to connect your IT environment," he said. "Because you have your CFO and your business players on one side thinking, 'I can do this faster and cheaper if I connect my IT systems so I can draw efficiencies from my industrial control system environment,' but then you have your security aspect, which is slower and make things harder, so those things don't always agree."
This article was first posted on FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.