The White House unveiled on Tuesday a 100-day plan intended to protect the U.S. power grid from cyber-attacks, mainly by creating a stronger relationship between U.S. national security agencies and the mostly private utilities that run the electrical system.
The plan is among the first big steps toward fulfilling the Biden administration’s promise to urgently improve the country’s cyber defenses. The nation’s power system is both highly vulnerable to hacking and a target for nation-state adversaries looking to counter the U.S. advantage in conventional military and economic power.
“The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses,” Secretary of Energy Jennifer Granholm said.
Although the plan is billed as a 100-day sprint — which includes a series of consultations between utilities and the government — it will likely take years to fully implement, experts say. It will ask utilities to pay for and install technology to better detect hacks of the specialized computers that run the country’s power systems, known as industrial control systems.
The Edison Electric Institute, the trade group that represents all U.S. investor-owned electric companies, praised the White House plan and the Biden administration’s focus on cybersecurity. “Given the sophisticated and constantly changing threats posed by adversaries, America’s electric companies remain focused on securing the industrial control systems that operate the North American energy grid,” said EEI president Tom Kuhn.
While an early draft had proposed helping small utilities and rural co-ops pay for the new monitoring, the final version is more vague about whether the money will come from the federal government or be passed to customers in the form of higher utility bills. Large utilities often have sophisticated security teams and pay for cutting edge monitoring technology, but it’s unclear how enthusiastically smaller utilities will take on the cost of additional security.
The government will take suggestions from utilities within 21 days about ways to incentivize participation in the voluntary effort, according to details of the plan described by a person familiar with it.
The final plan also drops the draft’s proposal for enhancing supply chain security for grid components by calling for a list of recommended equipment vendors. Now, the administration plans to ask utilities for suggestions for improvement.
Experts say initiatives to enhance the security of the U.S. electrical grid are years behind better-known efforts to shield data centers and corporate systems. At the same time, hackers from Russia, China, Iran and North Korea are launching increasingly aggressive attacks on U.S. power companies, hoping to install malware that could leave cities and towns in the dark.
Under the new plan, owners and operators of electricity networks are now expected to “enhance their detection, mitigation and forensic capabilities,” according to the Department of Energy statement. They would also need to share information with the federal government if something happens to their systems. Priority sites will need to identify and report their technology capabilities, gaps and requirements within 45 days of the launch.
CISA, the Cybersecurity and Infrastructure Security Agency, will establish a team of government and agency representatives to coordinate analysis between the government and private sector.
“The safety and security of the American people depend on the resilience of our nation’s critical infrastructure,” said acting CISA director Brandon Wales, in a statement. The partnership would “prove a valuable pilot as we continue our work to secure industrial control systems across all sectors.”
–With assistance from Shaun Courtney and Josh Saul.