3rd Party Risk Management , Business Continuity Management / Disaster Recovery , Critical Infrastructure Security
Senators Raise Concerns About Energy Dept. Cybersecurity
Concern Rises as DOE Continues to Investigate SolarWinds Attack's ImpactEleven U.S. senators are raising concerns about the Department of Energy's cybersecurity readiness as the department continues to investigate a breach related to the SolarWinds supply chain attack.
In a letter to Energy Secretary Jennifer Granholm, the bipartisan group of senators urges the department to prioritize cybersecurity and to keep the leadership of the Office of Cybersecurity, Energy Security and Emergency Response, aka CESER, in place to ensure that the department can respond to security threats, including those that target the U.S. electrical grid.
See Also: Gartner Guide for Digital Forensics and Incident Response
CESER was established in 2018 by former Energy Secretary Rick Perry to address both cyber and physical threats to U.S. critical infrastructure. It's designed to work with other federal agencies, as well as state and local governments, to help minimize any energy disruptions caused by a possible attack.
The DOE was one of nine federal agencies targeted by the SolarWinds supply chain attack (see: SolarWinds Attack Illustrates Evolving Russian Cyber Tactics).
When DOE discovered the attack in December 2020, it said that while malicious code was found on certain business networks, it was not discovered on infrastructure that supports classified data or national security functions, such as the National Nuclear Security Administration.
Sens. Jim Risch, R-Idaho, and Angus King, I-Maine, who took the lead in writing the letter, note that the nation's electrical infrastructure is increasingly vulnerable to cyberthreats and disruptions.
"We urge you … to continue to prioritize cybersecurity by preserving the CESER office and upholding its leadership at the assistant secretary level," the letter states. "It is imperative that the department does not march backward on its responsibilities to the energy sector and the protection of our critical infrastructure, given the persistent, growing, and significant threat cyberattacks pose to our nation’s economy and national security."
DOE Response
A spokesperson for the Department of Energy tells Information Security Media Group that the department has made no changes to the CESER office, but declined to comment further about security issues raised in the letter.
In an interview with E&E News earlier this month, Granholm said that cybersecurity remains a priority within the DOE and that CESER would oversee that effort.
"CESER will continue to run. We are going to make sure it has the staff necessary to ensure that we at DOE and [National Nuclear Security Administration] are safe, but most importantly, that the grid is safe," Granholm said.
In the interview, Granholm also said: "We have been working with our utility partners on this [SolarWinds attack investigation]. It is a full-on effort with all players that have been affected. … We have to make sure we have the right protections around the grid and certainly around our national security efforts to make sure we are not at risk."
Cybersecurity Concerns
An audit released by the U.S. Government Accountability Office earlier this month urged the DOE to do more to protect the national electrical grid's distribution systems that deliver electricity directly to customers (see: GAO: Electrical Grid's Distribution Systems More Vulnerable).
That report recommended that the Energy Department incorporate the grid's distribution systems into its cybersecurity strategy that already includes the generation and transmission systems.
"Recent news reports have illustrated that our adversaries are actively seeking to exploit holes in U.S. internet networks and control systems, which leaves our electric grid and other critical infrastructure vulnerable to foreign surveillance and potential disruption," the lawmakers note in their letter.
The Role of Other Agencies
While it's important for the Energy Department to focus on cybersecurity issues, responsibility for the security of the nation's electric grid should also be shared by other government agencies, such as the Cybersecurity and Infrastructure Security Agency, says Phil Reitinger, a former director of the National Cyber Security Center within the Department of Homeland Security. He's now president and CEO of the Global Cyber Alliance.
"Threats, both run-of-the-mill and sophisticated, continue to skyrocket, and the electric grid is one of the most important assets for any country or region," Reitinger says. "So DOE should pay more attention this year than last, and next year more than this year. I'd also note that this isn't only a requirement for DOE but for supporting organizations like North American Electric Reliability Corporation and coordinating agencies like CISA."
Reitinger says lawmakers should make more money available to address cyber issues. "This is a requirement for Congress, which must give these agencies the resources and authorities to be effective. Appropriations are more important than a letter."