The President’s FY 19 Proposed Budget, issued on Feb. 12, 2018, featured a heavy focus on the cybersecurity risks to the nation’s critical infrastructure and included budget increases for cyber specific missions within agencies who support Critical Infrastructure (CI). On Feb. 14, 2018, in support of this effort, DOE Secretary Rick Perry announced the creation of a new office, the Cybersecurity, Energy Security, and Emergency Response (CESER), as a means to better focus on and realign the mission of DOE, to address cyber risks in the energy sector.
The FY 19 Proposed Budget recommends $96 million in funding to the CESER office which is tasked with “early-stage activities that improve cybersecurity and resilience to harden and evolve critical grid infrastructure. These activities include early-stage R&D at national laboratories to develop the next generation of cybersecurity control systems, components and devices including a greater ability to share time-critical data with industry to detect, prevent and recover from cyber events.”
There are two offices within CESER, the Cybersecurity for Energy Delivery Systems (CEDS) and the Infrastructure Security and Energy Restoration (ISER) office. CEDS has a proposed budget of $70 million for cybersecurity for energy delivery systems and will focus on cyber threat and vulnerability sharing, supply chain risks and component vulnerabilities and R&D efforts to create more secure systems. ISER has a proposed budget of $18 million and its mission includes a focus on working with state and local governments “to secure the U.S. energy infrastructure against all hazards, reduce impacts from disruptive events and recover from energy disruptions.”
The proposed budget also includes $35 million for DOE’s CyberOne program, focused on managing its own cybersecurity enterprise risk and identify authentication systems.
Consistent with the May 2017 White House Executive Order (EO) 13800, the increase in funding and realignment of DOE programs takes a more focused approach on cybersecurity risks and provides funding opportunities to help the energy industry focus on new tools to combat the cyber risk. The EO included a stand-alone section focused solely on concerns to cyber risks to the grid entitled the “Assessment of Electricity Disruption Indecent Response Capabilities” which required a report to be issued to the president by August 2017. More information on the EO is here.
DOE also recently issued a final rule on Jan. 10, 2018 that established procedures for the DOE Secretary to issue emergency orders as a result of a Presidential Declaration of a Grid Security Emergency. Public Law 114-94 gave the president new authorities in the event of grid security emergency, defined as a cybersecurity attack, electromagnetic pulse, physical attack or geomagnetic storm event, to direct the owners and operators of critical electric or defense critical electric infrastructure to take certain actions.
At the same time, the new slate of Federal Energy Regulatory Commissioners have also expressed concerns over cybersecurity risks to the grid. In December 2017, FERC Chairman Kevin McIntyre stated “Cyber security is critical to protecting the nation’s energy infrastructure and we need to be vigilant and proactive in doing so.” At that time, FERC voted to modify existing cyber incident reporting requirements under the North American Electric Reliability Corporation (NERC) CIP Reliability Standard (CIP-008-5.) More information about that action is here. Earlier, FERC Order 829 mandated that NERC address cybersecurity risks in the supply chain. On Jan. 18, 2018, FERC issued a Notice of Proposed Rulemaking (NOPR) to accept part of NERC’s supply chain rules and to direct them to expand the proposal to other essential areas that FERC believed that NERC missed.
The Trump Administration views cybersecurity as a key national security concern and on Dec. 18, 2017 issued “A New National Security Strategy for a New Era” establishing cyber risk as a mainstay within that lens. Those in the energy sector (electric utilities, oil and natural gas, nuclear etc.) should expect this trend to continue with an increased focus on how the sector is addressing and managing cyber risk; a potential uptick in audits and enforcement can be expected as well as an increased focus on how the executive branch can partner with the energy sector to manage and protect against cyber risk. Looking at cybersecurity risk as an Enterprise Risk Management issue throughout the energy sector is going to be critical and should include a focus on the ability to manage preparedness, response and recover.