On May 30, 2018, the White House released a key report, entitled "Assessment of Electricity Disruption Incident Response Capabilities," which was required by the May 2017 White House Cybersecurity Executive Order 13800 discussed in a prior blog. The report, written by the U.S. Departments of Homeland Security (DHS) and Energy (DOE), reviews the state of preparedness of the electricity sector and its ability to manage cybersecurity attacks, with a focus on how such attacks would impact other sectors. The level of risk to the U.S. was reviewed using three levels of evaluation, looking at impacts on 1) the economy, 2) national security and 3) public health and safety.
Importantly, the report states that the "electric grid is reliable" and cites the maturity of the industry's traditional emergency plans and response mechanisms for physical emergencies, as well as the current stakeholder incident response capabilities. However, it does state that "power restorations following a significant cyber incident could be more challenging than previously experienced." The report refers to concerns that the industry would be "stressed" by any major cybersecurity incident and uses the cybersecurity attack against Ukraine as a case study to illustrate the risks.
The report identifies the potential for a large impact on the economy where "blackouts of large scale or long duration can easily result in economic costs of many billions of dollars." It defines the power grid as "vital to the U.S. national defense and homeland security" with national security risks that can impact the communications, transportation, health and emergency service sectors. The loss of power is cited as impacting public health and safety, including the ability of the health care sector, water, sewage and food storage to function beyond limited periods of time.
The report focuses on six gaps in assets and capabilities of the sector and thirty-two major recommendations that direct DHS, DOE and state officials/regulators to work with the private sector to take action. The gaps include:
- Cyber Situational Awareness and Incident Impact Analysis
- Roles and Responsibilities under Cyber Response Frameworks
- Cybersecurity Integration into State Energy Assurance Planning
- Electricity Cybersecurity Workforce and Expertise
- Supply Chain and Trusted Partners
- Public-Private Cybersecurity Information Sharing
It is important to note that this report kicks off a longer effort, led by DHS and DOE, both to help the electricity sector manage its cyber risk and to address how a cyber outage could impact other lifeline sectors. DHS recently issued its 2018 Cybersecurity Strategy, which will govern the energy sector and other Critical Infrastructure Sectors. DOE also recently released an Integrated Strategy to Reduce Cyber Risks to the U.S. Energy Sector. All three documents provide a guidepost for actions that will be taken and should be reviewed in detail. For more information, please contact the author of this blog.