U.S. Energy Firms to Receive $45M to Boost Cybersecurity, But What Will It Fix?

The Department of Energy announced this week that it’s investing $45 million to protect the power grid from cyber attacks.

Energy Secretary Jennifer Granholm said in a statement that the money will be used to fund up to 15 research projects that will “create, accelerate, and test technology” to bolster energy companies’ security systems.

She added: “As [Department of Energy] builds out America’s clean energy infrastructure, this funding will provide the tools for a strong, resilient, and secure electricity grid that can withstand modern cyberthreats and deliver energy to every pocket of America.”

The funding will also establish and strengthen existing partnerships with energy sector utilities, vendors, and universities.

Where will the money be spent?

The research project has proposed six topics for investment:

  1. Automated Cyber Attack Prevention and Mitigation, which will develop tools and technologies that help energy systems recognize and prevent cyberattacks.
  2. Security and Resiliency by Design, which will help organizations embed cybersecurity and cyber resilience into tools and technology.
  3. Authentication Mechanisms for Energy Delivery Systems, which will develop tools and technologies that strengthen user authentication.
  4. Automated Methods to Discover and Mitigate Vulnerabilities, which will develop tools and technologies that address technical vulnerabilities in energy delivery control system applications.
  5. Cybersecurity Through Advanced Software Solutions, which will develop software tools that can be used in a holistic testing environment.
  6. Integration of New Concepts and Technologies with Existing Infrastructure, in which applicants will partner with energy asset owners and operators to demonstrate cybersecurity technologies that can be embedded into existing infrastructure.

Is this the answer?

Cybersecurity investments are always a positive, given the threat of data breaches that organizations face. There were more than 1,200 publicly disclosed information security incidents in 2021, with critical infrastructure such as energy suppliers being particularly at risk.

As the U.S. saw with the ransomware attack on Colonial Pipeline, an attack on essential services can cause immediate operational disruption and financial costs.

But when the causes of cyber attacks are so complex, the solution is rarely as simple as financial investment. The technologies proposed in this bill will no doubt help energy firms prevent cyber attacks, but they must be supported with a cultural shift in the way cybersecurity is practised.

In addition to technical solutions, organizations must implement effective policies and processes, and they should educate their employees on the threat.

Organizations in the European Union are well aware of this. The introduction of the GDPR (General Data Protection Regulation) four years ago created an umbrella set of rules that dictated how organizations should approach information security.

The U.S. has been more hesitant in its approach to legislation, with countless state-level bills being proposed and subsequently rejected.

Meanwhile, only months ago, Congress failed to pass legislation that would have required organizations in critical sectors such as energy and transportation to alert the government when they suffered cyber attacks.

This was despite 93% of people in a Washington Post expert panel favouring such mandates.

Similar requirements were later adopted in the Cyber Incident Reporting for Critical Infrastructure Bill, which President Joe Biden signed into law on March 15, 2022.

Its rules mirror the GDPR in requiring covered organizations to report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security within 72 hours.

It also requires covered organizations to report ransomware payments within 24 hours of making them.

Even with these requirements, the U.S. is still a long way behind the European Union in its cybersecurity legislation. However, when coupled with financial investment into cybersecurity technology, the country is taking positive steps in recognizing and addressing the threat.

How the NIST Cybersecurity Framework can help

Organizations in the energy sector that are looking to bolster their cybersecurity don’t need to rely on major financial investment. The NIST (National Institute of Standards and Technology) Cybersecurity Framework provides practical guidance on steps organizations can take to bolster their defences.

The voluntary framework is primarily designed to help critical infrastructure organizations manage cybersecurity risk, and is based on existing standards, guidelines, and practices.

Our free guide, Implementing Cybersecurity – The case for the NIST CSF, describes the main components of the framework and how they fit together.

It also explains how the framework can strengthen your organization’s security measures and help you comply with U.S. and international cybersecurity laws.