The federal government is seeking to increase cybersecurity in critical infrastructure industries through the implementation of a voluntary Industrial Control Systems Cybersecurity Initiative (Initiative), while the US House of Representatives (House) concurrently focuses on the same goal by passing three bills aimed at enhancing cybersecurity. While the Initiative is currently voluntary, it is likely that it, along with the performance goals issued in conjunction with it, will become mandatory for companies that own or operate critical infrastructure facilities.
In order to focus on strengthening the nation’s cybersecurity within the energy industry, the House recently passed the Energy Emergency Leadership Act (HR 3119), the Enhancing Grid Security through Public-Private Partnerships Act (HR 2931) and the Cyber Sense Act (HR 2928).
On July 28, 2021, shortly after the House passed the above three bills, the Biden Administration released a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (Memorandum). The Memorandum affirmatively recognized the “[p]rotection of our Nation’s critical infrastructure is a responsibility at the Federal, State, local, Tribal and territorial levels and of the owners and operators of that infrastructure.” In order to protect such infrastructure, the administration provides that it is their policy “to safeguard the critical infrastructure of the Nation, with a particular focus on the cybersecurity and resilience of systems supporting National Critical Functions…”
As a result, the administration established the voluntary Initiative between the federal government and the critical infrastructure community with the primary objective of defending the United States’ critical infrastructure through facilitating the deployment of technologies and systems that will increase cybersecurity. The Memorandum further instructs the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of Commerce’s National Institute of Standards and Technology (NIST) to develop cybersecurity performance goals for critical infrastructure. The US Secretary of Homeland Security will issue initial goals for control systems no later than September 22, 2021, with cross-sector and sector-specific goals to be issued within a year of the Memorandum.
On May 7, 2021, just before 5 am, an employee in the Colonial Pipeline Co.’s control room found a ransom note sent by hackers demanding cryptocurrency. In response, Colonial Pipeline Co. Chief Executive Officer Joseph Blount shut down the entire pipeline by 6:10 am. This marked the first time in its 57-year history that Colonial Pipeline Co. shut down its entire gasoline pipeline system. Colonial Pipeline Co. paid the hackers, who were an affiliate of a Russia-linked cybercrime group known as DarkSide, a $4.4 million ransom shortly after the hack. However, the US Department of Justice announced it recovered $2.3 million of the ransom in June.
Mere months after this significant breach of cybersecurity, the House approved HR 3119, which was introduced by US Representatives Bobby Rush (D-IL) and Tim Walberg (R-MI) to establish energy emergency and cybersecurity responsibilities as a core function of the US Department of Energy (DOE) and to create a new assistant secretary position to focus specifically on these issues. In a statement released after the House approved HR 3119, Representative Rush stated, “[o]ur energy infrastructure is facing major, increasing threats from ransomware attacks, climate change, and bad actors – this reality has been thrown into stark relief in recent months…. By creating a new assistant secretary position, the Energy Emergency Leadership Act will boost energy security as a core responsibility of the department.” He reasoned, “[t]his is necessary given recent attacks, including on Colonial Pipeline, as well as ongoing threats to our energy infrastructure.” In another statement, Representative Walberg similarly provided that “[t]hese cyberattacks pose a significant risk to our nation’s economy.”
HR 2931, sponsored by US Representatives Jerry McNerney (D-CA) and Bob Latta (R-OH), directs the US Secretary of Energy to create a program that facilitates and encourages public-private partnerships that will enhance the physical and cybersecurity of electric utilities. “The electric grid is the backbone of our economy and essential to almost everything in our lives,” Representative McNerney said. “It is imperative that we invest in grid modernization and security and address any vulnerable component or weakness that poses a threat to our physical and national security.”
HR 2928, which was also sponsored by Representatives McNerney and Latta, is designed to strengthen the US electric infrastructure by encouraging coordination between the DOE and electric utilities through establishing a Cyber Sense program that would test the cybersecurity of technologies intended for use in the bulk-power system. “Recent cyber-attacks on U.S. institutions and businesses like SolarWinds prove that Congress needs to act to ensure our grid remains strong and resilient,” Representative Latta stated. “The Cyber Sense Act and the Enhancing Grid Security through Public-Private Partnerships Act will collaboratively build a relationship between the DOE and utilities to strengthen our security efforts and keep us safe from domestic and foreign attacks.”
US House Committee on Energy and Commerce Chairman Frank Pallone, Jr. (D-NJ) and Energy Subcommittee Chair Bobby Rush (D-IL) jointly stated that, “[t]he three bipartisan pieces of energy cybersecurity legislation that passed today will enhance the security and resiliency of our energy system and represent the first legislative step toward addressing growing cybersecurity threats on our energy infrastructure.”
The DOE is similarly taking steps to enhance cybersecurity, having released Version 2.0 (V2.0) of the Cybersecurity Capability Maturity Model (C2M2), a tool created to assist companies of all types and sizes in evaluating and advancing their cybersecurity capabilities. The release of C2M2 V2.0 advances the administration’s 100-day plan to address cyber threats to systems that are essential to US national and economic security. “Through the release of C2M2 Version 2.0 and other activities under the 100-day Cyber Initiative, we are taking deliberate action to protect against cyber threats and attacks,” said Puesh Kumar, Acting Principal Deputy Assistant Secretary for the DOE’s Office of Cybersecurity, Energy Security and Emergency Response (CESER).