
Key Takeaways | Keeping the Lights On: Cyber Threat, Vulnerability and Oversight Considerations for the Energy Sector

During the latest webinar in our Energy Transition series, Partners Carl Fleming and Scott Ferber hosted PwC Principals Brad Bauch, US Power and Utilities Cybersecurity & Privacy Leader, and Mark Ray, Cybersecurity & Privacy, to discuss the cyber threat landscape the energy sector currently faces, the US government’s oversight of cybersecurity and the key considerations for building a robust compliance program.

Below are key takeaways from the webinar:

1. The Cyber Threat Landscape. Threat actors continually evolve the tactics, techniques and procedures they deploy against their targets, which makes for a daunting threat landscape. Where nation-state threat actors are involved, the risk of compromise is heightened. Ransomware continues to be, by far, the most prevalent issue organizations are contending with across all sectors and geographies, followed by supply chain attacks and zero-day exploits. Amid Russia’s invasion of Ukraine and the punishing sanctions being imposed, along with Russia’s demonstrated willingness to use malign cyber means against an array of targets, the energy sector should be on high alert for cyberattacks.

2. US Government Engagement. The US government is using a carrot-and-stick approach with the private sector to encourage and, in some instances, require robust cybersecurity, as well as information sharing. The bottom line is that the government expects more of the private sector (particularly the energy sector) when it comes to dealing with cybersecurity.

3. Building a Robust Compliance Program. There are unique considerations when building a robust compliance program that encompasses both Information Technology (IT) and Operational Technology (OT) systems. As a starting point, companies should consider:

  • Benchmarking against cybersecurity compliance programs at peer companies and similar industries
  • Creating processes that are enterprise-wide, with a control standards-based approach
  • Avoiding program siloing
  • Ensuring active monitoring and controlled access of IT and OT systems
  • Developing strong protections for legacy OT software that is operationally essential

Biden Administration Issues National Security Memorandum Shortly after the House Passes Three Bills Aimed at Cybersecurity in the Energy Industry

The federal government is seeking to increase cybersecurity in critical infrastructure industries through a voluntary Industrial Control Systems Cybersecurity Initiative (Initiative), while the US House of Representatives (House) is pursuing the same goal by passing three bills aimed at enhancing cybersecurity. Although the Initiative is currently voluntary, it is likely that the Initiative, along with the performance goals issued in conjunction with it, will become mandatory for companies that own or operate critical infrastructure facilities.

To strengthen the nation’s cybersecurity within the energy industry, the House recently passed the Energy Emergency Leadership Act (HR 3119), the Enhancing Grid Security through Public-Private Partnerships Act (HR 2931) and the Cyber Sense Act (HR 2928).

On July 28, 2021, shortly after the House passed the above three bills, the Biden Administration released a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (Memorandum). The Memorandum affirmatively recognized that the “[p]rotection of our Nation’s critical infrastructure is a responsibility at the Federal, State, local, Tribal and territorial levels and of the owners and operators of that infrastructure.” To protect such infrastructure, the administration states that it is its policy “to safeguard the critical infrastructure of the Nation, with a particular focus on the cybersecurity and resilience of systems supporting National Critical Functions…”

As a result, the administration established the voluntary Initiative between the federal government and the critical infrastructure community, with the primary objective of defending the United States’ critical infrastructure by facilitating the deployment of technologies and systems that increase cybersecurity. The Memorandum further instructs the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of Commerce’s National Institute of Standards and Technology (NIST) to develop cybersecurity performance goals for critical infrastructure. The US Secretary of Homeland Security is to issue initial goals for control systems no later than September 22, 2021, with cross-sector and sector-specific goals to follow within a year of the Memorandum.

On May 7, 2021, just before 5 am, an employee in the Colonial Pipeline Co.’s control room found a ransom note sent by hackers demanding cryptocurrency. In response, Colonial Pipeline Co. Chief Executive Officer Joseph Blount shut down the entire pipeline by 6:10 am. This marked the first time in its 57-year history that Colonial Pipeline Co. shut down its entire gasoline pipeline system. Colonial Pipeline Co. paid the hackers, who were an affiliate of a Russia-linked cybercrime group known as DarkSide, a $4.4 million ransom shortly after the hack. However, the US Department of Justice announced it recovered $2.3 million of the ransom in June.

Only months after this significant breach, the House approved HR 3119, introduced by US Representatives Bobby Rush (D-IL) and Tim Walberg (R-MI), to make energy emergency and cybersecurity responsibilities a core function of the US Department of Energy (DOE) and to create a new assistant secretary position focused specifically on these issues. In a statement released [...]

FERC Rejects Department of Energy Proposal Benefitting Coal and Nuclear

On January 8, 2018, the Federal Energy Regulatory Commission (FERC) rejected the Department of Energy’s (DOE) Proposed Rule, which would have required organized wholesale electricity markets run by independent system operators (ISOs) or regional transmission organizations (RTOs) to establish tariff mechanisms for purchasing energy from eligible “reliability and resilience resources” and mandated recovery of costs plus a return on equity for such resources. To be eligible, a reliability and resilience resource would have to (1) be located within an RTO/ISO, (2) be able to provide essential reliability services and (3) have a 90-day fuel supply on-site. In practice, these requirements would have limited participation to coal and nuclear plants.