The Biden administration this week issued a new spate of actions to bolster the nation’s cybersecurity, though details of its 100-day plan issued last month to address risks to the U.S. bulk power system (BPS) remain scant.
In a May 11 notice, the president said his administration would continue, for one year, a national emergency declared by President Trump in May 2019 to secure the information and communications technology and services supply chain. And on May 12, Biden signed a lengthy executive order (EO) to modernize cybersecurity defenses of federal networks, improve public-private information sharing, and strengthen the U.S.’s ability to respond to cyberattack events.
Among the new EO’s key actions: it requires IT service providers to share with the government certain breach information that could impact government networks. It also requires the federal government to secure cloud services and adopt a “zero-trust” security model. Significantly, it establishes baseline security standards for software sold to the government, requiring developers to maintain more visibility into their software and to make security data publicly available.
The EO also spearheads development of an “Energy Star”-type label under a pilot program to help the public quickly determine whether software was developed securely. “We need to use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up,” the administration said. Another unique approach is that the EO establishes a “Cybersecurity Safety Review Board.” Co-chaired by government and “private sector leads,” the board will convene following a cyberattack to analyze the incident and make “concrete recommendations” for improving cybersecurity.
As notably, it creates a “standard playbook” that sets definitions for cyber incident response by federal agencies, essentially seeking to standardize the varying maturity levels of its response plans. The playbook “will also provide the private sector with a template for its response efforts,” the administration said. Finally, it seeks to improve federal detection, response, and remediation of malicious cyber activity.
Responding to a Spate of Concerning Cyber Incidents
The administration said the two actions this week respond to the recent SolarWinds, Microsoft Exchange, and Colonial Pipeline cybersecurity breaches. Experts have told POWER that all three incidents, and many others over the past year—including an attempt to infiltrate a Florida water treatment plant—point to the alarming lengths to which sophisticated adversaries will go to compromise U.S. networks.
“They will use never-seen-before techniques, exquisite tradecraft, and zero-day vulnerabilities to defeat our current cybersecurity architecture,” Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency (CISA), told lawmakers.
Wales, who testified on May 11 at the Senate Committee on Homeland Security and Governmental Affairs, warned that the SolarWinds supply chain compromise has been especially troubling because the federal government did not become aware of the “highly sophisticated operation” until December 2020—though it began in September 2019. Wales has said the “best-known” infection vector was through a supply chain compromise of the SolarWinds Orion network management system when malicious code was inserted into software updates, which were then made available to customers as trusted software patches.
According to SolarWinds, nearly 18,000 entities received a malicious version of the software; the resulting incidents included compromises of U.S. government agencies, critical infrastructure entities, and other private-sector organizations. CISA suggests the primary objective of the threat actors—the Russian Foreign Intelligence Service (SVR)—“appears to be gaining access to sensitive but unclassified communications.” According to Wales, the U.S. government is also aware of additional victims with related Microsoft Office 365 compromises that pre-date the delivery of the SolarWinds back door. However, “in the few months since the [SolarWinds campaign], CISA has additionally led the national response to widespread exploitation of vulnerabilities in Pulse Connect Secure, a common Virtual Private Network technology used to connect remote workers to their organizational networks, and in Microsoft Exchange Servers,” he said on Tuesday.
The Colonial Pipeline incident, meanwhile, raised the alarm about increasingly sophisticated cybercrime models. It involved a DarkSide ransomware attack on a 5,500-mile pipeline that transports about 45% of all fuel consumed on the East Coast from refineries primarily in the Gulf Coast. As experts told POWER this week, DarkSide operates a ransomware-as-a-service (RaaS) model, in which one criminal group develops the ransomware and hosts the infrastructure upon which it operates, then leases that capability to another criminal group to conduct an attack.
Biden Seeks More Industry Input on BPS Supply Chain Security Actions
Manny Cancel, a senior vice president at the North American Reliability Corp. (NERC) and CEO of the Electricity Information Sharing and Analysis Center (E-ISAC), in April told reporters that roughly a quarter of its membership of 1,500 bulk power system entities reported installing the infected SolarWinds software. “They had it in both their corporate or operational technology [OT], though for the OT networks, there was a minority of respondents that indicated they had it.”
However, an “overwhelming majority” did not experience any of the indicators of compromise, “meaning the command and control activity,” that other sectors saw, Cancel said. “The overwhelming majority was aware of the compromise, and again, credit goes out to the vendors, particularly FireEye, for getting the word out, and also the U.S. government—the Department of Energy (DOE) and Homeland Security—sensitized us to this very quickly and shared information very quickly, which we subsequently got to our members,” he said.
Still, Jim Robb, president and CEO of NERC—the entity that the Federal Energy Regulatory Commission has designated to serve as the nation’s electric reliability organization, and which issues and enforces mandatory critical reliability standards for BPS cybersecurity—told reporters the incidents are concerning because “the adversary solved the one-to-many problem.” Rather than “going after each individual asset or target, they corrupted an intermediary product that then had access to all sorts of targets for them, and that really has our attention as we think about the potential for a coordinated attack against the electric sector,” he said.
Grid Cybersecurity Strategy Takes a Different Approach
The Biden administration’s recent actions build on actions promulgated by the Trump administration, underscoring the risks cybersecurity threats pose to national security. However, the Biden administration appears to be taking a more industry-inclusive approach.
Especially notable is that as one of its first steps on Jan. 20, the Biden administration issued a 90-day suspension of President Trump’s “Securing the U.S. Bulk Power System” executive order (EO 13920). Declaring a national emergency over bulk power system (BPS) threats, that broad and highly controversial measure by the Trump administration essentially sought to ban the “acquisition, imports, transfers, or installation” of more than 20 risk-ridden BPS electric equipment categories in which a foreign adversary or a citizen of countries deemed adversaries has any interest, including “through an interest in a contract for the provision of the equipment.” In line with the order, the DOE in December 2020 also issued a “prohibition order” that barred utilities that supply critical defense facilities (CDF) at a service voltage of 69 kV from “acquiring, importing, transferring, or installing BPS electric equipment” that is supplied by Chinese entities.
However, on April 20, as the 90-day suspension expired, the Biden administration reinstated EO 13920—at least, until it expired on May 1—but it revoked the China-focused prohibition order. Instead, it issued a new request for information (RFI), for which it has invited comment until June 7, 2021. The administration said the measures would promulgate federal action that “appropriately balances national security, economic, and administrability considerations.”
The April 20 RFI is now the second issued by the federal government to tackle BPS supply chain security. While industry initially received the Trump executive order with significant confusion about how it would apply to power sector transactions, especially those that were already in the pipeline, responses from a wide array of BPS stakeholders to a previous RFI issued by the DOE in July 2020 suggest support for federal action on risks posed to the U.S. power system supply chain. However, nearly all submitters also urged much more clarity on how the DOE expects BPS facility owners, operators, and equipment vendors to assess and mitigate risks related to “foreign ownership, control, and influence (FOCI)” within their companies and suppliers.
The new RFI, notably, seeks industry input on the “development of a long-term strategy,” including how the federal government can address FOCI through time-limited emergency authorities. It asks, for example, “What actions can the [DOE] take to facilitate responsible and effective procurement practices by the private sector? What are the potential costs and benefits of those actions?” It also asks industry whether “prohibition orders” or other bans related to “at-risk” equipment are appropriate for electric infrastructure that serves the distribution system, other critical infrastructure sectors, and infrastructure that enables national critical functions.
The RFI, the administration says, will be used to inform “other potential actions by the DOE.” Yet, nearly three weeks since its issuance, if and how industry has responded is unclear: Though the DOE says on a dedicated page that it will share public comments submitted in response to the RFI, it has not yet publicized any comments.
A 100-Day Plan—but Little Visibility About What It Entails
As pivotally, on April 20 the Biden administration also declared the start of a “100-day” plan to “enhance the cybersecurity of electric utilities’ industrial control systems (ICSs) and secure the energy sector supply chain.” The DOE says the 100-day plan is a “coordinated effort” between the DOE (through its Office of Cybersecurity, Energy Security, and Emergency Response [CESER]), the power sector, and CISA to “advance technologies and systems” that could provide greater cyber visibility, detection, and response capabilities for ICSs at electric utilities.
However, though the DOE said the 100-day initiative would include concrete milestones “for owners and operators to identify and deploy technologies and systems that enable near real-time situational awareness and response capabilities in critical ICS and operational technology (OT) networks,” three weeks after its declaration, details of the 100-day plan remain scant. POWER has asked for more clarity on specific directives, but it has not yet received a response from the agency.
Industry Generally Optimistic
Recent news from the industry indicates some progress. On May 10, the National Rural Electric Cooperative Association (NRECA) said it had been awarded $3.9 million by the Pacific Northwest National Laboratory (PNNL) to expand its Essence co-op pilot program. Essence, which garnered $6 million from the DOE last fall, is an NRECA-created IT and OT sensor platform that has advanced capabilities “to detect industrial control system anomalies and threats with speed and precision,” NRECA said. “As part of the deployment process, Essence systems will be the first ones to connect to PNNL’s Cybersecurity Risk Information Sharing Program (CRISP), which leverages DOE resources to analyze and distribute actionable threat information to the energy sector.”
A key benefit that could emerge from the 100-day initiative is that it will highlight current vulnerabilities and help shape a good strategy to address them, Bryan Gwyn, senior director of solutions at Doble Engineering, told POWER. The BPS, he noted, has been developed over a number of years, but owing to rapid changes to accommodate renewables and decentralized systems, “we’ve had to move quickly to help our clients develop some solutions to mitigate [emerging cybersecurity] threats,” he said. A widespread collaboration that involves a “broad spectrum of agencies, academia, suppliers, and utilities” could deliver “some good roadmaps that will get us to a point where we’ll be able to develop some very good solutions to address these issues, improve resilience, and also enable us to educate the workforce,” Gwyn said.
The value of bringing all power stakeholders to the table is to emphasize each entity’s and individual’s responsibility, but it could also highlight crucial defense gaps, such as for Level 1 field devices—which control essential power plant operations systems and processes—along with the current emphasis on network protection, Doble Cyber Security Engineer Sagar Singam added. Strategies to address these longstanding issues could also yield certification of a cyber-maturity model, which would help stakeholders prioritize protection of their assets, he said.
Tobias Whitney, vice president at Fortress Information Security, in April told POWER the Biden administration’s RFI was also a step in the right direction because it puts a focus on “nuanced” aspects of grid security. It “kind of really refines where we left off with the previous administration’s EO and prohibition orders, and it is an acknowledgment that the supply chain area needs more context-specific [input] from various industry experts,” he said.
Asked about the potential uncertainty posed by the scrapped prohibition order and looming new rules that could govern BPS supply chain security, Whitney said industry has already made “real, measurable, demonstrative activities” since the Trump administration issued its EO. “More transparency in the supply chain procurement process is something that’s already happening,” he said.
Fortress, for example, hosts the Asset to Vendor Network, a mutual assistance platform that includes members like American Electric Power, Southern Co., and Hitachi ABB Power. The platform’s members recently “expressed, through a letter to over 220 manufacturers that all provide some technologies, either on the grid, for the power system, or the telecommunications infrastructure, to work with those manufacturers to provide a bill of materials on their products so that industry can have a better understanding to make decisions about 5G, as it relates to critical defense infrastructure, as it relates to just critical grid infrastructure,” said Whitney.
Recent actions could “encourage the suppliers to work more hand-in-hand, more transparently with their buyers,” he suggested. “To this point, with the EO and prohibition orders, a lot of suppliers have been asked just to provide attestations, saying, ‘Yes, we do not have major critical microprocessor-based components that are being sourced from China,’” he added. “But attestation is one thing; being able actually to have to provide the evidence that supports that statement is a challenge. They’re starting to recognize that is going to be the reality sooner than later—to not only just provide an attestation that they’re doing their best to mitigate risks, but provide evidence, that software bill of materials, or a hardware bill of materials, to indicate through an objective way that their technology is not being sourced by these adversarial nations,” Whitney said.
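As an added illustration of the attestation-versus-evidence distinction Whitney draws (example code written for this page, not from the article or from any company named in it): a bare attestation is a claim a buyer cannot decompose, while a bill of materials lists components with supplier and origin fields that can be checked against the buyer's own sourcing policy. The record layout, supplier names, origins and the restricted-origin policy below are all constructed.

```python
# Constructed example: a bare supplier attestation versus a component-level
# bill of materials (BOM) that a buyer can actually review. All field names
# and values are made up for illustration.
from dataclasses import dataclass

# A bare attestation carries a claim but no per-component evidence.
ATTESTATION = {"supplier": "ExampleVendor", "claim": "no restricted-origin components"}

# A constructed hardware/software BOM for one product. One component has
# no declared origin, which is itself a gap a reviewer should surface.
SBOM = {
    "product": "ExampleRelay-9000",
    "supplier": "ExampleVendor",
    "components": [
        {"name": "main-mcu", "kind": "hardware", "supplier": "ChipCo", "origin": "TW"},
        {"name": "radio-module", "kind": "hardware", "supplier": "WaveWorks", "origin": "CN"},
        {"name": "rtos", "kind": "software", "supplier": "ExampleVendor", "origin": "US"},
        {"name": "tls-lib", "kind": "software", "supplier": "OpenLibs"},
    ],
}

@dataclass
class Finding:
    component: str  # "*" when the finding applies to the whole product
    reason: str

def review_attestation(attestation: dict) -> list[Finding]:
    """An attestation alone yields one finding: there is nothing to verify."""
    return [Finding("*", f"unverifiable claim from {attestation['supplier']}: "
                         f"{attestation['claim']!r}")]

def review_sbom(sbom: dict, restricted_origins: set[str]) -> list[Finding]:
    """Flag components whose origin is restricted by the buyer's policy or is undeclared."""
    findings: list[Finding] = []
    for comp in sbom["components"]:
        origin = comp.get("origin")
        if origin is None:
            findings.append(Finding(comp["name"], "no origin declared"))
        elif origin in restricted_origins:
            findings.append(Finding(comp["name"], f"origin {origin} restricted by policy"))
    return findings

if __name__ == "__main__":
    policy = {"CN"}  # constructed buyer policy, not a real prohibition list
    for f in review_attestation(ATTESTATION) + review_sbom(SBOM, policy):
        print(f"{f.component}: {f.reason}")
```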
Meanwhile, though it is not focused on the BPS, another takeaway from the Biden administration’s May 12 EO on improving the nation’s cybersecurity is that it “clearly acknowledges the value of government-industry partnership, and we support the stated national security goals that aim to improve coordination across government and with the private sector to prepare for and respond to threats from malicious cyber actors,” said Tom Kuhn, president of the Edison Electric Institute (EEI), an organization that represents all U.S. investor-owned electric companies.
“We have long maintained that grid security is a shared responsibility, and addressing dynamic threats to the energy grid requires vigilance and coordination that leverages both government and industry resources,” Kuhn added. “EEI and our member companies already are working closely with our government partners through the CEO-led Electricity Subsector Coordinating Council, and this EO complements this ongoing collaboration to protect America’s critical energy infrastructure.”