COMMENTARY
As the incoming administration prepares its list of priorities once President-elect Trump is sworn in for a second term on Jan. 20, 2025, it is a national security imperative that cybersecurity policy be sufficiently prioritized in a manner that enhances the security of America’s electric grids and the energy sector, as a whole. Shortly before the November election, the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University, where I serve as director, released a joint report with the Cyberspace Solarium Commission 2.0 in which a task force of leading, bipartisan cybersecurity experts outlined 40 recommendations for the next administration. The experts assembled for this task force brought collective experience spanning the last five presidential administrations, congress, the intelligence community, defense, law enforcement, and the private sector. We released this report before the election to underscore the bipartisan and objective nature of the recommendations. Now that the transition is well underway, it is critical that the report’s content be weighed by whoever assumes the helm at the nation’s key cyber agencies next month.
It is widely known that cyber adversaries regularly and increasingly target America’s critical infrastructure, and the threat facing the energy sector is only growing more severe. Ongoing fallout surrounding the Chinese Communist Party-linked threat actors, Salt Typhoon and Volt Typhoon, underscore the severity of the threat landscape. Recent reports indicate that cyber attacks against utilities were up 70% in 2024, with power utilities particularly vulnerable amidst efforts to expand service to meet rising demand. The energy sector also faces threats to both information technology (IT) and operational technology (OT) systems, with threat potential to cause serious disruptions to internal systems and data, not to mention service. What’s more, ransomware attacks are costing the energy, oil, and gas sectors more time and money than ever before, with more than half of utilities requiring at least a month to recover. Systems that utilities depend upon are becoming increasingly interconnected, and, hence, vulnerable to attack at the same time that nation-state actors and cyber-criminal organizations are increasing their targeting of electric utilities. This is all happening within the context of a regulatory environment that struggles to act cohesively and in a manner that keeps relevancy a priority above mere compliance. Industry is on the front lines of this threat environment and cannot go it alone. Government partners need to engage more effectively, by both improving collaboration with the private sector and by imposing costs and deterring cyber attackers.
Specifically, the report outlines eight themes demanding immediate attention for the next administration: harmonizing cybersecurity regulations; strengthening government coordination; cost imposition and deterrence; improving resilience; shaping the international environment; developing the cyber workforce; securing critical and emerging technologies; and resourcing efforts to secure the economy and ensure continuity of critical infrastructure sector operations. One recommendation of particular importance to power utilities and the energy sector is the need to streamline federal cyber requirements, which also includes the recommendation of improving government coordination. The next administration would enhance cybersecurity of grids if it alleviates the reporting and compliance burdens facing owners and operators in this sector. The energy sector would stand to be better prepared to defend against and respond to cyber attacks if the lines of both authority and communication were clearer among the Department of Homeland Security (DHS), the Department of Energy (DOE), and others. The U.S. government should create a mechanism of, not only feedback from the private sector, but also regular review and revision of cybersecurity regulations to guarantee they remain relevant in the face of evolving threats.
We can improve the cybersecurity of our power utilities and energy sector by enhancing the resiliency of our grids. The digitization of operational systems, as well as new threats in the software supply chain, present a wide array of potential vulnerabilities in OT/IT systems. One way the new administration can accomplish this would be to work with industry to refine and exercise sector-specific security standards for both IT and OT systems, considering both the distinct nature of each of these environments and the unique operational requirements of the sector. The federal government can incentivize adoption and improvement through measures like tax breaks, preferential contracting, or access to additional government resources and support.
The DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has done some work to this effect with its Clean Energy Cybersecurity Accelerator (CECA) program; however, such initiatives should be both scaled and broadened beyond just clean energy. This would improve reach and effectiveness. Additionally, while not covered in the task force’s report, it is worth noting that the current administration effectively diminished CESER’s prominence by converting the position heading that office from one that was Senate-confirmed to a direct presidential appointment. I believe this has the net impact of limiting CESER’s accountability to the legislative branch, while also making the office less of an authority within the interagency and with the private sector. While administrations are typically loath to elevate Congress’s role, the new administration should revert to CESER’s director being a Senate-confirmed position.
The cybersecurity of America’s energy sector must take a prominent position atop the priority list for the second Trump administration. Otherwise, the U.S. economy—and the American people—will continue to face an unsustainable level of risk. By streamlining the rules directed at the energy sector, improving government coordination, and by improving the resiliency of electric grids, the federal government can make a marked impact on protecting Americans’ way of life and the economic security of the U.S.
—Frank Cilluffo directs the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University. He previously served as a commissioner on the U.S. Cyberspace Solarium Commission and as a special assistant to President George W. Bush for homeland security. Kyle Klein is the Institute’s deputy director for policy and partnerships, and previously served as the staff director of the U.S. House of Representatives Committee on Homeland Security.
