IIOT Power

McCrary Institute, ORNL Launch First U.S. Regional Cybersecurity Center to Protect Grid

A $12.5 million project to establish the first U.S. regional cybersecurity research and operations center focused on grid protection has garnered a $10 million Department of Energy (DOE) grant.   

Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security is partnering with Oak Ridge National Laboratory (ORNL) to create the Southeast Region Cybersecurity Collaboration Center (SERC3). Leveraging the newly announced funding, the pilot center “will bring together experts from the private sector, academia, and government to share information and generate innovative real-world solutions to protect the nation’s power grid and other key sectors,” Auburn University said in a statement on April 18.

Led by Southern Co. Director of Business Technology, Planning, and Strategic Initiatives James Goosby at McCrary and Tricia Schulz at ORNL, SERC3 plans to “run experiments” with industry partners to support the integration of new and existing security software and hardware into operational environments. The new initiative will also establish research labs at Auburn University’s Samuel Ginn College of Engineering and at ORNL in Oak Ridge, Tennessee. 

“The center will conduct critical research and provide real operational solutions to protect all of us as we address these challenges,” said Steve Taylor, Auburn University’s senior vice president for research and economic development. “We are thankful to Oak Ridge National Laboratory for partnering with us and Rep. Mike Rogers for his support in securing funding for this critical program.” 

Another SERC3 key mission will be to develop workforce and skills development. The initiative will notably include a mock utility command center to train participants in real-time cyber defense. “We’re combining our capabilities to partner with industry, develop new security technologies, and transfer those technologies to industry, all while developing the workforce that will operate these enhanced systems,” said ORNL Director Stephen Streiffer.

A Notable Regional Effort to Counter Rising Cyber Threats

SERC3 represents a innovative effort to bolster cybersecurity and boost cyber resilience in the power sector, a critical infrastructure industry that remains highly vulnerable to cyberattacks.

While the sector strives to comply with critical infrastructure protection (CIP) standards set by the North American Electric Reliability Corp. (NERC)—a quasi-governmental compliance enforcement authority—it is also guided by voluntary cybersecurity frameworks, including from the DOE and the National Institute of Standards and Technology (NIST).

However, the sector also banks heavily on public-private collaborations, like the 1999–launched Electricity Information Sharing and Analysis Center (E-ISAC), which is operated by NERC but is organizationally isolated from the NERC’s enforcement process. E-ISAC serves as a vehicle of rapid security information on how to mitigate complex and evolving threats to the grid. The organization also conducts cyber-resiliency testing through GridEx, the largest grid security exercise in North America, which takes place every two years.

Industry also relies on several other partnerships. In 2014, the DOE’s Office of Electricity launched the Cybersecurity Risk Information Sharing Program (CRISP), which essentially serves as an “open-source” cyber threat intelligence and government-informed portal, facilitating the timely bi-directional sharing of unclassified and classified threat information, and the development of situational awareness tools. CRISP is managed by E-ISAC and advised by the DOE Office of Cybersecurity, Energy Security, and Emergency Response (CESER). Its participants currently provide power to more than 75% of U.S. customers, the DOE said. 

Still, for now, CESER spearheads much of the nation’s cybersecurity research and development (R&D), leveraging the DOE’s national labs to test components and configurations based on feedback from the industry. That includes continuous monitoring tools and capabilities for information systems and control networks and identifying best practices.

As the first regional public-partnership, SERC3 will take on part of this task, presenting a new, important R&D channel. “A secure and resilient grid is a national and regional imperative,” noted Frank Cilluffo, director of the McCrary Institute.

A Growing Landscape of Insidious Threats

SERC3’s efforts are direly needed given the insidious rise of new threat actors, suggested Puesh Kumar, CESER director, on Thursday. “I applaud Auburn University and Oak Ridge National Laboratory’s collaborative effort to advance grid cybersecurity,” he said.

“Everyone must come together—industry, the national laboratories, academia, as well as State and Federal governments—if we are to succeed against the growing cyber threats facing the U.S. energy sector from malicious actors and nation-states like the People’s Republic of China. This partnership is a critical example of that.”

Earlier this month, Manny Cancel, senior vice president of NERC and CEO of E-ISAC, provided a sobering analysis of those threats as he laid out key learnings from GridEx VII, E-ISAC’s seventh grid security exercise, which took place in November 2023.

Already challenged by an increasingly complex grid environment, threats have been exacerbated by global geopolitical tensions, including from Russia’s intensifying aggression in Ukraine and the escalating Israel-Hamas conflict, Cancel said. “Obviously, the current geopolitical situation has significant ramifications for the North American grid,” he remarked, pointing to the involvement of state actors like China, Russia, Iran, and North Korea in cyber espionage and attacks. 

“The increase [in challenges] is really driven by a couple of things,” he explained. “One is the increase in vulnerabilities … in critical software platforms or even hardware platforms. NIST tracks vulnerabilities, and at the end of 2022, we had probably 22,000, 21,000 that were published. In 2023, it was 23,000 to 24,000. If you do that math quickly, it’s about 60-plus vulnerabilities a day.”

An emerging trend is that adversaries are attacking platforms that they know are vulnerable, effecting a “one-to-many” attack, rather than attacking organizations piecemeal, he said. “The last thing I would draw attention to is ransomware. While the energy sector isn’t as targeted as other sectors,” he said. “There’s definitely been an increase on that over the past couple of years.”

GridEx VII emphasized a stronger need for the industry’s evaluation and deployment of resilient voice and data communication measures, Cancel said. It also showed the urgency for enhanced operational frameworks amid prolonged disruptions in energy markets, and improved coordination and clarity between the industry and the federal governments of the U.S. and Canada.

Over 15,000 participants from around 250 organizations across North America, including the electric industry, gas and telecommunications sectors, and U.S. and Canadian government partners, engaged in the two-day exercise orchestrated by E-ISAC’s GridEx team in November last year.

“GridEx VII’s scenarios explored, or further explored, the challenges presented by a coordinated and prolonged cyber and physical attack against the grid and its market systems,” Cancel explained. He stressed the importance of implementing these lessons: “Lessons learned are great, but they’re of no use if we don’t put them into practice.”

Sonal Patel is a POWER senior editor (@sonalcpatel@POWERmagazine).


SHARE this article