Aperture Podcast: E-ISAC on Biden 100-Day Plan for Power Grid Cybersecurity
By Michael Mimoso | May 18, 2021
The Biden administration’s recently announced 100-day plan to improve cybersecurity in electric utilities comes at a time when critical infrastructure is reeling from recent high-profile incidents, including the Colonial Pipeline ransomware attack. The plan unites privately and publicly held electric utilities, the Department of Energy (DOE), and CISA in an effort to improve defenses at a time when not only nation-states but also criminal organizations operating online are taking targeted swipes at critical infrastructure.
In this episode of Claroty’s Aperture podcast, Manny Cancel, CEO of the Electricity Information Sharing and Analysis Center (E-ISAC) and a NERC senior vice president, discusses the 100-day plan and why this is a critical time for the electricity industry and critical infrastructure.
“What the plan is pushing for is a partnership with the electricity sector. It wasn’t super prescriptive, but that provides an opportunity for both the government and the sector to work collaboratively to decide how we can best address this critical risk we face,” Cancel said.
The plan instructs the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) to partner with utilities to modernize cybersecurity defensive measures. The plan asks utility owners—many of whom are in the private sector—to improve detection, mitigation, and forensic capabilities, to lock down IT networks and improve visibility into operational technology (OT) networks and industrial control systems (ICS).
The plan also includes a request for information (RFI) from the DOE seeking input from the electricity industry—including academia, research labs, and other stakeholders—on recommendations to improve supply chain security.
“The biggest challenges come from the diversity of technologies we use across the sector. What do we bite off and chew first from a risk perspective is one of the first orders of business,” Cancel said. “The RFI is a great way to start this thing off where we’re not dictating what we’re going to do, but learn a little bit and try to address this in a risk-based way to make sure whatever we put in place really does a good job of providing a high level of protection for the sector.”
Cancel added that he’s encouraged to see the Biden administration push so early in its administration for cybersecurity improvements for the power grid, that he hopes to see a more deliberate focus on the security of OT and ICS systems.
“It’s where our greatest risk is,” he said. “Visibility into control systems and taking a more deliberate focus on the risk facing control systems is a paramount piece to this.”