The Biden administration has announced a 100-day initiative to secure the grid from hackers as concerns grow over the defense of critical infrastructure following several high-profile cyberespionage campaigns.
The 100-day plan unveiled today by the Department of Energy and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency aims to protect industrial control systems that manage the grid and their supply chains from cybersecurity threats.
The Biden administration also announced it would revoke a Trump-era order barring U.S. power utilities from buying certain equipment from China. That DOE ban came in response to an executive action from former President Trump last year meant to protect the electric sector supply chain from foreign nations deemed a security risk. DOE said the decision to revoke the agency’s December prohibition order was meant to create a "consistent and clear policy environment."
"The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses," said Energy Secretary Jennifer Granholm. "It’s up to both government and industry to prevent possible harms — that’s why we’re working together to take these decisive measures so Americans can rely on a resilient, secure and clean energy system."
The DOE announcement said the initiative will "encourage" grid owners and operators to implement technologies that help with "detection, mitigation, and forensic capabilities." The plan will also include "concrete milestones" to deploy new tools to have real-time awareness of industrial control systems and operational technologies (OT) in electricity networks.
Cybersecurity experts have long warned that one of the major vulnerabilities in the U.S. power grid is a lack of insight into the complex and vital control system networks. The Biden administration’s focus on industrial visibility has been met with praise by cybersecurity officials since the administration first announced the issue would be a priority in March.
However, some experts questioned President Biden’s decision to suspend a May 1, 2020, executive order by Trump aimed at blocking certain foreign-made grid equipment from being installed in U.S. networks.
On his first day of office, Biden directed the Energy secretary and director of the Office of Management and Budget to consider replacing the order. DOE wrote at the time that the agency expects utilities to refrain from purchasing new grid equipment from nations including Russia and China (Energywire, Jan. 26).
The suspension was met with initial praise from industry leaders; the Trump administration’s announcement last year came as a surprise to many in the electricity sector and was rolled out with little consultation from top grid officials.
DOE today released a request for information from the electric sector focused on "preventing exploitation and attacks by foreign threats to the U.S. supply chain." The responses would "enable DOE to evaluate new executive actions," it said. Comments are due by June 7.
DOE also said it expects utilities to "act in a way that minimizes the risk of installing electric equipment" from hostile nations.
Acting CISA Director Brandon Wales said in a statement that "the safety and security of the American people depend on the resilience of our nation’s critical infrastructure."
"This partnership with the Department of Energy to protect the U.S. electric system will prove a valuable pilot as we continue our work to secure industrial control systems across all sectors," Wales said.
The North American Electric Reliability Corp., which sets and enforces cybersecurity standards for large U.S. power providers, "welcomes today’s announcement," a spokesperson said in an email.
The spokesperson said that NERC’s Electricity Information Sharing and Analysis Center has seen a "marked increase in cyber and physical security threats in the past year" and the nonprofit supports "measures to enhance the security of our nation’s critical infrastructure and [looks] forward to our continued collaboration with DOE."
Tom Kuhn, president of the Edison Electric Institute, praised the initiative in a statement, saying that the "ICS effort announced today is complementary to other [Electricity Subsector Coordinating Council] initiatives already underway, and shows the industry’s willingness to collaborate on new, creative approaches that enhance security."