President Biden’s recent executive order aimed at strengthening the federal government’s defense against hackers is also nudging the energy sector to raise standards.
Biden’s May 12 order, signed less than a week after a ransomware attack shut down the 5,500-mile Colonial oil pipeline, is in large part a response to a broader Russia-linked cyberespionage campaign against U.S. agencies. The massive hack into SolarWinds Inc., a major software provider, affected at least nine federal agencies and at least 100 other companies and nongovernmental organizations.
Experts say Biden’s call for tougher standards for software vendors will ripple across the private sector. The same goes for energy companies, which will be forced to reassess how well they can defend against hackers in the aftermath of the Colonial intrusion and as energy regulators consider the costs to consumers (Energywire, May 13).
Daniel Skees, partner at the law firm Morgan Lewis, said the order is "clearly intended to be trend-setting and leading the way for the private sector."
Skees said that several aspects of the order, including an upcoming guidance on enhancing supply chain security and improving cloud services, will affect the energy sector. The order called for the National Institute of Standards and Technology (NIST) to develop a series of guidelines to enhance supply chain security for software.
The guidelines could be an added boon for utilities as some of the measures Biden is asking NIST to develop are fairly strict, said Tom Alrich, a grid security consultant and a volunteer co-leader of an energy panel sponsored by the Commerce Department’s National Telecommunications and Information Administration.
"Energy industries can take these guidances and turn them into questionnaires saying, ‘OK, what are you doing about this?’" Alrich said.
Norma Krayem, vice president and chair of Van Scoyoc Associates’ cybersecurity, privacy and digital innovation practice group, said the energy sector would benefit from Biden’s new mandates to third-party vendors such as information technology service and cloud providers. They sell many of the same products to both the energy sector and government, she noted.
Krayem also said the order would "be an added layer" of cybersecurity mandates for utilities providing power to the federal government.
That could pose a problem for utilities that might be unsure what additional standards they will have to comply with on top of the cybersecurity standards of the North American Electric Reliability Corp. (NERC), said Patrick Miller, U.S. coordinator for the Industrial Cybersecurity Center.
Miller said NERC’s rules for utility supply chain cybersecurity are vague enough that an auditor could use the order to add unwritten requirements. "If you’re a utility trying to do supply chain, this just adds more confusion and uncertainty into your supply chain efforts going forward," Miller said.
Miller said that the order is overall a good step forward, but new rules combined with other programs in place could add more confusion.
"It’s all good stuff, but there’s a bunch of confusion still," Miller said.
Last month, Biden announced a 100-day grid security plan that will be spearheaded by the Department of Energy and the Department of Homeland Security’s cyber office (Energywire, April 21). But Miller said utility executives are wondering whether there will be a conflict between that effort and the latest Biden executive order.
Morgan Lewis’ Skees said that while the grid plan has widespread support, "the proof will be in the pudding with whatever they actually come up with."