DOE, lawmakers align on cyber strategies

By Peter Behr | 07/19/2019 07:18 AM EDT

Faced with expanding cybersecurity threats to the nation’s power grid and other critical sectors, the federal government is trying to develop a crown jewels strategy of pinpointing the most dangerous risks and prioritizing defenses of the most critical infrastructure installations.


Karen Evans, assistant secretary of the Department of Energy Office of Cybersecurity, Energy Security and Emergency Response, during a hearing Wednesday. (House Science, Space and Technology Committee)


The threat prioritization policy was highlighted in testimony Wednesday to the House Science, Space and Technology Subcommittee on Energy by Karen Evans, the Department of Energy’s assistant secretary for the Office of Cybersecurity, Energy Security and Emergency Response.

Evans noted the National Cyber Strategy issued last September, which focuses on cyberdefense in seven critical sectors including energy and power, with the mission of managing risks to essential infrastructure at greatest risk.


The strategy’s publication was followed in April by the Department of Homeland Security’s release of a set of national "critical functions" requiring preferential protection, including ensuring power supply, safeguarding elections and preserving medical records (Energywire, April 24).

Evans cited the project’s mission, "to develop a comprehensive understanding of national risk by identifying national critical functions" and use that framework to develop cybersecurity policy.

Her testimony also pointed indirectly to the challenge of prioritizing policy, as she noted a thick portfolio of cyber policy programs supported by DOE and DHS with intersecting missions.

"DOE is also working with the Tri-Sector Executive Working Group in conjunction with the Department of the Treasury and DHS, along with our industry partners, to address and manage risks across the energy, telecommunications and financial sectors," Evans said.

Another project by DOE’s cybersecurity office, called Consequence-driven Cyber-informed Engineering, based at the Idaho National Laboratory, aims to pinpoint the gravest high-impact risks to grid control systems and then to define strategies for eliminating those risks. The lessons from the project, shared with the power sectors, seek to "engineer out" cyber risk from the most essential energy networks and facilities, she said.

DOE’s Office of Electricity is closing in on producing the first phase of its North American Energy Resilience Model, which analyzes the dependence of critical infrastructure systems, led by electric power and its fuel sources, with an ultimate goal of giving DOE officials up-to-the-moment information during national grid emergencies to protect or restore the most essential energy facilities.

The hearing showed off a bipartisan alliance of committee members lined up to push forward legislation advancing grid security and innovation, led by backing for research on storage batteries to extend the capacity of wind and solar energy.

Science committee members have drafted two bills on these fronts, the "Grid Modernization Research and Development Act," which would fund a research and demonstration project on utility-scale battery storage and microgrids, and the "Grid Cybersecurity Research and Development Act," which would increase support for key DOE cyber research projects. Evans said the department is reviewing the legislation and looks forward to working with the committee on the measures.

Energy Subcommittee Chairman Conor Lamb (D-Pa.) opened Wednesday’s session with a warning tied to a hacking attack on an unidentified power company in the western U.S. in March (Energywire, May 2).

"As far as we know, no customers lost power," Lamb said. "It obviously is a warning of the incredibly serious damage that could happen if we don’t take action on this issue."

The challenge to Congress, he said, "is whether we can get the legislative machinery to work in such a way that we can really make a serious investment and protect folks from cyberattacks that we all know are going to come."

Juan Torres, associate laboratory director for energy systems integration at the National Renewable Energy Laboratory, told lawmakers the denial-of-service attack, caused by a flood of malicious incoming messages, left operators "basically blinded." They "may have lost control or visibility of some of the devices" controlling their systems, he said.

Spotlight on DOE research

Torres outlined other high-priority DOE laboratory research work, including projects seeking to harness artificial intelligence software to defend the grid and maintain power reliability as wind and solar power and distributed generation continue to expand.

DOE’s artificial intelligence research centers on what he called "foundational" technologies, including management of very high data flows, new concepts for controlling two-way power movements between customers and utilities, and automated grid operating systems that can produce decisions faster than human operators.

"The grid is evolving to the point where humans just won’t be able to respond quickly enough to all the information that’s going to be available to them," Torres said.

Along with cybersecurity priorities, subcommittee members also are backing increased DOE research on utility-storage battery technologies.

Another witness, Kelly Speakes-Backman, urged the committee to support DOE in developing a way to measure the economic value to the grid and its customers from resilience investments like battery storage and microgrids that speed power recovery after disasters.

"Without a well-defined and broadly accepted valuation method, resilience will remain challenging to fit into the cost-benefit analyses and program designs that ultimately determine whether an energy storage project makes financial sense for a grid operator, a state or local government, a utility, or a community," she said.

The challenge of getting new cyberdefense and grid security tools from laboratories into widespread use by utilities and grid operators wasn’t addressed in depth by committee members.

It did figure in testimony by Katherine Hamilton, executive director of the Advanced Energy Management Alliance, representing distributed energy providers and consumers. She proposed that lawmakers add research funding in the "Grid Modernization Act" to help factories retool to use clean fuels and to train workers how to use them.

"Given the speed of our energy transition, manufacturing and worker transition is lagging," she said. The research should be conducted by public-private partnerships, she added, "so that the results are realistic and economically beneficial."

This story also appears in E&E Daily.