What are the biggest challenges facing the U.S. government and utility industry in preventing and intercepting cyberattacks on the country's energy infrastructure? On today's The Cutting Edge, EnergyWire reporter Blake Sobczak discusses the future of government action and the large costs facing energy companies as they work to prevent the possibility of a cyberattack.
Monica Trauzzi: Welcome to The Cutting Edge. How safe is the U.S.'s energy infrastructure to the threat of a cyberattack? EnergyWire's Blake Sobczak has been covering all angles of the story, and he joins me with the latest developments. Blake, EnergyWire recently reported a Department of Defense official saying that it's impossible to intercept every single cyberattack against the U.S. critical infrastructure. What are the biggest challenges facing the U.S. government on cybersecurity and the potential of a cyberattack?
Blake Sobczak: Well, I think this Department of Defense official really had a legitimate point, and it can be very difficult for the U.S. government to take on the responsibility of intercepting every cyberattack on what is often privately controlled critical infrastructure. Especially when you're looking at a lot of these electric utilities, the responsibility often falls on them to actually defend their own networks, and there's an ever-growing number of cyberattacks that are targeting these types of systems. I think for the U.S. government, one of the major challenges is actually tracking down and finding who's responsible for these cyberattacks and who's really interested in actually breaking into our critical infrastructure networks in our electric grid, in our critical substations and what they're planning on doing when they get there, and so the international nature of these attacks makes it very difficult to attribute them to a particular threat actor.
Monica Trauzzi: So what components of the U.S.'s infrastructure are at greatest risk?
Blake Sobczak: I think that's a matter of some debate right now. Pete and I, in our coverage of this, have focused a lot on electric utilities and the power grid, but the very nature of the power grid doesn't necessarily lend itself to effective -- according to the attacker -- cyberattacks. A lot of these industrial control systems that these electric utilities are using vary even within companies, and so even if an attacker got into a network, it might be difficult to cause a cascading blackout. So I think that's -- there's some debate about that. Other energy companies, oil and gas companies, are constantly under attack for their intellectual secrets, and I think that, in many ways, is a more pressing threat when you're talking about monetary losses.
Monica Trauzzi: You mentioned Pete -- you're talking about Pete Behr, who you've been doing a lot of this reporting with for EnergyWire?
Blake Sobczak: Yes, exactly.
Monica Trauzzi: Wonderful. There's a big question about whether insurance companies should and will cover cyberthreats. How is that story evolving, and is this just becoming the cost of doing business for energy companies?
Blake Sobczak: Well, I think for utilities, it's tricky, because since we haven't seen a really devastating cyberattack that took down portions of the power grid, it can be difficult for insurance companies to gauge what, exactly, the risk is, and obviously, this can be considered fairly sensitive data in terms of vulnerabilities and threats, so there's not a whole lot of clarity as to just what are the odds that something really bad and horrible could go wrong. But I think energy companies, to their credit, are really starting to come around, and many of them are taking out cyber insurance policies, but they can be hard to find. So the U.S. government has been trying to encourage, through the Department of Homeland Security, developing some of these insurance policies for possible catastrophic losses associated with a cyberattack.
Monica Trauzzi: So what's the government's plan? What is the plan in place if and when there is an attack?
Blake Sobczak: It's complicated. There are several government agencies with a hand in this. I mean, you have the Federal Bureau of Investigation, that can try to track down some of these cyber criminals and bring them to justice. You have the Department of Homeland Security, which is sort of the point -- the go-to agency for defending some of these critical infrastructure networks. Obviously, Cyber Command, NSA gets involved in this in some of their foreign activities, and it's very tricky to put together a concrete plan, but the Department of Homeland Security does have a industrial control system, cyber emergency response team, and if there is a major attack, these guys are the subject matter experts. They understand a lot of these very technical control system environments, and so they'd be able to scramble and really pick up on any threat and respond to a very large-scale attack.
Monica Trauzzi: All right, great. Thank you, Blake. We'll look for your ongoing coverage in EnergyWire. Thanks for coming on the show.
Blake Sobczak: Thanks for having me on.
Monica Trauzzi: More Cutting Edge coming next Friday. We'll see you then.
[End of Audio]