Throughout this year, the Biden administration has released several directives to strengthen the United States’ cybersecurity posture. Among them are the National Security Memorandum, the Cybersecurity Executive Order and the 100-day electric plan. It’s clear cyber threats are being taken seriously at the highest levels of the government, especially when it comes to critical infrastructure, and the electric grid is a major part of that effort. No one needs another huge cyberattack such as SolarWinds, or an attack that endangers national security like Oldsmar, to understand that action needs to be taken. This is where the 100-day electric plan comes into play.
What is the 100-day plan?
The Biden administration announced the 100-day plan in April 2021. The effort was led by the Department of Energy, the Cybersecurity and Infrastructure Security Agency (CISA) and the electricity sector. The plan’s goal was to enhance detection, mitigation and response capabilities to better protect the nation’s electrical grid. Previous administrations knew about the threats the electrical grid faces, but few have actually taken any substantive action.
“The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses,” said Secretary of Energy Jennifer M. Granholm in a Department of Energy statement. “It’s up to both government and industry to prevent possible harms — that’s why we’re working together to take these decisive measures so Americans can rely on a resilient, secure and clean energy system.”
The press release also stated that the plan would update cybersecurity defenses by:
- Encouraging owners and operators to implement measures or technology that enhance their detection, mitigation and forensic capabilities
- Including concrete milestones over the next 100 days for owners and operators to identify and deploy technologies and systems that enable near real-time situational awareness and response capabilities in critical industrial control system (ICS) and operational technology (OT) networks
- Reinforcing and enhancing the cybersecurity posture of critical infrastructure information technology (IT) networks
- Including a voluntary industry effort to increase visibility of threats in ICS and OT systems
Giving everyone the ability to recognize threats and defend against them should be a top priority, so attacks on any electric company can be shut down before they truly begin. Then, companies can prove their reliability to citizens and show that U.S. cybersecurity can evolve to solve critical issues.
The Energy Department’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) put out a request for information so it could provide future recommendations for supply chain security. At the Fortinet OT Symposium, Robert M. Lee, CEO of Dragos, said 150 electric utilities are currently involved.
“That left the ‘how’ to the sector to go figure out how can we do this together,” Lee said. Once the experts know that a solution is needed, they can come together to see where the security is lacking and how this can be overcome. The safety and security of the electricity the U.S. uses every day is constantly under threat. As more threats arise, this plan will act as a pilot to see if it could be a solution for other sectors, as well.
When working as a group, industry professionals have a better chance to see all angles of the problem and develop a better fix. “It was just wonderful to see the whole of the community step up,” said Lee.
In the past, public-private partnerships have been dominated by the government, but in this case, the government is taking a different approach. According to a Forbes article by Mark Weatherford, former CISO and deputy undersecretary for cybersecurity at the Department of Homeland Security (DHS), “These are promising signs of acknowledgment that the overused ‘public-private partnership’ term to jointly solve these kind of massive problems will only work by departing from the historical ‘regulate and punish’ model of government oversight that I experienced far too often when I served as the chief security officer at the North American Reliability Corporation (NERC).”
The Biden administration is requesting information from utilities rather than just telling them to protect themselves. This gives hope to the private sector that this really will be a collaborative effort. This evolution hasn’t just been noticed by Weatherford, either.
“That, to me, is public-private partnership,” Lee said. “It’s not, ‘Let me come in and tell you what you’re going to do with prescriptive regulations.’ It’s, ‘I’ve got a problem. If you all can solve it, we’re good. Y’all go figure out how.’”
Because the government stated the problem and then gave it to experts to solve, the experts have been allowed to take control of the situation and work with electric utility companies to create a solution.
“[There’s] lots of work to be done, but it’s really, really useful to understand why do I care, what am I supposed to accomplish, but leave the how we’re going to accomplish it to the industry and the experts in those fields,” said Lee.
With this kind of partnership, there is a much better chance of creating a robust cybersecurity infrastructure and paving the way for other sectors, as well.
“The safety and security of the American people depend on the resilience of our nation’s critical infrastructure,” said CISA Director (Acting) Brandon Wales. “This partnership with the Department of Energy to protect the U.S. electric system will prove a valuable pilot as we continue our work to secure industrial control systems across all sectors.”