A panel of experts said the nation's electric utilities have resources at their disposal to fight cyber threats, but concerns remain over how much training their personnel receive and whether the Trump administration could issue an executive order to help bolster cybersecurity.
PJM Interconnection’s Jonathon Monken, senior director for system resiliency and strategic coordination, said within the last 18 months energy infrastructure has become the most frequently attacked sector in the United States. He spoke Tuesday at the National Association of Regulatory Utility Commissioners (NARUC) Winter Committee Meetings in Washington, DC.
"The root cause is not necessarily us out there saying 'we're the best at cybersecurity,'" Monken told attendees. "What's become really implicit right now is that we are so much more reliant on electricity now than we ever have been before." Therefore, an attack on energy infrastructure "makes the most sense."
'A broad spectrum of assets'
Monken said government, especially at the state level, can play an important role in cybersecurity for electric utilities.
"There's a broad spectrum of assets that are potentially available," he said. "Some of these things are capabilities that the industry can provide [internally]. There's a very rapidly growing cyber mutual assistance capability within the electricity sector."
For the federal and state governments, "there is a significant space to play in to make sure that clearly defined roles and responsibilities [are given to] who's best suited to do what," Monken said. "And if you don't have enough people to meet every particular need, then it speaks to the even greater importance of understanding what the capabilities are, [and] how do those line up with both the strategies of defense and deterrence that need to be part of a holistic cybersecurity strategy."
He said the phrase, "a chain is only as strong as its weakest link," absolutely pertains to cybersecurity.
"There's a significant role that the states play, and that NARUC potentially plays, of making sure that those weak links are as strong as they can possibly be, and recognizing that we need to raise the lowest common denominator from a cyber perspective," Monken said. NARUC members need “to make sure that everyone is playing their respective part."
Deterring future attacks
Former Republican Sen. Rick Santorum of Pennsylvania called cybersecurity "a front burner issue," and said it would continue to be one. His biggest concern is a shortage of cybersecurity personnel, which he estimated stood at 1.5 million jobs, but would climb to three million jobs in the next few years.
"I don't think we've really gotten our head around that, not just in the private sector but even in the public sector," Santorum said. "In the public sector, we have a lot of people doing cyber, but these are basically technologists. They went to school for computer science or a whole variety of other things. And they're the people who are our 'war fighters.'
"Well, they're not trained as war fighters, they're trained as technologists. And yet they're in the middle of a battle. And they don't have the war fighting capability. You don't have too many people who are trained as Army Rangers who are in cyber. And so they don't take the approach of how do we comprehensively deal with this problem."
Santorum said the government should think about ways to deter future cyber attacks, and said he has spoken with officials within the Trump administration about doing just that.
"We seem to be just thinking 'how do we defend ourselves?' instead of how do we really put a strategy together to attack the enemy to make sure they aren't attacking us," Santorum said. "There is a perspective that I'm hoping the Trump administration takes, which is we shouldn't be just about how do we protect ourselves, but how do we deter? And one of the ways you deter is to be a little bit more lean-forward."
While conceding that the federal government doesn't "want corporations out there attacking those who might attack them," Santorum said the United States should "start thinking about innovative ways in which we deter people from coming at us.
"There has to be a real change of thinking, and we have to have better and more trained individuals to deal with this problem. One of the suggestions that I've talked about with some folks on the Hill is maybe re-tasking the National Guard. We need these people out across America to be like a Minuteman type of operation to be able to respond to some of these threats that we have. I just don't think we have sufficient personnel within our government to be able to do that right now."
The Importance of Fusion Centers
Rick Mroz, president of the New Jersey Board of Public Utilities, said last year, in an effort to fight cyber threats, New Jersey required utilities to become members of a fusion center in the state. Many fusion centers -- information centers that operate 24 hours a day, seven days a week -- were established by the federal government, including the Department of Homeland Security (DHS) and the Department of Justice.
"They're taking information on all threats to all industries and pushing that out to all of the members," said Mroz, who also serves as chairman of NARUC's Committee on Critical Infrastructure. "It's part of a more comprehensive approach to meeting the challenges of cybersecurity in our state."
Monken said there were 74 fusion centers located across the country, and each state is required by law to have at least one. Some urban areas had additional centers.
"But they don't necessarily always talk to each other," he said. "That's one of the challenges that need to be overcome at the state level -- of trying to find ways to share that information. Each fusion center is organized a little bit differently: Some of them work for the state police, some of them work for the DHS and some of them work for the National Guard."
Monken said the worst thing someone with a cybersecurity issue could do would be to not tell anyone.
"The fusion centers were specifically built in order to share that type of information across intelligence silos, government and the private sector," he said. "Understanding how to access that resource and utilize that resource is hugely valuable, especially when you talk about the interdependent systems of infrastructure, that for a variety of different reasons -- such as legal hurdles or anti-trust regulations -- we don't necessarily share information in an open forum as often as we could or potentially should."
Fighting the 'Silent Mentality'
NARUC President Robert Powelson, who moderated the cybersecurity discussion, told the story of one company that was proud of its cyber efforts; an executive was invited to testify before a Congressional hearing to discuss them.
According to Powelson, before the hearing the company CEO told personnel not to "overhype what we're doing because we'll become a target ... We're doing well. We're investing and we're out there, [but] don't brag about it because there could be payback [from hackers]."
Powelson added that NARUC was concerned that there was a "silent mentality" over cybersecurity issues, despite several agencies "playing in cyber." Among them were the FBI, CIA, the Department of Defense and the Federal Energy Regulatory Commission.
"We hear that President Trump is going to issue, hopefully, an executive order around cyber," Powelson said. "How can we break that silence?"
Santorum told the story of how one company was performing a cybersecurity demonstration for a federal agency, and that during the demonstration a cyber attack occurred. But it wasn't stopped.
"The reason it wasn't stopped was nobody had the authority to do it," Santorum said. "The bottom line is, you have all of these agencies who have authority, but no one has responsibility. To take the authority [means to] take the blame. So if you actually proactively do something, then you’re responsible if something goes wrong. If you don't do anything, then it's shared [blame]."
Santorum said the Trump administration should issue a directive to outline such responsibilities.
"Bureaucrats don't get in trouble for not doing things, particularly if it's not clear that it's their responsibility," he said. "They get in trouble for taking on something and having it fail. So there is all of the incentive not to do [anything].
"That is a huge problem within government generally, but we're talking about pretty high stakes here. And because it cuts across almost everything we do in government, it is diffused, and as a result I think we're much more vulnerable."