The DOE’ s Quadrennial Energy Review Report was released on Friday with some very obvious nods to the combating and recovery from emerging cyber threat across multiple critical infrastructure verticals including- Oil & Gas, Hospitals, and residential power delivery. What I found the most telling was in Chapter IV “Ensuring Electric System Reliability, Security, and Resilience”, the Report opens with:
“…..the emerging threat environment- particularly with respect to cybersecurity and increases in the severity of extreme weather events- poses challenges for the reliability, security, and resilience of the electricity sector, as well as to its traditional governance and regulatory regimes.”
“U.S. policies, markets, and institutional arrangements must evolve to reflect new electricity system realities and trends– continuing to enable and enhance the reliability, security, and resilience of the electric grid.”
Section 4.2 “The Changing Nature of Reliability,” calls for an evolutionary change in how reliability is defined. The report details how the metrics-based approach leveraged by State and Federal Regulators to quantify and measure reliability are inherently skewed. According to the report, that’s because of inconsistencies in how reliability data is collected and measured from region to region and varying definitions of what qualify as “major events.” These two issues combine to prevent a truly accurate measurement of reliability.
My reasoning for citing the report’s call for a new perspective on how reliability is measured is that with security as a supporting and tangential component to reliability, those same metrics and standards used by regulators need to be more timely and proactive to stay current with emerging cyber threats. The current standards development process under NERC makes this extremely challenging, if not impossible.
Section 4.3.6 “Evolving Cyber Threats to the Grid,” states that “The current cybersecurity landscape is characterized by rapidly evolving threats and vulnerabilities juxtaposed against the slower-moving prioritization and deployment of defense measures.” I lump regulatory standards and requirements into the “slower-moving prioritization and deployment of defense measures” as one of the key components to preventing a truly proactive stance on cybersecurity. Additional focus on recovery and resiliency needs to be a foundational element of any cybersecurity program because the idea that an organization can combat against 100% of cyber intrusions is false. What becomes critical is the recovery of the system if/when a successful cyberattack occurs.
Section 220.127.116.11 “Grid Cybersecurity Workforce Gaps” reinforces the human capital issue across industry verticals and warns that the lack of skilled cybersecurity professionals is preventing organizations from sustaining healthy cybersecurity programs to maintain Electric System Reliability, Security, and Resilience.
I know some of you are probably saying “So What?” or “Thanks Captain Obvious.” The thing that I would like everyone to remember is that some of us have been seeing the writing on the wall here for years now and this DOE QER just validates the concerns we have been evangelizing. The positive thing I see from this report is that it recognizes a holistic approach of information sharing, tools and techniques, beyond just measuring the bar at compliance. I applaud those of you who have been successful in securing budgets allocated for internal security controls programs, FTEs, and tools as a result of this message. Please continue to spread the good news. For those of you who have not yet achieved these essential budget allocations, please leverage this report from DOE to your C-level executives as further evidence of the validity of your budgetary requests and to get them to provide the support you need to implement sustainable cybersecurity programs.