Building Resilience into our Utilities, Regardless of Crisis
image credit: © Leowolfert | Dreamstime.com
- Apr 28, 2020 4:45 pm GMTApr 28, 2020 5:00 pm GMT
- 654 views
This item is part of the Cybersecurity - Special Issue - 04/2020, click here for more
Reliable power is a service we often take for granted, as we rarely stop to think about what enables our American way of life. Under “business as usual” circumstances, these services are expected to run smoothly. But, what happens during emergencies? How do we ensure utilities and other services continue to operate uninterrupted? How does the federal government work with public and private sector partners to enable the continuity of operations even in times of crisis?
The Cybersecurity and Infrastructure Security Agency (CISA), as the nation’s risk advisor, is at the forefront of building public-private sector partnerships and addressing these questions through a holistic approach. CISA works with businesses, communities, and government at every level to help make the nation’s critical infrastructure more resilient to cyber and physical threats. Since 2018, NERC’s Electricity Information Sharing and Analysis Center (E-ISAC) has been embedded with CISA operations, benefitting both organizations and producing a sharper focus on specific threats that target, or could target, the energy sector.
The COVID-19 pandemic has shown that, when strong relationships and information-sharing capabilities are already in place when a crisis begins, services to the American people can continue unabated. The key is to prepare, train and exercise under blue-sky conditions to ensure the response is timely and efficient during an emergency.
Understanding the hybrid threat we face is the first step in preparing for an effective response. There are very few cyber-only or physical-only incidents. When one company or network experiences a disruption, impacts can quickly ripple across the rest of the sector and other interdependent sectors as well. Our world is extremely interconnected and CISA is at the crossroads of that convergence, providing a risk management approach to understanding the national critical functions whose interruption may have a cascading effect across sectors. For example, as part of the response to COVID-19, CISA has released guidance to assist state and local governments determine which workers are essential when crafting stay-at-home orders. This allows utilities and other critical services to continue while keeping the community safe.
CISA works closely with the private sector to share information, provide cybersecurity tools, incident response services and assessment capabilities that safeguard networks essential to operations. The maturing, strategic partnership between the Electricity Sector Coordinating Council (ESCC), E-ISAC, and CISA has yielded a new operational level of public-private sector cooperation on combatting cyber threats and vulnerabilities. If left unmitigated, these threats and vulnerabilities could impact supervisory control and data acquisition systems as well as industrial control systems in the North American bulk power system. Additionally, CISA’s Cyber Information Sharing and Collaboration Program helps the E-ISAC strengthen its long-standing coordination with sectors that share interdependencies with electricity – including natural gas, water and finance.
CISA also conducts cyber and physical exercises to enhance the security and resilience of critical infrastructure. NERC’s Grid Security Exercise (GridEx) is an outstanding example of the public-private partnership and an opportunity for utilities to demonstrate how they would respond to and recover from simulated coordinated cyber and physical security threats and incidents, strengthen their crisis communications relationships, and provide input for lessons learned. GridEx showcases the way the critical infrastructure owners and operators, E-ISAC, the Federal interagency, and our state and local partners all work together to address an incident. The response is a shared responsibility and every organization has a role, unique authorities, resources, and expertise to bring to the table. By proactively testing our plans and processes, and following-up on the lessons learned, we strengthen the country’s critical infrastructure security and resilience.
These combined efforts can help inform risk mitigation activities and the development of new resources within the critical infrastructure community in the long run. They also embody CISA’s vision of defending against today’s threats and working to secure tomorrow.