Report highlights energy sector cyber security resources
image credit: First Energy
- Jul 20, 2020 9:06 pm GMT
- 487 views
The National Association of State Energy Officials has released a cybersecurity report titled, “Enhancing Energy Sector Cybersecurity: Pathways for State and Territory Energy Offices."
The NASEO report provides a high-level overview of energy sector cybersecurity roles and responsibilities and identifies specific actions that State Energy Offices can take to enhance internal cybersecurity and support energy sector cybersecurity. The report also aims to help State Energy Offices develop and implement cybersecurity programs and policies in partnership with federal and industry partners.
“Single vulnerabilities can jeopardize entire systems and put human and economic health and security at risk,” the report says. Through “growing complexities and nuances,” government and industry need to continue to build “mutually beneficial relationships, share information and jointly prepare and respond” to ensure high levels of cybersecurity.
The Wall Street Journal reported in late June that Southern Co. and American Electric Power planned to work together to vet vendors and analyze potential risks to the thousands of firms that make up their supply chains. The partnership, called the Asset to Vendor Network for Power Utilities, is intended to cut legwork and costs for internal security teams.
The move builds upon existing efforts in the energy sector to share threat information, diversify technology suppliers, and forge bonds between the public and private sectors to monitor potential attacks.
While diversifying supply chains can improve efficiency and spread risks across many different companies, it can also introduce new threats from nation-states that may have access to data from electricity companies’ suppliers, Southern Co. CEO Tom Fanning told the newspaper.
Suppliers with equipment spread around the globe give hackers a broad flank from which to attack the electric grid’s infrastructure, Fanning said. “That’s why America has to be very vigilant.”
The NASEO report says that information technology (IT) threats can include attempts to exploit private utility customer information or hamper state government network functionality. Operational technology (OT) threats can include cyber intrusions and overrides of machinery that physically damage energy infrastructure and disrupt the flow of energy.
It says that to prevent or mitigate the effects of cyber-attacks and exploitations, all energy stakeholders—from individual energy providers to state and federal government agencies—need to be aware of cyber threats, implement effective cyber policies and defense protocols, and develop cyber incident response plans.
The NASEO guidance includes has four sections: the first three provide background on ongoing cybersecurity efforts in both the public and private sectors and identify state-relevant communication channels and mechanisms for sharing information; the fourth identifies roles state and territory energy offices might play in enhancing cybersecurity and response actions.
The report says that cyber threats to energy infrastructure integrity and functionality are “persistent and evolving.” It says that energy sector cybersecurity requires all stakeholders to be aware of and involved in ongoing efforts to protect, prevent and mitigate risks.
The report includes an overview of multiple federal, state and industry sources of information related to cybersecurity. It also provides active links to many of these resources and suggests policy and protection enhancements to better protect the energy infrastructure.