Brian Harrell is the former assistant secretary for infrastructure protection at the U.S. Department of Homeland Security and current chief security officer for a large energy company. Mark Freedman is principal and CEO of Rebel Global Security and the former chief of staff for the U.S. Department of State’s Counterterrorism Bureau.
Resilience is the new buzzword in the energy sector. Amidst mounting threats of cyberattacks, terrorism and natural disasters, executives and security leaders recognize it is impossible to prevent every disruptive incident. Instead, energy companies must develop resiliency: the ability to adapt in a changing environment to survive and prosper.
But while many energy companies maintain business continuity plans, true resilience requires moving beyond this standard approach to become more innovative and adaptive in this heightened threat environment. As continued attacks put our national security at risk, achieving resilience for the energy sector is of dire importance.
How can the energy sector achieve resilience?
Resilience is still an emerging discipline. In 2017, the International Organization for Standardization identified several key attributes of a resilient organization: sharing information and knowledge; understanding and influencing business, political and social environments; and anticipating change. In essence, resilience begins with situational awareness. For energy companies, this requires a focus on three key types of information: threats, assets and national policy in Washington.
Solid insight into these three areas is a critical enabler to other activities an organization undertakes to improve resilience, such as business continuity, disaster recovery, emergency and crisis management, IT redundancy and more. Without this solid knowledge base, resilience planning will be ineffective.
Threats
Energy companies face growing threats from foreign adversaries like China and Russia, far-right terrorists, left-wing extremists and cybercriminals. These threat actors vary greatly in their motives — from sparking a race war to defeating the West — but have a shared understanding that attacking the energy system can advance their political objectives. As a result, energy is at the top of their target lists.
These bad actors employ a diverse set of attack methodologies, from small arms and explosives to cyber breaches and espionage. They are constantly identifying novel avenues of approach to put our energy system at risk. Take, for example, the risk that China could exploit its position as the largest manufacturer of solar panels to create back-doors in the U.S. energy system, expanding ongoing sabotage efforts across a growing renewables attack surface.
In this threat environment, intelligence is no longer optional. Energy companies need in-house intelligence capabilities to help them understand how these threats could impact the company’s assets and operations. This requires financial investment to hire the right personnel and onboard a mix of technology and consulting vendors that give perspective and insight. That said, energy companies should also take advantage of the many free and low-cost intelligence resources available. The Electricity Information Sharing and Analysis Center (E-ISAC), for example, has been so effective in generating intelligence sharing across the energy sector that it now serves as a model for ISACs in other industries.
Assets
In April 2024, the White House published a new National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22), which emphasizes the need to assess dependencies within and across critical infrastructure sectors. It also mandates that the government develop a list of Systemically Important Entities, companies with infrastructure whose disruption would have significant cascading impacts to national security.
This heightened focus on interdependencies and cascading effects serves as a needed reminder to energy companies to routinely update and maintain detailed maps of the assets they own, those upon which they rely, and those that depend on them. This begins with a thorough knowledge and risk-based prioritization of all the power plants, transmission lines, solar farms, storage facilities, etc. that the company owns or operates.
But mapping assets should also extend beyond the company itself. Energy companies rely on IT, telecommunications, water and other critical services provided by other sectors. What if one of those goes down? What will the impact be? Likewise, energy companies support other critical sectors — military bases, emergency services and more. What threats do those organizations face, and might their energy provider be targeted by someone looking to take them down?
Policy
We would argue that no private sector industry is of more concern to national security policymakers than the energy industry. Energy sector executives understand this and recognize the expectation from their customers to take any means necessary for the power to remain on. As a result, they are highly engaged with national security agencies like CISA, DOE, TSA and FBI — both to support resilience planning and so they know who to call when incidents occur.
The most resilient enterprises go even further, building internal teams dedicated to understanding national security policy at a deep level. This enables organizations to build more sophisticated resilience programs that focus on the future, not just the present. These national security teams work with policymakers (NSC, DHS, State, DOD), legislators (Congress), regulators (FERC, NERC), and industry associations (EEI, INGAA) in Washington to gain deeper insight into the government’s priorities and shape national security policy and new security requirements.
There is nothing untoward about this. Federal agencies have been encouraging active cooperation. Companies with strong leadership who value the private-public partnership have had success informing a more favorable regulatory environment and anticipating threats. These organizations provide a high standard of excellence the entire sector should strive towards.
Toward resilience
Adam Lee, vice president and chief security officer at Dominion Energy and a former FBI special agent executive, understands the value of situational awareness in building a resilient energy enterprise. Dominion Energy is the power company serving the Pentagon, Navy Yard, the Norfolk Naval Shipyard, the Loudoun Country data centers and other sensitive national security sites. “We’re the upstream target for all of that,” Lee notes, “and so we have to partner with those customers to understand their greatest risks and then we distill that information down to what it means for our resilience planning.”
Energy companies intent on building a more resilient enterprise should start, like Dominion, with enhancing their situational awareness capabilities. All the plans and playbooks make little difference if they fail to account for evolving threats, inter-dependent assets and dynamic government policy. Attaining this “information advantage” requires companies to make investments, especially in the areas of intelligence, asset monitoring, supply chain risk management and national security analysis.
But the responsibility for a resilient grid cannot rest on the private sector alone. Energy companies have made vast investments to provide a critical service to Americans. Government policymakers and legislators need to help because this existential fight is an American problem, not just an industry one. Government must expand efforts to provide timely and relevant information to the private sector and should address the financial burden borne by private sector companies to protect assets from national security threats. The battlefield is not level. The adversaries only need to be right one time, but the energy sector must maintain vigilance and resilience 100% of the time to keep the power on.
