The United States electric grid faces a growing set of cyber and physical threats, and the co-chair of the CEO-led Electricity Subsector Coordinating Council (ESCC) wants the electric utility industry to begin considering how a mutual aid approach might be used to "black start" an entire region of the country in the event of a massive blackout.
Partnerships across industry and with the federal government will be necessary to maintain reliability and to forcefully deter hackers, ESCC lead and Southern Co. CEO Tom Fanning said Thursday at the Edison Electric Institute's annual industry event.
Fanning's comments on collaboration came on the same day that the House Energy and Commerce Committee advanced four bipartisan bills aimed at bolstering the nation's energy cybersecurity, including through enhanced public-private partnerships and by empowering the Department of Energy (DOE) to take the lead on security issues.
In order to protect the United States' electric grid, utilities will need to partner with each other and the federal government, said Fanning, including those who will "hold the bad guys accountable."
That means the U.S. Department of Defense, Federal Bureau of Investigation, Secret Service and Cyber Command, said the ESCC co-chair. The ESCC serves as the principal liaison between the federal government and the electric power industry in preparing for and responding to critical infrastructure threats.
Industry needs the government in order to "impose costs" on hackers, said Fanning. "If the bad guys come after us, there has to be an eye for an eye — or better. We want to make sure the bad guys understand there will be consequences for messing with us."
Colonial pipeline attack shows 'industry can't do it alone'
Fanning's comments follow the May shutdown of Colonial Pipeline, after hackers stole data and compromised the company's systems with ransomware.
Colonial Pipeline President and CEO Joseph Blount Jr. testified Tuesday before the U.S. Senate Committee on Homeland Security & Governmental Affairs, telling lawmakers that government partnerships are essential to energy security and "private industry can't do it alone."
While industry needs the federal government to defend against an increasingly sophisticated threat, recovery from any large attack will require private industry to work collectively, said Fanning.
Southern, which delivers electricity and gas across the Southeast, had just finished a black start test around the time hackers shut down Colonial Pipeline, said Fanning.
A "black start" is the process of restarting grid equipment or generators without the use of external power, as may be required following a blackout.
"I just started thinking it might be really useful across the industry, now that we have this idea of mutual assistance and mutual operation, to really think in a broader sense how we black start a whole region of the United States," Fanning said.
While recovery means private industry partnerships, keeping hackers at bay will require greater cooperation with government, say experts.
Fanning and Berkshire Hathaway Energy CEO Bill Fehrman, who also spoke at EEI's event, were both consulted in the planning of President Joe Biden's 100-day cybersecurity push for the electric sector that began in April.
The initiative is "really an effort to get an industry-wide focus on industrial control systems and operational technology," said Fehrman. He hopes that within those 100 days, industry can pull off "an incredible sprint" that would result in the installation of technologies capable of monitoring operational technology (OT) networks and sharing that information with government partners.
"Having a foundational system that can collect OT data, get it to the government, and ultimately get it into the hands of the intelligence community ... is really going to expedite our defensive posture," said Fehrman.
The investor-owned community is proposing to use Dragos' Neighborhood Keeper System, said Fehrman, and hopes to have enough entities signed up at the end of the 100 days to cover 80-85% of customers in the U.S. Neighborhood Keeper is a collective defense system led by Dragos in partnership with DOE.
Legislation advanced by the Energy and Commerce Committee would encourage more coordination between DOE and the electric sector.
4 bipartisan security bills
Lawmakers say the Colonial pipeline attack was a reminder of the urgent need to secure the nation's energy infrastructure.
"As bad actors become increasingly sophisticated ... it is imperative that we keep pace, and today that is exactly what we voted to do," Energy and Commerce Committee Chairman Frank Pallone Jr., D-N.J., said in a statement.
The following bills were passed on a voice vote:
- H.R. 2928, the "Cyber Sense Act of 2021," empowers DOE to assist with grid security and requires the Secretary of Energy to "establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system, and for other purposes";
- H.R. 2931, the "Enhancing Grid Security through Public-Private Partnerships Act," directs the Secretary to consult with states, industry and federal agencies to enhance the physical and cyber security of electric utilities;
- H.R. 3078, the "Pipeline and LNG Facility Cybersecurity Preparedness Act," strengthens DOE's ability to respond to pipeline and liquefied natural gas facility threats; and
- H.R. 3119, the "Energy Emergency Leadership Act," will elevate energy emergency and cybersecurity responsibilities as a core function for DOE.
H.R. 2931 would also provide training to electric utilities to "address and mitigate cybersecurity supply chain management risks."
The four pieces of legislation combined, said Pallone, represent a "first legislative step toward addressing growing cybersecurity threats and vulnerabilities in our energy infrastructure."