This story was originally published on Utility Dive. To receive daily news and insights, subscribe to our free daily Utility Dive newsletter.
Dive Brief:
-
Amid rising threats to operational systems and a chaotic geopolitical environment, electric utilities want Congress to cleanly reauthorize the Cybersecurity Information Sharing Act of 2015, which allows for greater information sharing between the power sector and federal government.
-
It is vital that utilities are able to share threat information as the risks are rising, said Kristine Martz, a principal product advisor at cybersecurity firm Dragos. “Adversaries are becoming aware of the impact that they can achieve against easy to access industrial control systems,” or ICS, she said Friday at a conference hosted by Columbia University’s School of International and Public Affairs.
Dive Insight:
“We’ve seen a consistent rise in threat activity over the years,” Martz said, noting new threat adversaries are focused on operational technology and ICS environments where they can impact the delivery of services.
“They get in through these internet-facing devices and just live off the land for a long time to perform reconnaissance, pulling down things like your GIS data, your network maps,” Martz said. “Living off the land” refers to cyber intruders using legitimate network tools to cover their presence and gain information.
While utility regulations like the North American Electric Reliability Corp.’s Critical Infrastructure Protection standards have helped create a baseline of security and shored up obvious weaknesses, Dragos has identified new threat groups developing operational and ICS-specific malware which take advantage of the extensive knowledge of utility work environments that hackers can gain from their research, Martz said.
Given the threat, and in an environment of rapidly growing electricity demand, it is vital that electric utilities are able to share information with government partners without fear of penalty, experts say.
The Edison Electric Institute, which represents investor-owned utilities, the Interstate Natural Gas Association of America, American Public Power Association, American Gas Association, National Electrical Manufacturers Association and the Electric Power Supply Association signed a letter in September urging a “clean” CISA 2015 reauthorization. The letter was led by the U.S. Chamber of Commerce and included a wide range of organizations.
The law’s lapse means the U.S. will face a “more complex and dangerous security environment,” the groups said. CISA “provides safeguards for businesses regarding public disclosure, regulatory issues, and antitrust concerns to facilitate the timely exchange of information between the public and private sectors. Industry and government have a strong history of protecting privacy and civil liberties under this law,” the groups said.
Reauthorizing the law will “ensure that businesses have legal certainty and protection against frivolous lawsuits when voluntarily sharing and receiving threat indicators and taking steps to mitigate cyberattacks,” the groups said.
Congress failed to reauthorize the program despite broad support among Trump administration officials, lawmakers, industry leaders and cybersecurity experts. Senate Homeland Security Committee Chair Rand Paul, R-Ky., blocked efforts to save the program as he sought new restrictions on the law’s efforts to combat online mis- and disinformation.
Bipartisan legislation introduced by Sens. Gary Peters, D-Mich., and Mike Rounds, R-S.D., would renew CISA for 10 years and would be retroactive to cover the lapse since the government shutdown began.
“Threat intelligence sharing between the private and public sector is vital in protecting critical infrastructure from cyberattacks,” Dragos CEO Rob Lee said in a statement supporting the bill. “This critical cyber information sharing authority has given private entities the guardrails, and the confidence needed for responsible cooperation with the federal government. Those authorities must be renewed.”
Kate Mabbett, director of security strategy and financial planning for American Electric Power, said during the Columbia panel that the reauthorization of CISA is a top security policy priority right now for the utility sector.
“I need to know I’m not going to be punished for sharing something that can better protect the nation,” Mabbett said.”There needs to be trust both ways — that I can share sensitive information about how I’m operating, and that the government is going to help protect that.”
Recommended Reading