Bulk power transmission grid in the US is highly vulnerable to cyber attacks
February 27, 2020 1:25 pm
8 min read
Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
Whether generated by coal, gas, hydro or wind, electricity has to travel over wires. Years after the danger was identified, the bulk power transmission grid in the United States is still highly vulnerable to cyber attacks. With the latest on the Energy Department’s efforts here, the principal deputy assistant secretary from the Office of Cybersecurity, Energy Security and Emergency Response, Sean Plankey spoke to Federal Drive with Tom Temin.
Tom Temin: Mr. Plankey, good to have you in.
Sean Plankey: Thank you. Thank you for having me here.
Tom Temin: Now you just joined recently the Energy Department coming from various other locations, including private sector and government. What are you here to do at Energy with respect to the grid?
Sean Plankey: So that’s a great question. As you know the CESER office, which we affectionately call CESER right, Cybersecurity, Energy Security Emergency Response. In this office, we’re leading efforts to be the engagement with industry, right? The federal infrastructure is largely owned by the private sector, and so we have to work with the private sector to make them aware of the threats that they may face from other nations. Aand and also facilitate and assist in emergency response when things do happen So that’s what we’re trying to build out in the Department of Energy
Tom Temin: Just make sure we understand where you delineate, because there is the bulk power transmission that comes under some federal agency regulation, I guess FERC (Federal Energy Regulatory Commission), and then there is the local and you’re concerned at the Energy Department level pretty much with the interstate bulk transmission lines.
Sean Plankey: We’re actually concerned with all of it. What I mean by that is the entire energy supply chain. So we work with the oil and gas sector, as well as all the renewables and the energy sourcing methods that we have in the United States. So it’s important to capture that the supply chain can be affected at any point. And we, as CESER, our office tries to engage the industry to better protect that.
Tom Temin: Now this issue of cybersecurity in the energy sector is not new. It goes back several administrations. Has the industry made any progress? What are the big dangers now relative to what they might have been 15 years ago?
Sean Plankey: Absolutely. The energy sector has done a significant amount to reduce risk, right, and that’s really what we’re talking about is risk. We’ve established working with the energy sector that they’ve established ISACs, which our information sharing advisory committees and councils, and these ISACs work to to share the threats and incidents that they may face with each other. Because if you’re one piece of that supply chain, the next piece is probably facing a similar threat. So we want to get that information sharing out and we want to inform them and they want to inform each other. So that’s one area that they’ve worked in. The products themselves have improved. You now have cyber security companies that specifically focus on the industrial control systems. We call it operational technology environment. That’s a little bit different than you think about IT. You’re IT is your computers, your emails, your mobile device, the business that you do every day, that most of us log into our computers on. We’re talking about the computer systems that power the valves..
Tom Temin: The SCADA (supervisory control and data acquisition) system, basically?
Sean Plankey: SCADA is widely used as a terminology, but they’re not all SCADA systems. That’s why we prefer to go with industrial control systems.
Tom Temin: Got it. But even within the energy sector, you have the SCADA, the control systems — and you also have the plain old problems of regular IT. People responding to phishing attacks in the wrong way that could also affect the supply chain.
Sean Plankey: Absolutely. One of the best practices we put out is talking about how do you best defend against that. I mean, the last thing you want is is ah, fishing incident that finds its way over to your industrial control system environment. So we work with industry to establish best practices for segmentation of networks. Ideally, you’re not connecting those two different networks together, and that’s just another example that we we used with industry.
Tom Temin: I guess the issue is at one time those networks were never connected. But in the age of IP on everything, pretty much the ubiquity of the internet, things are connected, whether they were even intended to be connected or not. Is that one of the challenges?
Sean Plankey: Absolutely, companies try to reduce friction in the environment. What I mean by that is, it’s a capital marketplace, right? They want to make money. And if an IT system helps do that, there’s a scenario where that maybe they take that action right. That’s a business decision that a company is going to make. But when you do that, you could be introducing risk into the environment. So we’re trying to stay ahead of that and make sure industry and the government is aware of any risk that might be in the environment.
Tom Temin: Over the years, has the reluctance on the part of industry players to share cyber information with one another diminished. Does that seem more palatable to them now than it did at one time?
Sean Plankey: Absolutely. I would agree with you. In years past, industry may have thought that there was a competitive advantage to not share information, proprietary data. But I think industry has learned, and the establishment of the ISACs are a great example, that there’s no competitive advantage to withholding a cyber threat that you may face. A threat to one is a threat to all in the energy sector. And I think when we talk about power, in particular electricity, the way the market works, there’s no first mover advantage in the electricity sector. It’s not like you can build a powerplant overnight. You can’t change distribution across the energy grid overnight. So the electricity sector in and of itself does an excellent job of sharing because they realize that it’s not a business risk to them.
Tom Temin: And how does your office, CESER, work with CISA over at Homeland Security?
Sean Plankey: Yes, absolutely. Undersecretary Chris Krebs is a great partner of CESER. Basically, the relationship is CISA is the federal infrastructure security responder, that is their their job. We try to focus on prevention, and under presidential policy directive 21, we’re the sector specific agency for the energy sector. So we we focus on that relationship, the unique characteristics that the energy sector has. Then we work with CISA, who is the overall federal response, right? So CISA has hunt an incident response team’s that our government workers that freely deploy around the United States to different companies. When a company may have a need for incident response to the cyber security activity and we work with them to inform them, make sure they understand the networks, the relationships that we have and try to prevent an incident from occurring.
Tom Temin: So what do you plan to be doing in the next 12 months going into fiscal 2021?
Sean Plankey: We’re gonna continue to to maintain and and grow our outreach to the private sector. We’re focused on the supply chain. What I mean by that is we’re looking at all facets of electricity and energy supply, and we’re saying, “Can we help secure the supply chain? Can we keep nation states out of the supply chain?” And we’re looking at growing American infrastructure here. If you think about some of the major components, the market supplier, maybe an overseas company, well that may not be in the best interest of the American people. So we’re looking to work with industry to see how we can best protect those those major components of the of the energy sector and grow the security for all of us.
Tom Temin: You personally have some background in this. You worked for BP in the cyber security area, big major energy producer worldwide and also the United States Coast Guard.
Sean Plankey: That’s right. So one of the reasons why I asked and was very enthusiastic about coming to the Office of Cybersecurity, Energy Security and Emergency Response because those three prongs are what I’ve done in my professional career. I was an active duty Coast Guard officer for almost 14 years, working heavily in the emergency response side of the house, on the physical security side of the house. Then working at BP as a cyber intelligence adviser. Basically, I was trying to characterize the threats that BP may face globally from nation states seeking to damage the energy sector. And then, in my last job, I was activated back to the military and then detailed to the White House to work on the National Security Council, where I was authoring and coordinating national policy on cybersecurity for for the United States. So I kind of hit on all three of those prongs in my career and wanted to then go to energy because I think it’s such a critical piece of the American way of life.
Tom Temin: And when you plug your charger into your iPhone at night and you’re pretty confident it’s gonna be powered through the night and will still be there in the morning.
Sean Plankey: That’s right. That’s what we seek to do. More so than just your iPhone. All
of your devices.
Tom Temin: Like the furnace in the winter?
Sean Plankey: That’s right.
Tom Temin: Sean Plankey is principal deputy assistant secretary of Energy for the Office of Cybersecurity, Energy Security and Emergency Response. Thanks so much for joining me.