Energy working with renewables industry, cloud providers on cyber requirements

CESER's work with cloud service providers comes amid growing threats to critical infrastructure, as well as questions about cloud security responsibilities.

The Energy Department’s cybersecurity office will work with cloud service providers and the renewable energy industry this year to help delineate cyber protection requirements for the sector.

The work is being led out of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER). It comes amid growing concerns about hackers infiltrating U.S. critical infrastructure, including the electric grid.

Puesh Kumar, the director of CESER, said “traditional large fossil generation” is often prohibited by regulations from using the cloud. But he said renewable energy providers are often starting out by relying on cloud computing.

“But really, we haven’t really sat down to define what are the security requirements? Who owns what part of the security picture? Is that the owner and operator? Or is it the cloud service provider?” Kumar said during a cybersecurity panel discussion hosted by Semafor in Washington on Tuesday.

“One of the big efforts that we’re going to be undertaking this year is really bringing together companies like [Google], to actually come together and establish those requirements for both sides, so that we can set up the energy sector of the future with that security built in,” Kumar added.

The CESER office is tasked with addressing emerging threats to energy infrastructure, including cyber risks, climate change and physical security. CESER is leading several initiatives to secure new energy technologies from cyber threats. Those programs are funded as part of the $27 billion Congress provided the Energy Department to modernize the electric grid in the 2021 Infrastructure Investment and Jobs Act.

Kumar said the energy sector is going through “tremendous change” right now.

“We’re trying to combat the climate risk,” he said. “We’re trying to deploy more clean energy. We’re trying to deploy more renewables and electric vehicles and all that’s really great. And that can be a source of resilience in our energy sector in the United States. It can bring online more generation that hasn’t been online into our grid. But we also have to do that with security in mind. And so, as we’re fundamentally changing this grid, we have to ensure that security is baked into it.”

In addition to cyber threats targeting the electric grid, policymakers are also focusing more on the so-called “shared responsibility model” that lays out the cybersecurity responsibilities of cloud providers and their customers. The security responsibilities of cloud providers have come under particular scrutiny in the wake of China’s hack into Microsoft’s cloud email infrastructure last year.

Jeanette Manfra, global director for security and compliance at Google, argued large cloud providers can make security “cheaper and easier” for their customers. Manfra is a former Cybersecurity and Infrastructure Security Agency official.

“There’s a huge opportunity to leverage that scale, and to drive cloud providers to increase that level of security and safety and reliability,” Manfra said during the Semafor event. “I do believe it is the responsibility of cloud providers, particularly the largest ones, who are increasingly serving more and more critical infrastructure sectors, to have that high bar of security and safety. But there’s also risk because you start to consolidate on just a few companies. And so you have to think about what does that mean, that concentration risk? You have to think from a policy perspective of how you both leverage that opportunity, while also managing that potential concentration risk.”

Copyright © 2024 Federal News Network. All rights reserved.
