A proposed $15 million Energy Department fund announced Tuesday looks to improve the cybersecurity posture of the sector’s most vulnerable companies: smaller utility firms that typically supply energy to municipalities that operate with fewer resources than their bigger counterparts.
“We need game changing innovation in the [electrical grid cybersecurity] space,” Deputy Energy Secretary Elizabeth Sherwood-Randall said Tuesday at a Bloomberg cybersecurity conference in Washington, D.C.
Utility companies across the U.S. — both small and large — are facing a myriad of cyberthreats. But by working together with the U.S. government and industry partners, an improved defensive posture is possible, Sherwood-Randall said.
Industry competitors are already sharing threat intelligence data and other security information amongst themselves and with the federal government, explained Marcus Sachs, senior vice president and chief security officer for the nonprofit North American Electric Reliability Corporation.
The next step is to include more voices in this ongoing and important conversation concerning the physical and digital security of critical U.S. infrastructure, said Suzanne Spaulding, Department of Homeland Security under secretary for the National Protection and Programs Directorate.
The proposed DOE fund, which is subject to congressional appropriations and could be as much as $15 million, will be managed and employed by prominent industry advocacy groups the American Public Power Association and the National Rural Electric Cooperative Association.
Over the next three years, APPA and NRECA — which represent private, municipal utility companies and lobby Capitol Hill on their behalf — will work alongside DOE to develop security tools, educational resources, standard guidelines, training curriculums, assessment processes and information-sharing procedures for their members.
Each organization has a ceiling budget of $7.5 million in federal funding over three years, from July 1, 2016 to June 30, 2019, with an initial allocation of $2,318,969 for the current fiscal year, a DOE spokesperson told FedScoop.
Today, roughly 26 percent of the nation’s electricity customers are served by municipal public power providers and rural electric cooperatives like those represented by the APPA and NRECA, according to the DOE.
Multiple speakers at Tuesday’s event, including former NSA Director Michael Hayden, described the hacking attack on a Ukrainian power utility in December 2015 — which DHS says cut power to 200,000 people — as a watershed moment for both the energy industry and government.
The incident has proven to be useful as a case study for the U.S., according to Sachs, and intelligence agencies have since discovered and diagnosed the malware used in the breach.
NERC runs a phishing simulation against energy providers that emulates aspects of the Ukrainian attack so that companies can learn how to avoid similar mistakes, Sachs said.