A group of congressmen and senators known for their ability to work on both sides of the political aisle reintroduced legislation on January 17 aimed at increasing security against cyber exploits directed at crucial elements of our power grid. Critical sections of this bill include a pilot program for partnering with component manufacturers, public utilities, and other valuable entities to identify potential vulnerabilities through a working group, a timeline-based interim report (180 days post funding), and a final report (2 years post funding). The Secretary of Energy will submit both reports to Congress. Although this bill will be a step in the right direction, it has taken Congress far too long to act in properly securing our grid infrastructure.
Congressman Dutch Ruppersberger (D) stated, “the time to address the vulnerabilities we inherently create when we rely on complicated digital software systems for everyday basics like electricity and running water was yesterday,” and Senator Angus King (I) said, “so far, the federal government has not matched this serious threat with the necessary action.” Most cyber experts would agree that the federal government is taking too long to respond to today’s cyber threats against the nation’s power grid. In 2015 and 2016, attacks against Ukraine’s power grid resulted in power outages for several hundred thousand people. Attacks have been carried out in the U.S., Turkey, Switzerland, and other European countries by a group known as Dragonfly. The group is known to have a specific interest in energy infrastructure and has been known to be active since 2015, with an increase in activity in 2017. Its modus operandi seems to be malicious email. So this group has been successful through an often-overlooked vector of attack: the human element.
The bill, labeled the “Securing Energy and Infrastructure Act,” addresses technical vulnerabilities in Supervisory Control and Data Acquisition (SCADA) systems but seems to leave out social engineering. Specifically, the bill lists backups like analog and nondigital control systems, purpose-built control systems, and physical controls. The bill also allots $10,000,000 for the pilot program and $1,500,000 for the working group and report. For 2018, the Department of Energy had a budget of $28,042,000,000. So the total of $11,500,000 for securing energy infrastructure demonstrates that not enough people in our government are taking the cyber threat to our energy infrastructure seriously.