DOE eyes 'rip and replace' strategy for power systems

NOTE: This story first appeared on FCW.com.

Department of Energy officials say they plan to use a recent Executive Order on securing U.S. bulk power systems to tear out foreign-made parts and components if they believe they pose a national security or economic risk.

In May, the White House issued an executive order declaring foreign cybersecurity threats to bulk electric power systems to be a national emergency. One of the initiatives created through the order will be a federal task force charged with developing energy infrastructure procurement policies and procedures for federal agencies. It will also work with industrial groups to develop similar criteria for how to legally purchase bulk-power equipment from foreign providers.

The section has drawn comparisons to "rip and replace" efforts undertaken by the U.S. government and industry for Chinese-based Huawei telecommunications equipment as well as the removal of anti-virus software made by Russian-based Kaspersky Lab from government systems. During a web event hosted by the McCrary Institute at Auburn University, Energy officials made it clear they were eyeing a similar strategy for the energy sector.

"We will be looking at identifying equipment, isolating it, monitoring it as appropriate, and where we find undue risk to the bulk power system, we will replace equipment as necessary," said Charles Kosak, Deputy Assistant Secretary for the Office of Electricity at Energy.

Sean Plankey, Assistant Deputy Secretary for the Office of Cybersecurity, Energy Security and Emergency Response (CESER) at Energy, said his office will also look to better engage with the roughly 4,000 smaller electric carriers, last mile providers and distribution providers spread out across the United States, many of whom are stretched thin and plagued by lack of money or human resources.

"None of them are big business, a lot of them…are run by taxpayers in a municipality type of environment, and many of those [entities] in fact also own the water," said Plankey.

Those small organizations are often ill-prepared to defend their systems and networks against foreign military or intelligence services. In some cases, Plankey said their systems can be connected to other critical infrastructure and rely on the same personnel, equipment and manufacturers, creating a single point of failure.

The Energy Department is spending $6 million this year to boost support for rural and municipal utility cooperatives. They're also sharing research and development and supply chain information with the Environmental Protection Agency to develop better security models for cities and towns where their energy and water infrastructure overlap. Energy officials must also deal with the budget reality that many smaller towns and companies face, particularly in the wake of a pandemic and recession that has wrought havoc on state and local budgets. That means cybersecurity employees might be overstretched and wearing several different hats at the same time.

"Cybersecurity is not a profit generator in an electricity energy provider company. No, it's a cost, and a lot of times when you think about the municipalities -- and no disrespect intended -- they're just smaller entities," Plankey said. "A lot of times the IT guy is also the security guy is also the guy who might be mowing the front lawn. That's just the way it is. On the one hand, you have someone who has total love and ownership of what he's working on. on the other hand, you're forced to be a Jack of All Trades."

Other federal agencies, like the Cybersecurity and Infrastructure Security Agency, have worried about the rising convergence of Information Technology systems with the Operational Technology systems required to physically control engines, conveyers and other machines within critical infrastructure. In addition to providing support for IT officials and CISOs, Plankey said his office was also trying to engage more with non-tech executives in the C-Suite to ensure they understand that while connecting the two environments may save a few dollars on the front end, it also makes their entire enterprise more vulnerable if they're compromised by hackers.

"It's going to be a necessity to understand that interplay, to understand where your protocol handoffs are, to understand why you might want to connect your IT environment," he said. "Because you have your CFO and your business players on one side thinking 'I can do this faster and cheaper if I connect my IT systems so I can draw efficiencies from my industrial control system environment' but then you have your security aspect, which is slower and make things harder, so those things don't always agree."