Last Monday, the current US administration released a “Statement by President Biden on our Nation’s Cybersecurity,” followed by public statements where Biden warned about the prospect of a Russian cyberattack, saying “it’s coming.” Both the written and verbal comments reinforced the fact that “the federal government can’t defend against the threat alone” and Biden went on to tell US critical infrastructure owners that “under US law…the private sector…largely decides the protections that we will or will not take.”[1]
Per the Center for Security Policy (CSP), “nothing could be truer about the protections of the nation’s most critical infrastructure – the electric grid – and this a major problem, one that must be addressed by both the White House and Congress. The reality is that the Russians have infected the US electric grid with the same malware previously used to take down the Ukrainian grid and despite years’ worth of warnings and even official complaints levied with the grid’s federal regulators by some of the most experienced and credible cybersecurity experts in the world, there is still no requirement to detect, mitigate, or remove that malware. Nor are there any mandatory cybersecurity standards for real-time grid operations – an issue highlighted constantly over the years by the former National Security Agency (NSA) Chief Information Officer (CIO). In a 2019 letter warning federal regulators about the penetration of the grid by Russian hackers, the CIO assessed that the electric power industry’s claim that the bulk power system “hasn’t suffered any outage” due to cyberattack is “totally due to Russian restraint” not industry action.
The current Secretary of Energy admitted nearly a year ago that adversaries have capability of shutting down grid and just recently the US Deputy National Security Advisor for Cyber & Emerging Tech warned that “the Russian government is exploring options for potential cyberattacks on critical infrastructure in the United States.” And, unfortunately, the grid is vulnerable to much more than just cyberattacks.
A recent shocking episode of the CBS News Show ‘60 Minutes’ highlighted that the grid has been subjected to more than 700 acts of sabotage over the last decade and that an adversary targeting just 9 electric substations could take out the entire grid for months or years. The show also revealed that there remains no enforceable standard established by government to defend against simultaneous physical attacks on multiple substations. When questions arose about why these vulnerabilities persist, and why there aren’t effective regulations to secure the grid, the White House Homeland Security Advisor categorically admitted, “In my view as the government, we can’t impose the regulations you’re suggesting.”
Per CSP, “this is exactly the problem.” The US government has been concerned about the cybersecurity of the critical electric infrastructure since at least 2003, the security of the electric grid from physical threats since at least 1981, geomagnetic disturbance (GMD) threats since at least 1990, and electromagnetic pulse (EMP) threats since at least 1972 – and “neither the President, nor his Homeland Security Advisor, are willing to impose regulations upon the electric utility industry to protect its infrastructure from any of these real and present dangers.” Nor does the self-regulated electric power industry want to add security “requirements” themselves.
This calls for urgent action by the US Congress to adopt legislation mandating that all entities, public or private sector, that are part of the electric grid take reasonably prudent actions needed to address cybersecurity, physical security, EMP/GMD protection and hardening for severe weather events. A frequent excuse by government and industry pushing back against regulations to secure the grid is that there “shouldn’t be a one-size fits all” mandate. This type of legislation would not be “one size fits all” but rather would force the industry to look at all available solutions to secure their infrastructure. Additionally, the Chief Executive Officer (CEO) of each critical electric infrastructure entity should be required to certify periodically and publicly, as to well as state and federal authorities, that reasonably prudent grid security actions have been taken. Like the provisions of the Sarbanes–Oxley Act of 2002 on the financial sector, there must be civil and criminal penalties for false certification or failure to submit them.
Unfortunately, Congress’ track record for fixing the grid’s vulnerabilities is abysmal, thanks to undue influence of the electric utility industry. However, the recently passed $1.2 trillion Infrastructure Bill contains ample resources that can be rapidly allocated toward the purpose of hardening the grid; something that could turn industry detractors, who have some justifiable concerns about unfunded mandates, into grid security advocates.
CSP’s opinion is that, “ultimately, if the White House refuses to mandate grid protections by executive order and Congress allows this regulatory capture to persist and not rapidly allocate needed resources to protect the grid, our nation’s most critical infrastructure will remain extremely vulnerable to the “coming” Russian cyberattack and other threats. For these reasons, emergency managers should take steps to be better prepared for if the lights go out.”
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Our analysts agree with the CSP and tough cyber security regulations for better network and Internet protections. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://centerforsecuritypolicy.org/biden-admissions-on-coming-russian-cyberattack-should-prompt-lawmakers-to-act-and-emergency-managers-to-prepare/
Comments