Last month, the Trump administration released a report detailing a massive Russian hacking campaign. But rather than election hacking, the report focused on critical infrastructure security — including power plants, nuclear generators and water facilities. The joint report by the Federal Bureau of Investigation and Department of Homeland Security outlined how hackers gained access to computers. And while the report only pointed to surveillance, the possibility of future attacks is enormous.
Our power plants, nuclear generators and water infrastructure are all outdated and vulnerable. It would not be that difficult for unsophisticated hackers to shut this infrastructure down. It’s even plausible to think that hackers could reroute our airline flights.
The Department of Energy has begun the task of creating an office of cybersecurity and emergency response, which will take a federal approach to this problem. But, at the local levels of government, it will be up to officials to take whatever steps are needed to bolster the state of our critical infrastructure security.
[Internet of Things World addresses the security concerns for IoT implementation in every vertical, attracting senior security professionals from the world’s biggest organizations. Get your tickets and free expo passes now.]
Many network breaches occur through human error. It usually happens when an employee clicks on a suspicious email or an infected website. Then, any collaborating partners are immediately at risk as well. To gain access to something significant like a power plant, hackers usually first attack smaller, less secure networks — like the firms that make parts for generators or sell software to power plants. Malicious code usually enters a network via a third-party breach.
While we are investing already in safeguards, that will escalate significantly in the near future. Here are some statistics related to critical infrastructure security that few citizens have time to ponder:
- U.S. utilities will spend an estimated $7 billion on grid cybersecurity by 2020.
- Between 2010 and 2014, hackers infiltrated the U.S. Department of Energy’s networks 150 times.
- Last week, several U.S. gas pipelines were hit by a cyberattack targeted at a third-party supplier.
- 68 percent of oil and gas companies experienced at least one compromise over the past 12 months.
- Policymakers are calling for the creation of a federal Department of Cyber.
- Reps. Bob Latta of Ohio and Jerry McNerney of California introduced the Cyber Sense Act to create a program that will identify, test and report on cybersecurity product effectiveness for the bulk-power system. The bill is currently being considered by the House Committee on Energy and Commerce.
- The House energy subcommittee is currently considering H.R. 5240, the Enhancing Grid Security through Public-Private Partnerships Act, which will encourage public-private partnerships and improve cybersecurity of electric utilities.
On May 11, 2017, President Trump issued an executive order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. In September 2017, the Department of Energy announced plans to pump $20 million into 20 energy cybersecurity projects. There has been little press about any of this.
The Federal Emergency Management Agency has non-disaster grants focused now on preparedness and preventing a future cyberattack. The grants are available to local and state governments. In 2017, the program was allocated $288 million for six fiscal years. That funding was in addition to $350 million which had already been allocated to the Energy Management Performance Grant program to provide assistance to local governments in enhancing and sustaining emergency management capabilities.
Hopefully, local officials are taking advantage of this type of funding. FEMA offers an overview of preparedness grants on its website.
Another program, the Critical Infrastructure Cyber Community Voluntary Program (CᵌVP) focuses on providing assistance to organizations needing to improve cybersecurity risks. The program offers a cybersecurity self-assessment for utilities and local governments to calculate their risk of a cyberattack. US-CERT offers a summary of its Critical Infrastructure Cyber Community Voluntary Program.
Finally, the National Institute of Science and Technology developed a framework that covers everything necessary to organize and execute a successful cybersecurity framework. Updated in December 2017, this program provides recommendations for industries interested in protecting themselves from cyber threats.
The federal government is large, complicated and bureaucratic. Occasionally, it is difficult for state and local officials to literally find the time to navigate the various funding sources efficiently. But, since the threats are significant and funding and assistance are available, it seems important for state and local officials to avail themselves of all the assistance possible.