There’s been so much sensational news in the last few days, it’s very easy to overlook other important news. That can be dangerous…and here’s a good example of something we should not overlook.
Last month, the Trump administration released a report detailing a massive Russian hacking campaign, but rather than election hacking, this target dealt with critical infrastructure – power plants, nuclear generators and water facilities. The joint report by the Federal Bureau of Investigation and Department of Homeland Security outlined how hackers gained access to computers. And while the report only pointed to surveillance, the possibility of future impacts is enormous.
Our power plants, nuclear generators and water infrastructure are all outdated and vulnerable. It would not be that difficult for unsophisticated hackers to shut down our electric grids or our water plants. It’s even plausible to think that hackers could reroute our airline flights.
The Department of Energy has begun the task of creating an office of cybersecurity and emergency response, which will take a federal approach to this problem. But, at the local levels of government, it will be up to officials to take whatever steps are needed to prevent hacking attacks.
Most network breaches occur through human error. It usually happens when an employee clicks on an email or an infected website. Then, any collaborating partners are immediately at risk as well. To gain access to something significant like a power plant, hackers usually first attack smaller, less secure networks – like firms that make parts for generators or sell software to power plants. Virus and malicious code usually enters a network via a third party breach.
While we are investing already in safeguards, that will escalate significantly in the near future. Here are some statistics that few citizens have time to ponder:
- It is estimated that U.S. utilities will spend over $7 billion on grid cybersecurity by 2020.
- Between 2010 and 2014, hackers infiltrated the U.S. Department of Energy’s networks 150 times.
- Last week, several U.S. gas pipelines were hit by a cyberattack targeted at a third party supplier.
- Sixty-eight percent of oil and gas companies experienced at least one compromise over the past 12 months.
- Policymakers are calling for the creation of a federal Department of Cyber.
- Reps. Bob Latta of Ohio and Jerry McNerney of California introduced the Cyber Sense Act to create a program that will identify, test and report on cybersecurity product effectiveness for the bulk-power system. The bill is currently being considered by the House Committee on Energy and Commerce.
- The House energy subcommittee is currently considering H.R. 5240, the Enhancing Grid Security through Public-Private Partnerships Act, which will encourage public-private partnerships and improve cybersecurity of electric utilities.
On May 11, 2017, President Trump issued an executive order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. In September 2017, the Department of Energy announced plans to pump $20 million into 20 energy cybersecurity projects. There has been little press about any of this.
The Federal Emergency Management Agency has non-disaster grants focused now on preparedness and preventing a future cyberattack. The grants are available to local and state governments. In 2017, the program was allocated $288 million for six fiscal years. That funding was in addition to $350 million which had already been allocated to the Energy Management Performance Grant program to provide assistance to local governments in enhancing and sustaining emergency management capabilities.
Hopefully, local officials are taking advantage of this type of funding. But, if not, more information about this funding can be found here.
Another program, the Critical Infrastructure Cyber Community Voluntary Program (CᵌVP) focuses on providing assistance to organizations needing to improve cybersecurity risks. The program offers a cybersecurity self-assessment for utilities and local governments to calculate their risk of a cyberattack. More information about that program can be found here.
Finally, the National Institute of Science and Technology developed a framework that covers everything necessary to organize and execute a successful cybersecurity framework. Updated in December 2017, this program provides recommendations for industries interested in protecting themselves from cyber threats. More details can be found here.
The federal government is large, complicated and bureaucratic. Occasionally, it is difficult for state and local officials to literally find the time to navigate the various funding sources efficiently. But, since the threats are significant and funding and assistance are available, it seems important for state and local officials to avail themselves of all the assistance possible.