The Biden administration has announced a 100-day plan aimed at enhancing the security of electric utilities’ industrial control systems and improving the sector’s ability to detect, mitigate, and investigate cybersecurity incidents.
This new initiative is the first of several planned for multiple critical infrastructure sectors, and it follows on from similar measures announced in other countries. The plan identifies the necessary industrial control system and operational technology that can serve as a platform to address critical infrastructures.
In a statement, the White House indicated that the plan – a coordinated effort between the Department of Energy, private utility operators and the Cybersecurity and Infrastructure Security Agency (CISA) – will include “aggressive but achievable milestones” and will help the industry when it comes to enhancing cyber detection, mitigation, and forensic capabilities, according to Security Info Watch.
Looking at the development for Digital Journal is Matt Sanders, Director of Security at LogRhythm.
According to Sanders, many businesses are either experiencing attacks or feel especially vulnerable to attacks: “In the wake of the SolarWinds and Microsoft Exchange attacks, as well as threats specific to critical infrastructure such as the breach of a Tampa, Florida area water facility earlier this year, it’s promising to see the Biden administration take this important step.”
Utility companies do not make as many headlines as consumer products, but they are probably more important. Sanders notes: “Utility operations are vital to the United States’ national security, and the Request for Information (RFI) seeking recommendations for securing the U.S. Energy supply chain will open up an important dialogue that will likely result in new ideas for protecting our nation’s electricity operations against future attacks.”
Time is of the essence; however, Sanders advises: “Unfortunately, these attacks and threats are only growing. The 100-day plan from the U.S. Department of Energy and the Cybersecurity and Infrastructure Security Agency (CISA) currently calls the industry effort to deploy technologies to secure industrial control system (ICS) and operational technology (OT) voluntary, which may hurt its effectiveness.”
There are inherent weaknesses that have persisted and are to blame, suggests Sanders. In his view: “Over the past 20 years, industrial control systems have largely neglected operational technology and operational risk by air gapping data to compensate for deficiencies in network security and physically isolating platforms from unsecured networks.”
To address this, Sanders proclaims: “Any organization leveraging technology to enable operations for critical infrastructure needs to ensure proper protection protocols are established, ranging from threat detection, preventative controls and response controls to quickly thwart and identify potential catastrophes. Lagging detection and alerts can result in a disaster if controls or data are obtained by domestic or foreign adversaries.”