Energy Secretary Rick Perry warned Monday that the electric grid is easier to attack than ever as he issued a comprehensive cybersecurity strategy.
“The frequency, scale and sophistication of cyber threats have increased, and attacks have become easier to launch,” the department’s plan says. “Nation-states, criminals, and terrorists regularly probe energy systems to actively exploit cyber vulnerabilities in order to compromise, disrupt, or destroy energy systems.”
The cybersecurity plan was released as federal and industry experts say Iran could target U.S. infrastructure in response to Trump’s scuttling of the nuclear deal.
The Pentagon’s cyberwarfare unit has been closely monitoring Internet traffic in Iran since Trump announced his decision to leave the Obama-era agreement last week, the New York Times reported Friday.
The sophistication of the electric grid creates a situation of “growing interdependence among the nation’s energy systems,” which “increases the risk” of energy disruptions cascading from one state to the next, according to the Energy Department plan.
“Reliable energy and power is the cornerstone of our advanced digital economy and is essential for critical operations in transportation, water, communications, finance, food and agriculture, emergency services, and more,” the plan points out. “As nation-states and criminals increasingly target energy networks, the federal government must help reduce cyber risks that could trigger a large-scale or prolonged energy disruption.”
The plan outlines steps the agency plans to take in line with the creation of an already announced cybersecurity office that will centralize federal activities to protect the grid from attack.
The efforts to protect the grid will be implemented in “close partnership” with the energy industry, other federal agencies, and non-federal partners, the plan said. It calls for “game changing” strategies, while saying a strategy of “anticipating and reacting” to cyber threats is a futile exercise that “is not efficient, effective, nor sustainable in light of escalating cyber threat capabilities.”
Resources are too limited, and the cyber threats are outpacing even the best defenses, the agency says.
“To gain the upper hand, we need to pursue disruptive changes in cyber risk management practices,” it says.
But some experts say the plan is lacking in details on how to implement the strategies, while the problems it highlights are spot on.
Coordinating with other agencies and seeking game-changing systems are wise, said Scott Sklar, president of the Stella Group, who consults on renewable energy and the risks posed by cyberattacks. Sklar has advised clients, which include the military, that the best system of defense is to disconnect critical energy facilities from Internet access as much as possible.
But he says the plan lacks an explanation on how the Energy Department would prioritize key vulnerabilities in forming a strategy against attacks.
“Are there strategies to basically detach our critical functions from the Internet altogether, so as to be islanded off and thus not possible to have any cyber control or threat?” Sklar asked in an email responding to the report. “If so, what are they and what is the approach to implement?”
