White House Pushes for More Grid Cybersecurity

Amid increasing attacks on critical domestic infrastructure, the White House recently unveiled a “National Cybersecurity Strategy” to beef up the United States’ defense against cyberattacks and other emerging threats. The strategy comes as the federal government works with private companies and state/local, tribal, and territorial governments to build a connected network of electric vehicle chargers, alternative fueling infrastructure, and electric transit fleets.

 

The Biden administration unveiled a national strategy to address the latest cyber threats targeting critical infrastructure, including vulnerabilities in the energy grid. Image used courtesy of the White House

 

While the new plan aims to close cybersecurity gaps across several areas of the American defense landscape, its fourth pillar explicitly focuses on securing the power grid throughout the ongoing transition to renewable energy resources.

The energy transition brings new threats and opportunities as a fresh generation of interconnected hardware and software systems comes online. With cybersecurity defenses built in from conception, these new systems could strengthen grid resilience. In its 35-page National Cybersecurity Strategy document, the Biden administration cited examples of distributed energy resources, smart energy generation, storage devices, advanced grid management platforms running on cloud software, and transmission and distribution networks built for high-capacity controllable loads—all far more advanced and automated than incumbent technologies.

 

Researchers at the National Renewable Energy Laboratory work to combat threats to the U.S. power grid. Image used courtesy of the NREL

 

Engineering New Tech With Built-in Cybersecurity Measures

As the federal government invests billions of dollars into the energy transition via grants and tax incentives, the Biden administration wants to implement a congressionally-directed “Cyber-Informed Engineering Strategy” (or CIE) to get ahead of the latest threats before and while utility-connected devices are deployed at mainstream scale.

The DOE first unveiled the CIE program in June 2022 as an emerging framework to integrate cybersecurity considerations into designing, developing, and operating any physical system that connects, monitors, or controls energy infrastructure digitally. As the DOE puts it, the goal is to “engineer out” cyber risks in new devices/systems across the development cycle, starting in the early design phases. Part of that effort involves working with universities to teach engineering students to factor security solutions into critical infrastructure technologies.

 

A summary of the five pillars of the Cyber-Informed Engineering Strategy. Image used courtesy of the DOE

 

It’s worth noting that the Biden Administration’s new National Cybersecurity Strategy is scarce on specific details. Still, the general framework mirrors much of the work already taking place in the federal government.

For example, the DOE’s Clean Energy Cybersecurity Accelerator recently closed applications for its second cohort of cybersecurity solutions, focusing on preventing threats in utility-connected industrial control system assets by identifying unauthorized or compromised assets requiring remediation. The program is hosted by the National Renewable Energy Laboratory (NREL) and includes participation from major infrastructure companies such as Duke Energy, Berkshire Hathaway Energy, and Xcel Energy.

 

Video used courtesy of the National Renewable Energy Laboratory

 

As mentioned, the federal government is already spending billions on cybersecurity research and development projects and grant funding. The Bipartisan Infrastructure Law allocates $27 billion out of $62 billion in cleantech-focused investments to the DOE to upgrade and modernize the electric grid to better respond to extreme weather events and cyberattacks.

 

Working With Stakeholders on Cybersecurity

Federal agencies are increasingly looking to partner with industry stakeholders in cybersecurity efforts. The DOE-funded NREL held a two-day event in Dallas, Texas, to train the nation’s top infrastructure companies on attack and defense positions. Mastercard hosted a simulation with the NREL’s visualization tools on its cyber range to emulate information technology networks. Participants used those platforms to understand system vulnerabilities and defense strategies.

Besides Mastercard, the training drew executives and cybersecurity professionals from a handful of prominent companies, including telecommunications giant AT&T, software developer Lumen, financial services firm Morgan Stanley, and utilities Southern Company and Southern California Edison.