State Engagement with the Energy Sector to Improve Cyber Security




Contact: Allison Cullin
Homeland Security and Technology Division
202/624-5311
April 20, 2010

Executive Summary

The state-owned computer networks used to deliver state and federal programs, benefits, and services are besieged by a variety of cyber criminals intent on stealing or manipulating the sensitive private information those systems contain. State information technology and homeland security offices are engaged full-time in fighting off those attacks by tracking new threats, protecting Internet portals, and securing databases.

But state officials also have one eye on the security of the networks that run private infrastructure operations: the telecommunications systems, electrical grids, gas and oil pipelines, and transportation networks on which modern society relies. That infrastructure is so interconnected and interdependent that a successful attack on any one component of the infrastructure could have a cascading effect on several others. A reliable supply of energy, for example, is essential to the operation of transportation systems, water and wastewater treatment facilities, hospitals, and 911 dispatch centers. A successful cyber attack on the electrical grid not only could knock out power, but could also debilitate those other essential services. In such an event, state and local governments would be expected to respond in the same way, and with the same efficiency, that they would for any other disaster.

But states cannot easily ensure the security of cyber systems owned and operated by the energy sector, or by any other sector of the economy. The majority of the infrastructure is privately owned, and legislative or other mandates often are strongly resisted. In addition, the cyber threat is so pervasive, and is evolving so rapidly, that the private sector often has the best information about the nature of the threat but does not share that information with government. Finally, a number of private sector-led initiatives and federal programs are already under way to improve cyber security in the energy sector, leaving the states to determine on their own what their appropriate role should be.

This Issue Brief examines those challenges and reviews the approaches that several states have used to work with the energy sector to improve cyber security. Those efforts take into account the programs, policies, standards, and practices already in place that contribute to a reliable energy supply. In general, states are playing an active role in improving the cyber security of the energy sector by:

- Facilitating coordination and cooperation among and within state agencies, the energy sector, and other interdependent sectors with which the energy sector directly interacts;
- Collaborating with private energy firms to improve their - and the state's - cyber security and overall information sharing; and
- Participating in federal and private sector cyber security initiatives to build partnerships and monitor new initiatives.

Introduction

In April 2009, the Wall Street Journal reported that computer systems used to control parts of the nation's electricity grid had been infiltrated by foreign intelligence operatives. These professional hackers, whom U.S. intelligence officials reportedly traced to China, Russia, and other countries, left behind hidden software programs that experts said could be used to disrupt electricity supplies. The intrusions, according to the Journal report, were pervasive across the U.S. and [did not] target a particular company or region.

The report underscored the vulnerability of the nation's cyber infrastructure to vandals, bandits, spies, and terrorists, but it came as no surprise to security experts or industry analysts. A series of studies and reports dating back several years have documented that threat. In one of the more notable studies, in June 2007 a video emerged showing government researchers hacking into and manipulating a small electrical generator until it broke down in a cloud of smoke, illustrating the damage that a cyber intrusion could cause to physical components of the energy infrastructure.

Congress also is paying attention. In May 2008, the House Subcommittee on Emerging Threats, Cyber Security and Science and Technology held a hearing titled "Implications of Cyber Vulnerabilities on the Resilience and Security of the Electric Grid," which criticized federal efforts to address known vulnerabilities in the cyber networks underpinning the grid.
A year later, the House Subcommittee on Telecommunications and the Internet held a hearing titled "Cyber Security: Network Threats and Policy Challenges," which examined threats to critical infrastructure, including power grids. The House Committee on Science and Technology held a number of hearings in 2009 on federal efforts to improve the security of cyber systems. In the Senate, at least eight committees and subcommittees have held hearings or considered legislation aimed at improving cyber security in the energy sector.

A Rogues' Gallery

States also have a significant stake in the nation's cyber security. They own and operate computer networks that are used to deliver state and federal benefits and other programs and services to their constituents. Many of these systems are accessible from the Internet. The security of those networks, and the sensitive private information that resides on them, is under near-constant attack from a rogues' gallery of phishers, hackers, network probers, and increasingly, organized crime syndicates and foreign intelligence agencies. State chief information officers and chief information security officers are responsible in large part for ensuring the security of state-owned systems and for protecting the private information they contain.

But state-run systems are just part of the picture. States are also concerned about the security of computer networks they do not own but on which they nonetheless rely. Telecommunications platforms, electrical grids, gas and oil pipelines, and transportation systems all operate on networks that, if compromised, could have a substantial and wide impact. A successful attack on a key component of the electrical grid, for example, could have devastating and cascading effects on transportation systems, public safety, public works, and any other critical infrastructure that relies on an uninterrupted supply of electricity. In such an event, state and local governments would be expected to respond in the same way, and with the same efficiency, that they would to a hurricane, an ice storm, or any other natural disaster.

As is the case with other threats to the nation's critical infrastructure, however, states find themselves in a difficult position when it comes to cyber security. State governments and their citizens rely on that infrastructure for many vital functions, yet they have limited ability to influence the security of those systems directly.
Several factors stand in the way of states playing a central role in protecting the cyber security of the energy sector:

- The vast majority of the infrastructure is owned by the private sector, and efforts to legislate or otherwise mandate cyber security programs often meet stiff resistance;
- The cyber threat is pervasive and rapidly evolving, and information on the threat often is not shared effectively among the private and public sectors; and
- A number of federal government and private sector-led initiatives to improve cyber security in the energy sector already are under way, but many of those do not directly involve state agencies, leaving states behind the curve in addressing cyber threats.

Private Property

With the exception of some municipal utilities, cooperatives, and federally chartered utilities such as the Tennessee Valley Authority and the Bonneville Power Administration, the vast majority of the energy infrastructure in the United States is privately owned. Regulatory authority over the sector's security practices, particularly at the state level, is limited. In the gas and electric sectors, state public utility commissions are charged with ensuring the reliability of supplies, and this responsibility extends to the reliability of cyber systems. Beyond that, however, federal and state regulatory authority over the energy sector is limited. With the exception of nuclear power facilities, governments do not have direct regulatory authority over the sector's security, whether physical or cyber.

Industry officials say they are well aware of cyber security threats and are aggressively defending their systems without state or federal involvement. One electrical industry executive said that his company has strict internal cyber security standards that apply across its systems, from generation to transmission to distribution. He said states should assume that utilities are working proactively to address the cyber threat and are not waiting around for regulations or requirements.

Congress has nonetheless considered legislative and regulatory actions to bolster the security of the energy sector's cyber systems. Industry officials and outside experts have warned, however, that top-down mandates are unlikely to succeed and, particularly at the state level, could do more harm than good. The interconnection of electricity production, transmission, and distribution systems requires collaboration and coordination among various companies and utilities, often across state lines. Electricity used in one state, for example, often is generated in another state and carried on transmission lines that cross several state lines. Having different cyber security regulations from one state to the next, industry officials argue, could degrade the efficiency of the entire system.

Privacy watchdogs also are hesitant to give government agencies a broader role in cyber security. Gregory Nojeim, Senior Counsel and Director of the Center for Democracy and Technology's Project on Freedom, Security and Technology, warned a congressional committee in May 2009 against direct government involvement in securing private sector cyber systems. Government's role in private sector cyber security, he said, should be limited to helping the private sector develop effective monitoring systems, and sharing information with private sector network operators to help them identify attacks at an early stage. [i]

Access to Information

Adding to the difficulty of effectively crafting state policy to address energy sector cyber security is the absence of information from private companies on the types of threats they face. Some state officials report that they receive little information from private entities regarding cyber attacks and rely on outside organizations for reports of new threats.
Private sector officials often focus on the need for government to provide threat information and intelligence to industry, but they have historically been reluctant to share information on the attacks they experience on an on-going basis. Simply put, because they do not run the grid or manage pipeline operations, states often are not in the game when it comes to understanding and combating cyber threats to the private energy sector.

Industry players, meanwhile, often share threat information with each other through forums such as sector-specific information sharing and analysis centers (ISACs), but state governments have only limited access to those industry-run forums. Instead, they rely on information provided through their own cyber security forum, the Multi-State Information Sharing and Analysis Center (MS-ISAC). Although the MS-ISAC cooperates and coordinates with private-sector ISACs, the MS-ISAC director says that more work needs to be done to break down the barriers between the public and private sectors. The ISAC Council, a coordinating body for all sector ISACs, recently expanded to allow government participation, but that does not mean state and local governments have access to all cyber threat information in all sectors. "Access to Energy ISAC information would be helpful," one state official said. "It would provide us with good situational awareness." [ii]

The lack of information flowing to the states from the private sector makes any effort to develop effective public policy more difficult and, potentially, less effective. As one industry official warned, the cyber threat now evolves so rapidly that any top-down mandate from government would force industry to make investments in preventive measures that would become obsolete as soon as the threats evolved to counter them, which, in the cyber world, would be almost immediately.

Behind the Curve

A number of efforts, some with regulatory enforcement mechanisms, have been launched over the past several years to address cyber security vulnerabilities in the energy sector. None, however, have involved state governments.

The North American Electric Reliability Corporation (NERC), for example, regulates the reliability of the bulk power system in the United States and parts of Canada. It has developed a series of cyber security standards that require utilities to identify critical cyber assets, put in place security controls to protect those assets, provide security awareness training to personnel, and take other steps to ensure the cyber security of their systems. But NERC has outlined no clear role for the states to participate in or oversee those efforts.

The Department of Energy (DOE) also is working with the energy sector on cyber security issues and was one of the first federal agencies to develop a long-term plan to improve cyber security throughout the sector. The department's Roadmap to Secure Control Systems, published in 2006, identifies critical challenges and priorities for improving the security and reliability of the computerized control systems that operate the energy sector. The energy sector is using the DOE Roadmap to guide technology investments by both the federal government and the private sector to enhance security and operating practices. The states have no clearly defined role under that plan.

Industry associations also have initiated cyber security programs for their members.
For example, the Electric Power Research Institute published a guidance document in 2006 to help its members comply with the NERC Cyber Security Standards; the American Gas Association developed a standard for the protection of supervisory control and data acquisition (SCADA) communications systems; and the American Petroleum Institute has its own standard for pipeline SCADA security. Again, none of those initiatives includes a clear role for states.

Networked Solutions

The actions that the federal government has taken to date, and the industry's own cyber security initiatives, do not necessarily relegate state governments to observer-only status. States concerned about the cyber security of the energy sector have several strategies available to improve the sector's cyber security and help ensure a reliable energy supply, although any state-level effort should take into account the programs, policies, standards, and practices already in place to address those issues.

NASEO, the national association representing state energy officials, encourages its members to proactively engage with the energy sector on cyber security issues. Energy assurance guidelines developed by the association include a recommendation that states assure that cyber security, critical cyber systems, and their recovery are incorporated within their Continuity of Operations Plans and encourage businesses they work with as partners in critical infrastructure protection to also address this area of need. [iii]

Governors should encourage their state homeland security directors, chief information officers, and state energy officials to engage proactively with the energy sector by:

- Facilitating coordination and cooperation among and within state agencies, the energy sector and other interdependent sectors with which the energy sector directly interacts;
- Collaborating with private energy firms to improve their - and the state's - cyber security and improve overall information sharing; and
- Participating in federal and private-sector cyber security initiatives to build partnerships and monitor new initiatives.

Facilitate

The Cyberspace Policy Review conducted by the White House in early 2009 noted that information is the key to preventing, detecting, and responding to cyber incidents and warned that [a] full understanding and effective response may only be possible by bringing information from those various sources together for the benefit of all. The report recommended that the federal government take the lead in working with state, local, and tribal governments and with the private sector to develop information-sharing networks, forums, and practices that address concerns with privacy and proprietary information and make information sharing mutually beneficial in the national interest. [iv]

But states do not need to wait for the federal government to develop such information-sharing forums. States have a significant role to play in facilitating cooperation among the operators of critical infrastructure within their borders and in improving information-sharing between private companies and government agencies. The simple act of convening key players in periodic roundtable meetings is just one example of the proactive steps that state governments can take to establish and strengthen public-private coordination for cyber security.
The state of New York convened such a meeting in 2002, when the Office of Cyber Security and Critical Infrastructure Coordination created a Public/Private Sector Cyber Security Workgroup that included state agency officials and executives from the telecommunications, financial, energy, public safety, health, agriculture, and education sectors. The Workgroup was established as a forum in which participants could share information on the types of threats facing their computer systems and networks.

Will Pelgrin, the director of the New York office, said private sector officials were initially hesitant to participate in a government-led effort or to share information about their own vulnerabilities. But, Pelgrin said, with patience and hard work, the relationship began paying dividends. New York officials, he added, used the state's experience in preparing for Y2K as a guide for how to approach the new challenge of fending off deliberate cyber attacks against state-owned and private networks. "We gave more than we got, and we didn't add any reporting requirements," Pelgrin said. "We earned, rather than expected, the private sector's respect for the relationship."

Louisiana officials took a slightly different approach in reaching out to the companies operating in the state's energy sector. Rather than convene roundtables or establish a working group for cyber security issues, the state's chief information officer (CIO) focused on facilitating a relationship between the energy sector and the state's intelligence fusion center. The fusion center was gathering tremendous amounts of data about cyber threats, but lacked the expertise to analyze the information and share it with the private sector in a useful format. The CIO addressed the problem by assigning two cyber security experts to the fusion center, where they focused on identifying cyber threats to the state's critical energy infrastructure and passing on warnings and other information to the private companies operating in that and other sectors.

Over time, the fusion center's outreach to the private sector improved the flow of information in both directions. "Companies will now reach out to us to talk about new threats because they know we've got good intel," one Louisiana official reported. "That's a result of the trust that has been built up based on the information we've been providing over the years."

Collaborate

State officials say that that type of partnership with the private sector is proving more effective than imposing top-down regulatory requirements, and several states are exploring additional opportunities for working more closely with industry to identify cyber threats and craft coordinated responses.

New York's Office of Cyber Security and Critical Infrastructure Coordination is widely viewed as having set the pace for public-private collaboration through the Public/Private Sector Cyber Security Workgroup. Although the effort began as a way to improve information-sharing, it has evolved into a collaborative approach for identifying vulnerabilities and developing effective defenses and countermeasures. In 2008, in recognition of the interdependence of infrastructure and economic activity between New York and New Jersey, representatives from the public and private sectors in the Garden State were invited to participate in the workgroup.
The workgroup focuses on the current state of cyber readiness in and across the participating sectors and works to identify and assess vulnerabilities and determine appropriate response and mitigation strategies throughout the region.

The Tennessee Department of Safety works closely with the Tennessee Valley Authority (TVA), the federally chartered electricity company, on all aspects of infrastructure security. The department views its role as both detecting threats and preventing attacks on critical infrastructure, and it actively provides TVA with information and intelligence on the full spectrum of threats facing the energy sector, including threats to cyber networks. It also assists TVA in assessing risks and vulnerabilities in its cyber systems and developing risk-mitigation strategies. The benefit, state officials said, is that TVA, in turn, provides feedback on the types of threats its analysts and experts have identified.

Participate

Activities such as those can be successful only if the state develops its own expertise on cyber threats and cyber security. NASEO, in its Energy Assurance Guidelines, recommends that states develop that expertise not only so that they are aware of the threats facing their own systems, but also so that as they prepare assurance plans or related response documents they can ask the proper questions to assure that these requirements are being met. [v] One strategy for tracking private sector cyber security activities, and for gauging their effectiveness, is to closely monitor and, whenever possible, participate in federal and private-sector programs and exercises.

For example, the Department of Homeland Security's series of annual cyber security exercises, dubbed Cyber Storm, involves not only federal agencies and the private sector, but also state and local governments. The exercises are designed to examine communications, incident response policies and protocols, and operational procedures in response to a variety of cyber incidents and to identify future planning needs. [vi] The exercises also provide an opportunity for participating agencies to identify policies and procedures that must be developed to facilitate information sharing with outside organizations, including the private sector.

Cyber Storm II, conducted in March 2008, included nine states as direct participants: California, Colorado, Delaware, Illinois, Michigan, North Carolina, Pennsylvania, Texas and Virginia. Another five states (Arkansas, Minnesota, Nebraska, South Carolina and West Virginia) observed the exercise from the MS-ISAC operations center in New York. The next Cyber Storm exercise, which will focus on coordinated attacks against critical infrastructure control systems, is scheduled for September 2010.

In addition to its work with the TVA, the Tennessee Department of Safety engages with the private sector through the FBI-led InfraGard program, which was established after the September 11, 2001 terrorist attacks as an information-sharing and analysis partnership between the Bureau and private companies. InfraGard, which is organized around the FBI's network of field offices, now includes academic institutions and state and local agencies. Tennessee officials said that they participate actively in InfraGard cyber security programs, including annual meetings and seminars where they work closely with private sector representatives to discuss emerging threats and response capabilities. The relationships built through the InfraGard program, state officials said, have resulted in improved communications to and from the private sector on threats and available protections. "The feedback for us is that we're now getting information on what they're seeing in terms of threats and attacks," Tennessee officials said.

Louisiana officials said that they have engaged private sector energy companies on cyber security issues through a number of federal initiatives, including a SCADA security exercise in March 2009 that also involved DHS, the departments of Energy and Defense, and private companies from the energy and telecommunications sectors. The state also participates in InfraGard activities, notably an annual cyber security exercise known as Tiger Trap, which Louisiana officials help design. Tiger Trap is a "capture the flag"-type exercise, with one team of cyber attackers pitted against another team of cyber defenders. The exercise allows participants to share information and experiences on effective cyber security tools, techniques, and resources.

Conclusion

Threats to the nation's computer networks are growing and the potential damage from a successful attack on critical nodes of the energy sector could be far-reaching and economically devastating. States have a limited ability to force the private sector to ensure its cyber security either through laws or new regulations. But they have ample opportunities to actively engage with the private sector and with the federal government to address cyber threats cooperatively, to ensure that state programs complement rather than compete with activities already under way, and to improve information sharing.

By facilitating information sharing networks, collaborating with the private sector to identify and defend against cyber threats, and participating in exercises and other programs with the federal government and private industry, states can directly affect the energy sector's cyber security and improve the reliability of energy supplies.

Acknowledgments: This issue brief was drafted by Chris Logan, director of the Homeland Security and Technology Division, NGA Center for Best Practices.

Notes

[i] Gregory Nojeim, Testimony Before the House Committee on Energy and Commerce, Subcommittee on Communications, Technology and the Internet on Cybersecurity, Civil Liberties and Innovation, May 1, 2009.
[ii] Louisiana
[iii] National Association of State Energy Officials, State Energy Assurance Guidelines, Version 3.0, June 2009.
[iv] The White House, Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure, May 2009.
[v] National Association of State Energy Officials, State Energy Assurance Guidelines.
[vi] U.S. Department of Homeland Security National Cyber Security Division, Cyber Storm Exercise Report, September 2006.