WASHINGTON (CN) – A malicious cyberattack in March disrupted the California, Utah and Wyoming electrical utility systems for several hours. No customers lost power and it only affected internal system operations, but it was enough to raise concerns about a more damaging and widespread attack on the electric grid.
In June, reports from multiple internet security monitoring companies, including CrowdStrike and FireEye, noted an increased number of attempts by Iranian hackers to infiltrate U.S. infrastructure systems. These attacks involved “phishing,” or deceptively sending emails to individuals in an attempt to gain their login information.
The government’s Worldwide Threat Assessment released in January lists several potentially threatening countries including North Korea and Russia, which was blamed for cyberattacks targeting the Ukrainian energy grid in 2015 and 2016.
Many fear foreign actors could turn their attacks to the American electric grid.
“Russia has the ability to execute cyberattacks in the United States that generate localized, temporary disruptive effects on critical infrastructure,” the report states. “Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.”
Concerns about such attacks and government agencies’ responses to them were the focus of a Friday morning hearing in the House Committee on Energy and Commerce.
The Department of Energy’s role in mitigating cyberattacks is a relatively new one: the department established the Office of Cyber Security, Energy Security and Emergency Response, or CSESER, just last year.
The office’s responsibilities include overseeing a program that coordinates a nationwide initiative to safeguard energy infrastructure. The Energy and Commerce Committee has earmarked $157 million for CSESER in its fiscal year 2020 budget request.
The Federal Energy Regulatory Commission, meanwhile, facilitates voluntary information sharing about threats to the grid between federal, state, local and tribal authorities.
The North American Electric Reliability Corporation acts as a so-called electric reliability organization. It is responsible for proposing reliability standards for protecting critical infrastructure, including information protection, cyber security supply chain management and the physical security of cyber systems.
Karen Evans, assistant secretary of CSESER, testified Friday that her office was working on a program called Cyber Analytics Tools and Techniques, which aims to detect potential cyberattacks using information such as classified threat data from governmental and energy sector partners.
“Detecting adversary tactics, techniques and procedures within anomalous traffic on critical energy infrastructure can be the first step in stopping an attack in its early stages,” Evans testified.
Jim Robb, president and CEO of the North American Electric Reliability Corporation, said one way his organization helps utilities and other agencies prepare for cyberattacks is by hosting a bi-annual grid security exercise, dubbed GridEx.
The exercise simulates a coordinated physical and cyberattack on the electric grid. In 2017, 6,500 people and 450 organizations participated in the drill. The next one is scheduled for November.
Robb said his organization also hosts a grid security conference, which brings together leaders in physical and cybersecurity to discuss emerging security trends and policy advancements.
Representative Lisa Blunt-Rochester, D-Del., brought up issues with the Energy Department’s ability to fulfill its staffing requirements, which Evans said the department has done by looking outside of traditional areas.
“Some people that are best in this field do not come as STEM,” Evans said, using the abbreviation for the areas of science, technology, engineering and mathematics.
Andy Dodge, director of the Federal Energy Regulatory Commission’s Office of Electric Reliability, said his office has a plethora of intern programs for interested applicants and is actively trying to improve its on-campus presence at various universities. It also offers tuition reimbursement for those employed for a certain period of time, he said.