This paper recommends seven actions for governors to consider in order to protect electricity infrastructure and personally identifiable information.
Cyber-attacks have grown rapidly in the last few years and the energy sector has become a prime target for those attacks. In 2016, 20 percent of incidents reported to the U.S. Department of Homeland Security (DHS) targeted the energy sector. Electricity is informally considered the most critical of the 16 critical infrastructure sectors designated by DHS; water, wastewater, communications, transportation and other parts of the energy sector all depend on reliable and secure electric power. Because of these interdependencies, a successful cyber-attack on the electric system could have serious secondary effects: disrupting power or fuel supplies, damaging specialized equipment, and jeopardizing public welfare.
States are developing strategies for enhancing electric grid cybersecurity as they move toward a more modern, connected infrastructure. This white paper recommends seven actions for governors to consider in order to protect electricity infrastructure and personally identifiable information (PII):
- Define Roles and Responsibilities and Coordinate Efforts
- Incorporate Cybersecurity Roles and Responsibilities into Energy Assurance Planning
- Protect Sensitive Information
- Collaborate with Utility Regulators
- Participate in Cyber Response Exercises
- Leverage the National Guard and Civilian Workforce
- Conduct Risk Assessments
The paper also details roles and responsibilities for key state and industry stakeholders and catalogues important resources.
March 2024
Addendum
The threat of malicious attacks on the electrical grid is ever present, and the vulnerability of energy infrastructure to cyberattacks grows as the grid becomes increasingly interconnected and modernized. In 2019, NGA released a resource titled “Smart and Safe: State Strategies for Enhancing Cybersecurity in the Electric Sector” outlining best practices for Governors to enhance electric grid cybersecurity. While the recommendations in the paper remain relevant, new resources have been released and actions have been taken that can further inform or support Governors’ efforts to protect the grid from malicious attacks.
Since NGA published the 2019 paper, the threat of cyberattacks on energy systems has only grown. In May 2021, a ransomware attack on the Colonial Pipeline infected the data and information technology (IT) systems of the pipeline, leading operators to preemptively shut down the pipeline for multiple days out of an abundance of caution, protecting operational systems but also leading to consumer panic buying that resulted in fuel supply concerns. In addition, the use of cyberattacks against critical infrastructure during the Russian war in Ukraine has raised concerns for the National Security Agency (NSA), and the vulnerability of U.S. critical infrastructure sectors to People’s Republic of China state-sponsored cyber actors was highlighted in a February 2024 joint assessment by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the NSA.
New Federal Resources
On the federal level, many key actions have been taken in recent years to advance cybersecurity standards for energy systems. In 2021, the Infrastructure Investment and Jobs Act (IIJA) was passed into law with $1.9 billion in funding for cybersecurity across many programs such as those focused on energy, water, transportation, and state, local, tribal, and territorial governments. In addition, the IIJA includes a provision requiring states and territories to submit Energy Security Plans as a condition of eligibility to receive funding from the U.S. Department of Energy (DOE) State Energy Program. According to additional guidance states and territories have received from DOE, “delivery of applicable FY25 federal financial assistance to a state or territory may be delayed or withheld under Part D of Title III of EPCA, if a fully compliant SESP is not received and verified by DOE.” State Energy Security Plans must incorporate cybersecurity, including assessments and mitigation strategies for cyberthreats. The Office of Cybersecurity, Energy Security, and Emergency Response (CESER) at the U.S. DOE has many resources for states and territories, including this State Energy Security Plan Guide, as they work to complete energy security plans.
In March 2023, President Biden released the National Cybersecurity Strategy (NCS) to establish a framework to protect critical infrastructure from cyberattacks, disrupt threat actors, shape market forces to promote security, make investments in cybersecurity research and development, and create international cybersecurity partnerships. The document establishes strategic objectives to advance cybersecurity across all missions, stakeholders and sectors. The NCS calls for a defensible and resilient digital ecosystem to protect our national security, public safety and economic prosperity.
This is a significant undertaking that will require industry, communities, and state, local, tribal, and territorial governments to share responsibility to create a more secure cyberspace. In July 2023, the White House released the National Cybersecurity Strategy Implementation Plan (NCSIP) to coordinate efforts with all relevant stakeholders across dozens of Federal initiatives.
The U.S. DOE, the North American Electricity Reliability Corporation (NERC), the Federal Energy Regulatory Commission (FERC) and the U.S. Transportation Security Administration (TSA) have all taken actions to encourage or require cybersecurity standards and practices in the energy sector. In addition to the many energy cybersecurity programs from the IIJA that DOE is implementing, the DOE Office of Cybersecurity, Energy Security, and Emergency Response (CESER) released its National Cyber-Informed Engineering Strategy in 2023 to encourage cyber-resilient design, operation and maintenance of energy infrastructure. NERC governs mandatory cybersecurity standards for the bulk power system in the United States. Known as the NERC Critical Infrastructure Protection (CIP) Reliability Standards, these standards define the minimum level of cybersecurity practice that grid operators must maintain. In 2022, NERC released a Distributed Energy Resource Strategy to encourage cybersecurity practices for distributed generation like rooftop solar, though distribution-level infrastructure is not subject to NERC CIP Standards. FERC is considering mandatory cybersecurity standards, and in 2022 proposed new incentives of an additional 2% return on equity for utilities that voluntarily invest in cybersecurity. Following the Colonial Pipeline cyberattack, the Transportation Security Administration (TSA), which regulates owners and operators of pipelines, issued mandatory cybersecurity standards.
Recent State Actions
State and territory leaders have also been very active in encouraging or requiring the adoption of cybersecurity standards for critical energy infrastructure. In 2022, the Virginia Department of Emergency Management, Virginia Department of Information Technology, Dominion Energy, Virginia State Police and Virginia National Guard participated in an energy cybersecurity exercise referred to as “Cyber Fortress.” This public-private collaboration allowed the commonwealth and its largest electric utility to test the commonwealth’s emergency operations plan and associated cyber response annex to better prepare for a cyberattack. The exercise demonstrated the importance of simultaneously managing the downstream impacts of power outages and cyber recovery efforts.
In August 2023, New York Governor Kathy Hochul announced a Statewide Cybersecurity Strategy to safeguard critical infrastructure, personal information, and digital assets in New York from malicious actors. This strategy highlights AB 3904, a 2022 bill that was signed into law by Governor Hochul “requiring electric distribution utilities to prepare for cyberattacks in their annual emergency response plans” through new enhanced New York Public Service Commission Auditing Powers.
In response to heightened security concerns stemming from Russia’s ongoing war in Ukraine, President Biden penned a letter to Governors on March 18, 2022, encouraging the adoption of state cybersecurity standards to protect critical energy infrastructure. On behalf of the Council of Governors, Minnesota Governor Tim Walz and Ohio Governor Mike DeWine reinforced the importance of cybersecure energy infrastructure and a whole-of-government approach to cybersecurity in a May 4, 2022, response to the President. The letter recommended a consistent, federally coordinated approach to cyber standards for the energy sector. Recognizing the importance of a standardized approach to cybersecurity standards, DOE CESER is currently working with the National Association of Regulatory Utility Commissioners (NARUC) to “establish a set of cybersecurity baselines that states can consider and adopt for distribution systems and distributed energy resources.” More information on this and related initiatives is provided in a March 2023 blog post by DOE CESER Director Puesh Kumar.
NGA Resources
NGA recently published an updated 2023 Energy Cybersecurity Resources for Governors’ Advisors that provides an overview of federal and state cybersecurity standards for the energy sector as well as a collection of energy cybersecurity resources from NGA, the federal government and other state focused organizations.
This addendum was prepared by Fiona Forrester, Policy Analyst, NGA Center for Best Practices. For additional energy cybersecurity resources, please visit the online resource guide NGA has compiled, or reach out to the energy, cybersecurity, or homeland security leads at the NGA Center for Best Practices: Dan Lauf (dlauf@nga.org), Steve Fugelsang (sfugelsang@nga.org), and Jessica Davenport (jdavenport@nga.org).
This material is based upon work supported by the Department of Energy, Office of Cybersecurity, Energy Security, & Emergency Response under Award Number DE-CR0000011.
This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.