The Department of Energy’s new office of Cybersecurity, Energy Security, and Emergency Response (CESER) has already begun work to provide support to the nation’s energy grid and critical infrastructure cybersecurity, and the head of the new office appeared in front of the House Energy and Commerce Committee Thursday to discuss the role of CESER within DoE.
The hearing provided evidence of CESER’s place among the pantheon of Federal agency leaders in critical infrastructure protection: it appears DoE wants CESER to wear the crown.
Rep. Fred Upton, R-Mich., chair of the Energy subcommittee, opened the hearing by summarizing the proposed activities of CESER as a first-response outlet against both natural disasters and state-sponsored cyberattacks–and the ability of both to harm the U.S. electric grid.
Rep. Greg Walden, R-Ore., chairman of the full committee, explained that CESER’s “ultimate mission is to mitigate the risk of energy disruptions.”
Karen Evans, who was confirmed by the Senate on Aug. 28 as DoE assistant secretary for the CESER office and sworn in on Sept. 4, told the committee Thursday that CESER has already set to work on that mission.
“Recently, CESER demonstrated the emergency response function through multiple weather events,” she said. “The hurricanes activated our emergency response plan, while we also addressed the over pressurization of a Columbia natural gas pipeline, with the oil and natural gas subsector coordinating council, that caused multiple explosions and fires at residential locations in Massachusetts.”
Upton’s line of questioning indicated a somewhat fraught governance structure for emergency response coordination, where DoE, the Department of Homeland Security, and even component DHS agencies like the Federal Emergency Management Agency (FEMA) play a role.
The congressman said that he has “listened to a number of energy sector firms” who essentially expressed that they prefer there be “one lead cop on the beat,” that is, one agency “identifying vulnerabilities and mitigating incidents.”
To that end, Evans said the natural disasters and the Massachusetts pipeline incident she flagged earlier have provided an early opportunity–creation of CESER was announced in February, and Evans is just four weeks into her role–to demonstrate that DoE, and CESER in particular, is taking the lead, with DHS offering response-specific guidance in step with DoE.
Much of that coordination, Evans noted, has and will come through sector coordinating councils, which include industry-centric and public-private councils that enable discussions of policy or practice in the various energy sectors.
This, Evans said, is “is where the interagency partners, states, and international partners come together to discuss important security and resilience issues,” and where CESER’s voice can impact those private sector utility providers.
Critical Infrastructure Cybersecurity
But Evans, who was previously the DoE CIO, as well as the de-facto Federal CIO under President Bush before the position held that name, told the committee that she appeared Thursday primarily to discuss the cyber-related activities of CESER, rather than its weather-related response functions.
She highlighted a new pilot program, known as the Cyber Testing for Resilience of the Industrial Control Systems (CyTRICS), where DoE will “test component parts that go into operational technology that’s used throughout the energy sector,” she said. The goal is to identify “anomalies” and “risks” in components, and CESER will be looking for voluntary participation from industry to have their parts tested.
Another pilot, the Cybersecurity for the Operational Technology Environment (CYOTE) program, will also seek to find anomalous behavior on the OT networks themselves. “We’ll be able to tell by the data if something’s actually happening, if somebody’s in the network or if it’s an equipment malfunction,” Evans said.
The program will incorporate big data and machine learning algorithms, but Evans noted that all the pieces aren’t in place yet to get the full range of insights out of the program.
So, as CESER builds capacity to respond to these threats, the hearing elicited the impression that Rome wasn’t built in a day.
Rep. Jerry McNerney, D-Calif., keyed in on the nation-state threat to the grid, asking Evans, “Do you feel confident that our utilities are adequately prepared and protected from Russian and North Korean cyberattacks, to prevent massive blackouts, or credible enough threats of massive blackouts innate to make our nation vulnerable to cyber blackmail?”
The former top IT official in the Federal government didn’t mince words. “Since you asked me do I feel confident, the answer would be no,” Evans said.