Over the past few years, it’s become clear that the U.S. government is under-prepared in matters of cybersecurity, a fact underscored by the pandemic and recent breaches like the SolarWinds incident. From energy, industrial and supply chain to military and government industries, high-risk cyberattacks have become more common across our nation, creating a greater urgency for change.
Attackers feed on weak, ineffective security programs. Unfortunately, the majority of private sector and federal government programs fall under this category. Our current cybersecurity landscape continues to face pandemic-related challenges and more sophisticated phishing and ransomware attacks, malware infections and DDoS attacks. With the growth in IoT and digital infrastructures, these attacks will only continue to increase exponentially.
Following the SolarWinds breach, government leaders agreed that it’s time to step up and protect U.S. critical infrastructure and data. With cybersecurity becoming one of our government’s main focuses (and rightfully so), there are many new programs in the works to help secure critical infrastructure. Below we’ve detailed three new cybersecurity research programs for U.S. energy and a draft Executive Order on security disclosure.
According to Reuters, a draft Executive Order from President Biden will require software companies to disclose any security issues to government users when companies report a cybersecurity breach. It will also place rules on programs deemed critical, such as requiring a ‘software bill of materials’ for all packages in use across the government, detailing the source of all code, including open-source and OEM’d partner pieces. Additionally, it would create a cybersecurity incident-response board to bring federal representatives and cybersecurity researchers together to host forums for vendors. It has not yet been announced when the executive order will be released; however, experts believe it could launch any day.
The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) announced three research programs to safeguard the nation’s energy systems from growing cyber concerns:
- CESER is joining forces with Schweitzer Engineering Laboratories in the Cyber Testing for Resilient Industrial Control System (CyTRICS) program to use analytics to test digital tools used by energy sector partners for security issues. Through testing, the groups will be able to identify and address potential vulnerabilities within industrial control systems before they can be exploited.
- The DOE is collaborating with utilities and labs to test, model and assess systemic vulnerabilities to electromagnetic and geomagnetic interference. Under its Lab Call for EMP/GMD Assessments, Testing and Mitigation, nine pilot projects are underway with the goal of informing the development of methods for protecting and mitigating impacts on energy infrastructure.
- The DOE is tapping into the ability of American universities to develop cybersecurity tech and the next pipeline of cybersecurity experts for the energy sector through the CESER Cybersecurity for Energy Delivery Systems (CEDS) division. The group is expected to announce a funding opportunity this month to support university-industry partnerships.
Ultimately, these new cybersecurity programs will help better secure critical infrastructure by targeting globally-sourced technologies, developing solutions for electromagnetic pulse attacks, and supporting the research and new talent needed to deploy cybersecurity solutions. Looking forward, we can expect the White House, federal government and private sector to prioritize cybersecurity.