A multi-partisan group of senators introduced legislation Monday asserting the smartest way to protect the nation’s electric grid from cyberattacks is to dumb it down — leaning on the adage that the only way to truly secure a computer is to unplug it from the network.
The Securing Energy Infrastructure Act put forward by Sens. Angus King, I-Maine, Jim Risch, R-Idaho, Martin Heinrich, D-N.M., and Susan Collins, R-Maine, on June 6 would take what the senators are calling a “retro approach” to securing the nation’s critical infrastructure by replacing vulnerable IT systems with unconnected, human-operated systems.
“The United States is one of the most technologically-advanced countries in the world, which also means we’re one of the most technologically-vulnerable countries in the world,” Sen. King said after introducing the legislation. “By looking to the past, we may be able to develop ways to thwart the sophisticated cyberattacks of the future. Our legislation would reengineer the last mile of the energy grid to isolate its most important systems and, in doing so, help defend it from a devastating blow that could cut off electricity to millions of people across the country.”
King cited the December attack on Ukraine’s power grid — the most public cyber offensive targeting civilian infrastructure to date — which he said would have been much worse if the country’s infrastructure didn’t rely on manual procedures to operate parts of the grid.
In a June 6 release, the senators outlined the four major goals of the legislation:
- Establish a two-year, $10 million pilot program within the national laboratories to study covered entities and identify new classes of security vulnerabilities and research and test technology — like analog devices — that could be used to isolate the most critical systems of covered entities from cyberattacks.
- Require the establishment of a working group to evaluate the technology solutions proposed by the national laboratories and to develop a national cyber-informed strategy to isolate the energy grid from attacks. Members of the working group would include federal government agencies, the energy industry, a state or regional energy agency, the national laboratories and other groups with relevant experience. The bill allocates $1.5 million to support the working group’s efforts.
- Require the Secretary of Energy to submit a report to Congress describing the results of the program, assessing the feasibility of the techniques considered and outlining the results of the working group’s evaluation.
- Define “covered entities” under the bill as segments of the energy sector that have already been designated as entities where a cybersecurity incident could result in catastrophic regional or national effects on public health or safety, economic security or national security.
“The future of warfare is moving further away from the battlefield and closer to the devices and the networks everyday citizens depend on,” Sen. Heinrich said. “Protecting our nation from malicious cyber actors requires a comprehensive approach and keeping our energy infrastructure secure is central to that.”
However, energy security experts aren’t necessarily on board with this tack.
“The argument in this proposed legislation that says, ‘Let’s make the systems less vulnerable by making them less technically sophisticated,’ is akin to saying, ‘Let’s move from mobile phones to telegraph systems,’” said Faizel Lakhani, president and COO of SS8 and one of the original developers of the SCADA systems that manage industrial control systems.
“SCADA systems are designed to automatically re-route or stop power distribution in the case of a load imbalance and though this is possible without networked systems it will be far more time consuming and require far more humans and hence more prone to error,” he explained. “The alternative approach is to allow the benefits of the network in terms of communications and interactions yet to monitor all the communications to ensure there is nothing that is out of the norm occurring.”