Guest post III: The US takes meaningful steps to strengthen the cyber security of its electricity system

ICS cyber security blog guest post:
Guest Post III: The US is taking meaningful steps to strengthen the cybersecurity of its electricity system

April 10, 2021 – icscybersec

The cybersecurity of US critical infrastructure is a rather hot topic. Once again, important things are happening overseas, and (as usual) our colleague GéPé has prepared a short summary. Here it is.

The US noticeably stepped up its efforts to counter threats to the cyber security of its electricity system in 2020. One striking sign of this was the issuance of EO 13920 (Executive Order on Securing the United States Bulk-Power System, 1 May 2020). While President Biden suspended the application of the EO for 90 days on 20 January 2021, it is unlikely that a decision will be taken to permanently revoke or even relax the EO in light of the cyber attacks on the US in recent months, most notably the SolarWinds/Orion incident.

In a further significant step, the US Department of Energy (DoE) established the Electricity Advisory Committee (EAC) on 30 November 2020 as the Grid Resilience for National Security (GRNS) subcommittee of the Committee on National Security. The GRNS is tasked with, among other things, leading the way in anticipating the growing threats to the electricity system and developing new approaches to risk management and mitigation.

Although the GRNS was created by the Trump administration, the DoE’s continued commitment to the GRNS is demonstrated by its announcement on 5 April of a USD 8 million (about HUF 2.5 billion!) grant to fund research and development to strengthen cybersecurity and resilience in the power system. The DoE aims to research and develop resilient, self-healing and autonomous devices and technologies. To support this, the DoE considers it important to expand Public-Private Partnerships (PPPs).

In the light of this, the fate of EO 13920, which is nearing the end of its 90-day suspension, will be particularly significant…

And of course, it would be important if a domestic equivalent of both the EAC and the GRNS could be established in Hungary, not to mention a dedicated source of related R&D…

It would be a serious mistake to believe that, because Hungary is not a primary target country for cyber attacks, an attack on our electricity system, for example, can responsibly be ruled out…

***

The original guest post was published on the ICS cyber security blog.

Translated by DeepL.