White House launches cybersecurity push targeting electricity sector

The White House on Tuesday announced the first pilot program to improve the cybersecurity of the nation's electricity infrastructure as part of a broader initiative focused on industrial control systems.

"The 100-day plan includes aggressive but achievable milestones and will assist owners and operators as they modernize cybersecurity defenses, including enhancing detection, mitigation and forensic capabilities," according to an April 20 statement from Emily Horne, a spokeswoman for the National Security Council.

The pilot is being managed by the Department of Energy and the Cybersecurity and Infrastructure Security Agency.

Anne Neuberger, the deputy national security advisor for cyber and emerging technology, has previously discussed the public-private partnership effort which is being launched around the same time the administration is expected to publish a wide-ranging executive order also focused on cybersecurity.

"Today, we cannot trust those systems because we don't have the visibility into those systems," Neuberger said April 8 during an event hosted by the Council for Foreign Relations. "And we need the visibility of those systems because of the significant consequences if they fail, or if they're degraded. So that's the threshold of success we seek from a cyber perspective, and there are many efforts that we'll need to do to get there."

Eric Goldstein, the executive assistant director for cybersecurity at CISA, said on Tuesday the "60-day sprints" being organized by CISA are meant to complement the White House's efforts. A sprint focused on industrial control systems, and scheduled to begin this summer, will consider risks arising from the use of computer operated physical systems to deliver infrastructure including water, electricity and natural gas.

"The goal of these DHS cyber sprints is to complement the 100-day plans being led by the Biden-Harris administration and coordinated out of the White House by making a national call to action for control system cybersecurity," Goldstein said during a CISA-hosted event.

Goldstein said CISA is looking to engage with private companies managing infrastructure for the chemical sector, dams, energy, transportation and water and wastewater.

"We're also developing our control environment laboratory resource which is an environment for government and the private sector to partner and actually experiencing the possible effects of a cyberattack resulting in physical manifestations," Goldstein said.

Although sometimes overshadowed by the attacks against SolarWinds and Microsoft, cybersecurity for industrial control systems has become an increasingly popular topic for both the executive branch and lawmakers this year.

The push follows a close call at a Florida water facility where a hacker nearly altered the chemical balance of the community's drinking water to include dangerous levels of lye.

Separately, the Department of Justice on March 31 indicted Wyatt Travnichek of Kansas with one count of tampering with a public water system and one count of reckless damage to a protected computer.

The indictment stated Travnichek "knowingly accessed the Ellsworth County Rural Water District's protected computer system without authorization. During this unauthorized access, it is alleged Travnichek performed activities that shut down the processes at the facility which affect the facilities cleaning and disinfecting procedures with the intention of harming the Ellsworth Rural Water District No. 1, also known as Post Rock Rural Water District."

On Capitol Hill, Rep. John Katko (R-N.Y.) in March introduced bipartisan legislation that would centralize CISA's role in responding to cybersecurity breaches of industrial control systems.