Underdefended: America’s Vulnerable Energy Infrastructure

Our enemies will fight us in cyberspace, threatening the power-generating facilities and other critical systems we depend on. Government could be doing a lot more to fend off debilitating attacks.

In the world of public-sector cybersecurity, most of our current attention is on ransomware attacks and safeguarding our elections. Those are genuine and important threats, of course, but there's another major vulnerability: the threat to the infrastructure that powers our economy and the systems we rely on in just about every aspect of our everyday lives.

Most recently, our conflict with Iran in the wake of the killing of its top military commander, Qasem Soleimani, raised new worries about possible cyber-retaliation. That's a reasonable fear. Security analysts predict that state-backed hackers will target America's weakest link. Given that our power-transmission grids and energy utilities are underdefended, American energy security has never been at greater risk.

This is not a hypothetical vulnerability. In 2018, then-National Intelligence Director Dan Coats asserted that nearly two decades after 9/11 the "warning lights are blinking red again," adding in a report to Congress that many nation-states are capable of causing "disruptive effects … for days to weeks" to our critical infrastructure. And Karen Evans, the Department of Energy's assistant secretary for cybersecurity, questioned our ability to withstand such attacks, writing that our energy infrastructure "has become a primary target for hostile cyber actors."

Iran has flexed cyber-capabilities before. In 2012, in response to U.S. sanctions, state-backed Iranian hackers launched a series of attacks that disrupted banks and the New York Stock Exchange. And in 2013, they broke into a dam's control system.

Federal policymakers are beginning to take commendable steps, including increasing annual cybersecurity spending, creating the Cybersecurity and Infrastructure Security Agency, and even organizing a "cyber moonshot" initiative for a safe and secure Internet. But we need to do more, and state governments have an important role. Here are three things the U.S. should be doing now to prevent and defend against debilitating attacks on our key infrastructure:

Foster public-private partnerships to raise collective understanding of current threat vectors. Federal and state energy regulators need to work more closely with the leadership of America's best cybersecurity companies to make sure we're using state-of-the-art protection. Such knowledge-sharing programs can produce best-practice guidelines and recommendations that provide more comprehensive security without governmental overreach.

Incentivize state-level policy. States provide most of the oversight for the nation's utilities. Nearly 90 percent of these critical systems — including power generation facilities, gas pipelines, telecommunications infrastructure and water treatment plants — are for the most part under state purview. And it's important to remember that contractors are considered cybersecurity's "unprotected underbelly": The worst known hack into the nation's power system targeted a small Oregon firm that works with electric utilities. The federal government can encourage state compliance and cooperation with cybersecurity recommendations through tax incentives and penalties. Publicizing relative security standings of departments would shame laggards and foster competition for the best security.

Cultivate a new generation of cyberdefenses. Rather than cutting overall federal research and development spending, we need to better fund basic R&D and other initiatives that will enable the next generation of American researchers and entrepreneurs to stay at the cutting edge of cybersecurity. Encouraging private-sector defense companies to build cybersecurity technologies will produce tools that bolster baseline protections on critical infrastructure.

America's enemies who cannot beat us in conventional warfare instead will fight in cyberspace. In this new theater of war, they gain an asymmetrical edge due to the low cost of debilitating and destructive cyberattacks. We need to move quickly to dial down the partisanship in government and dial up public- and private-sector cooperation to make sure that America is as well protected in this century as we were in the last.

Founder of The Westly Group and former California controller