President Biden’s Executive Order and The Grid

Written By Nicholas Schmidt

Background on the Executive Order (EO) from 12 May 2021

Following some...err…“unfortunate” energy-related events in early May, the Biden administration took a monumental step to increase the Federal Government’s response to the ongoing risk associated with public sector cyber attacks. As much of the East Coast experienced, we are past the point where anything but an impactful, dedicated response can be considered.

With the energy sector increasingly joining the public psyche, we wanted to share some of our own thoughts on this EO!

Why was an Executive Order (EO) necessary?

To partially use the EO intro, which captures our sentiments amazingly...

the world, but for this particular post, specifically the United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. Accordingly, the Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.

While this EO is very US-centric, the parallel formation of an EU Joint Cyber Unit demonstrates that other world leaders are on the same page here. 

What Policy was set forth?

The EO calls for “bold changes and significant investments” making the “prevention, detection, assessment, and remediation of cyber incidents a top priority” to ensure national and economic security. The Federal Government has decided they will lead by example by guiding (or perhaps pushing) companies and agencies towards appropriate security measures - setting forth uniform protocols to limit systemic exposure in a world where integrations and data sharing is increasingly prevalent.

The Department of Defense went through a similar issue with their own internal security enforcement. The DoD had strong security protocols in place but regularly faced issues due to breaches at the vendor level.  Various data breaches at federal agencies (Secret Service, USPS, CBP, and OPM) forced more focus on cybersecurity. In 2014 Congress passed FISMA which put NIST in motion to update NIST 800-53, and later, NIST 800-171.

In response, what was created outlined a tailored and enforceable way to feel comfortable major security controls were accounted for. NIST 800-53 (very difficult and heavy) was accompanied by NIST 800-171 (check the major boxes) and vendors were audited to ensure compliance. It was essential to ensure a consistent security standard and baseline was established through the entirety of the supply chain for DoD procurement. Given the overall success of that transition, we are hopeful this will have a similar effect. This is to not say there are not faults (hacks are still happening), but it is a solid framework to start with and monumentally better than the prior state.

What aspects of the EO are relevant to non-Federal systems (e.g., the energy grid)? 

The EO sets forth initiatives that impact the private sector every bit as much as the public sector.

  • Removing Barriers to Sharing Threat Information

    • The federal government must make it easier for critical systems at companies and organizations to report incidents and communicate regarding cyber threats. As such, it’s paramount that barriers or restrictions (e.g., contractual) that limit the sharing of threat or incident information be eliminated. Admittedly, there are some sensitivities here as it places the government in a much more “active” position regarding private company cybersecurity oversight. In our view, however, this is simply a necessity in the current environment. 

  • Modernizing Federal Government Cybersecurity

    • Steps must be taken to migrate towards National Institute of Standards and Technology (NIST) standards and guidelines to combat the modern and constantly evolving cybersecurity threat. Additionally, authentication and data encryption standards (FIPS 197) along with advances to more recent paradigms such as Zero Trust Architecture and secure cloud services must be pursued.

  • Enhancing Software Supply Chain Security 

    • As commercial software often lacks transparency, sufficient focus on the software’s ability to resist attack, and adequate controls to prevent tampering by malicious actors, the EO mandates that more rigorous and predictable mechanisms for ensuring that products function securely be implemented.  In addition, the security and integrity of “critical software” (i.e., software that performs functions critical to trust) is a particular concern. In a later blog post, we will cover why SBOMs (Software Bill of Materials) will be so integral to this effort!

  • Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents

    • To maximize the benefits associated with identifying, remediating, and recovering from vulnerabilities and incidents that affect systems, the EO aims to standardize response processes to attacks - ensuring more coordinated and centralized cataloging of incidents. As we alluded to earlier, a key to accomplishing this will be the broad application of all appropriate NIST standards.

    • The information-sharing spurred by these processes will go a long way towards allowing businesses and agencies to identify advanced persistent threats (APTs) from what otherwise would appear to be small, isolated events.

  • Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks

    • Appropriate resources must be employed to maximize the early detection of cybersecurity vulnerabilities and incidents networks. Therefore, an Endpoint Detection and Response (EDR) initiative, which is an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities, shall be deployed to support (i)proactive detection of cybersecurity incidents within an infrastructure, (ii) active cyber hunting, (iii)containment and remediation and, (iv) incident response.

    • We are looking forward to embracing the US-CERT CVE incorporation as part of how the community thinks about software patches! Internally, we track software updates with the CVE identification, which provides excellent guidance on prioritization.

Traditionally, the DHS provided oversight for Critical Infrastructure systems, but who and what falls under this umbrella left a lot to the organization’s discretion. This EO, along with additional guidance provides Cybersecurity & Infrastructure Security Agency with some additional funding and guidance on making the protections clearer.

Additionally, we expect to see further updates to the Energy Sector-Specific Plan 2015 published back when Blueprint was just a twinkle in Robyn Beavers’ eye. We were thrilled to hear Lawfare Podcast speak with DHS Leadership on the immediate action plan for critical infrastructure and the upcoming updates.

What is Blueprint Power doing about cyber threats?

Blueprint has tried to engage with the proper regulators to help drive this conversation throughout the company’s existence. For example, in 2019, we submitted comments to the New York PSC suggesting that instead of broad and somewhat ambiguous security controls, it was appropriate to follow the federal model closely. Our comments also championed NIST as providing exceptional guidance on ensuring proper control allocation concerning risk - a critical feature for any adequate security posture. 

Internally, we have taken the initiative to institutionalize security best practices. In so doing, much of the breadth and depth of the EO has been implemented, though there is always work to be done. We instituted this posture to meet security requirements before those levied by New York Utilities via a Data Security Agreement

In much the same way as we at Blueprint view open data and open standards/protocols as intrinsic to grid modernization, so too have we treated security - intrinsic and essential. We have built our software and infrastructure based on the guidelines of the NIST Cyber Security Framework. We’ve additionally been fortunate to have the ability to leverage the military and intelligence community experience of our employees to bolster and inform our security posture. 

Of course, not every company has the luxury of having this level of applicable security experience in-house. This further highlights the importance of this recent EO - it provides clear and concrete guidelines for companies and agencies to follow. The easier it is for non-security minded companies to implement the better!

In a world of integrations and data exchange, ensuring that these processes can happen safely and securely is terrific for our team - and pretty much everyone (hackers excluded).

Nicholas Schmidt
Previous

Blueprint joins the bp Launchpad family
Next

A Blueprint for LeFrak City