Is Our Government Tackling Energy Cybersecurity Objectively?

President Donald Trump published the National Security Strategy last year, which lays out a clear vision for protecting the United States against adversaries and promoting culture shifts for a more resilient and prepared nation.  

The NSS promotes the objective identification and prioritization of threats by supporting risk management principles. This is the right approach, centering security decisions on objective risk identification, analysis and recommendations for risk elimination, acceptance or mitigation.

These threats of course include cyberattacks, where it is clear that adversaries, including insider threat actors, continue their attempts to exploit vulnerabilities and penetrate information or operational systems. Their objectives range from stealing intellectual property to creating physical damage of critical infrastructure and related business systems.

One of the most high-profile and often-cited cyberattacks utilized the Stuxnet virus to destroy centrifuges at the Iranian Natanz nuclear facility, making clear to the world that the nuclear industry is susceptible to significant incidents, resulting in physical damage to equipment. Indeed, the industry has suffered cyber incidents prior to the Iranian incident, including one at the Davis-Besse Nuclear Power Station in Ohio that blocked operator access to reactor core information in 2003, back when the word cyber was less of a household term.

What these prior nuclear sector cyber incidents prove beyond doubt is that nuclear power facilities are both vulnerable to cyber risk and a clear target.

Perhaps in recognition of this point, the White House National Security Council has already led an exercise with the United Kingdom that postulated a significant cyber incident that impacted nuclear power plants in our respective nations. Both countries share a mutual understanding of the significant risk posed by a cyberattack on a fixed nuclear facility, which could include catastrophic consequence to life, safety and the environment.

Given the reality that the nuclear industry is susceptible, and not immune, to cyber risk, it is surprising that certain legislators and policymakers in the U.S. government claim that relying on nuclear power versus other forms of generation will somehow reduce the cyber risk to the nation. They claim that the cyberthreat to natural gas pipelines systems is a primary reason the United States needs to maintain and build a larger nuclear power fleet, in addition to coal-fired generation. But that argument is contradicted by leading industrial cybersecurity firm Dragos, which has said that promoting more nuclear and coal plants offers little protection and will not deliver any additional cybersecurity resilience based on the current threat environment.

While policymakers also claim that increasing penetration of natural gas generation in the fuel mix creates power reliability concerns, this is contradictory to industry and academic analyses. The Massachusetts Institute of Technology Lincoln Laboratories, a defense-funded national security lab, has previously found that “historically, there have been very few outages in the natural gas distribution system, with firm delivery contracts exhibiting greater than 99.999% reliability.”

This reiterates the extreme reliability of the natural gas systems from outages, which is critical for our power generation capacity. PJM Interconnection, a regional power transmission organization, released a study this year concluding the current generation mix, which is comprised largely of natural gas-fired generation, provides high grid reliability. Another recent study by the Rhodium Group, using Department of Energy data, found that “increasing amounts of coal and nuclear generation on a utility’s system has no clear relationship with higher performance regarding reliability metrics.” In other words, the data and the facts do not support increasing more nuclear generation for enhanced reliability.

One of the strongest security partnerships at the U.S. Department of Energy is with the oil and natural gas industry through the Oil and Natural Gas Subsector Coordinating Council, where industry and intergovernmental partners come together on a regular basis to inform government policy and industry practices for a more secure critical infrastructure ecosystem. Both the electricity and oil and natural gas sectors attend classified government monthly briefings to ensure greater shared understanding of the threat environment and provide technical expertise and analysis jointly between information sharing centers.

Ultimately, all critical energy infrastructure is a target for America’s adversaries, and promoting one sector over another distracts from comprehensive efforts to secure all infrastructure from cybersecurity threats. If the president agrees that following a risk-based approach is the most effective way to secure our nation and protect against adversaries at home and abroad, then we should take an approach that is mindful of sound risk principles and perspectives, incorporating a systemwide view.

That is, our government should re-evaluate our current policy approaches by resetting our posture and truly evaluating the actual risk environment that we face, based on objective, factual and nonpolitically motivated analysis. Our national security demands and requires it.

Sean Griffin is a partner with ecubed us, a risk management and preparedness consulting firm, and he previously served on the National Security Council and in the Office of Electricity Delivery and Energy Reliability at the U.S. Department of Energy.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.