Energy Dept. Awards $30M to IT to Secure Utilities

The Department of Energy is doing something about the oft-cited (but little-addressed) threat to U.S. power and utility networks from outside attack: it will give $30 million to 11 security vendors to develop new technology to make electrical grid, oil, and gas infrastructures more resistant to cyber-assaults.

The grants follow a February order from the White House to beef up digital security in parts of the country’s critical infrastructure – primarily electrical power grids. The order warned that “repeated cyber intrusions into critical infrastructure… represents one of the most serious national security challenges we must confront,” according to a February GridInsights story.

In a survey of U.S. utility companies in May, the Department of Energy found that cyberattacks had become either daily or constant at a dozen utilities, and were rising fast at the others. In a report following the survey titled “Electric Grid Vulnerability,” (PDF) the agency further reported that, during 2012, the number of cyber attacks on federal agencies had increased 68 percent from the year before.

The types of primary attacks were similar to those at non-utility companies: phishing, malware infection, and unfriendly probes.

Security products developed using the $30 million in grants will expand on security requirements imposed on utilities by the North American Electric Reliability Corp. (NERC), a part of the Department of Energy, in 2011. The primary set of requirements focused on making utilities share information about attacks, and how well specific defenses worked against them.

It did not transform the utility industry from one fairly lax about security into a new stronghold of national cybersecurity. Most utility companies complied with a list of requirements, but didn’t take suggestions that were only voluntary. For example, more than three quarters of utilities confirmed in a survey that they’d implemented required protections against Stuxnet – the state-sponsored cyberattack malware that attacked Iranian nuclear-fuel development facilities in 2010; but only 21 percent of privately-owned utilities and 44 percent of municipally owned utilities implemented the voluntary measures, as well.

The Department of Energy has spent more than $100 million since 2010 to change that, according to the announcement; most was given in grants, awards and other fundint efforts to companies working in areas the agency considers particularly important. “Keeping the nation’s energy flowing is vital to the safety and well-being of Americans, our economic prosperity, and modern society as a whole,” the announcement quoted agency Secretary Ernest Moniz as saying. “To meet the challenges of today’s evolving cyber landscape, we must continue investing in innovative, state-of-the-art technologies.”

The money to meet the challenges went to 11 vendors for systems including one to validate the authenticity of commands to shut down a grid or change a relay’s configuration; another that automates the process of updating firmware and software patches; and another that will give small- and mid-sized utilities better tools to help manage their own security.

The full list of companies awarded grants, along with the amounts and intended uses, is available on the Energy department announcement of the grants, which is here.