#1 Why is your sector considered critical infrastructure and why is it so important to protect?
One of the 16 critical infrastructure sectors identified within Presidential Policy Directive 21 (PPD-21 – “Critical Infrastructure Security and Resilience”) is the Energy sector, which is comprised of three interrelated subsectors—electricity, oil, and natural gas. The Energy sector entails the production, refining, storage, and distribution of oil, gas, and electric power (but does not include hydroelectric and commercial nuclear power facilities and pipelines).
On a macro scale, the United States economy and modern society as we know it would not function without the outputs of the Energy sector. As noted in the 2015 National Infrastructure Protection Plan (NIPP) Energy Sector-Specific Plan, the Energy Sector supplies fuels to the transportation industry, electricity to households and businesses, and other sources of energy that are integral to growth and production across the Nation. Moreover, PPD-21 identifies the Energy Sector as uniquely critical because it provides an essential function across virtually all other critical infrastructure sectors.
On a more personal level, imagine how fundamentally different your typical daily routine (and by extension, your quality of life) would be without a source of energy to:
#2 What are the biggest risks to your sector’s operations?
As summarized in the NIPP Energy Sector-Specific Plan, the most prominent critical infrastructure risks that are common across the electricity, oil, and natural gas subsectors include:
Cyber and physical security risks
Natural disasters and extreme weather conditions
An “aging” of both workforce and equipment/infrastructure
Evolving environmental, economic, and regulatory requirements
#3 Has your sector been in the news recently?
Due to its criticality to the global economy and markets around the world, the Energy sector is in the news on a regular basis. More exceptional news coverage of late has surrounded the destructive cyberattack executed against three Ukrainian electric utilities on December 23, 2015.
The possibility of a cyberattack causing physical damage to electric system equipment first received widespread news coverage in 2007 when Idaho National Laboratory performed the Aurora generator experiment, in which a diesel generator was destroyed by a simulated cyberattack. Over eight years later, this attack on the three Ukrainian utilities represents the first publicly acknowledged power outage resulting from a cyberattack. Although this is significant in its own right, the overall impact of the attack was relatively low when gauged by the number of customers impacted (225,000 out of a Ukrainian population of over 40 million) and the duration of the power outage (less than 10 hours).
The investigation of the incident is still underway, but if you’d like to learn more, publicly available reports from the U.S. Department of Homeland Security (DHS) and the Electricity Information Sharing and Analysis Center (E-ISAC) and SANS provide insight into how the attack unfolded as well as mitigation strategies.
About the Sector Chief
Martin Kessler serves as Chief of Staff to the CIO at The AES Corporation, a Fortune 200 global power company. Prior to his current role, Martin served as Senior Advisor, Global Cybersecurity, with responsibility for governance of AES’ global cybersecurity and business continuity management programs. Martin has over 15 years of cyber and IT risk management consulting, auditing, and operations experience at a Big 4 accounting firm and a U.S. Government agency. He has several security certifications, including the Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and Global Industrial Cyber Security Professional (GICSP).