Lawmakers push for research grants for cybersecurity in the energy sector
Grant Gross
Video Embed
House legislation in the new Congress aims to increase cyber defenses in the U.S. energy sector by creating incentives for students and researchers focusing on the topic.
Sponsors of the bipartisan Energy Cybersecurity University Leadership Act are looking to address a rise in cyber threats against U.S. energy infrastructure. Reps. Deborah Ross (D-NC) and Mike Carey (R-OH) pointed to a handful of recent incidents, including a December substation attack in Moore County, North Carolina, a 2021 ransomware attack on the Colonial Pipeline, and an attempted water poisoning at a Florida treatment plant in 2021.
DEFENSE OFFICIALS EYE ANTI-QUANTUM ENCRYPTION TO SHORE UP PROTECTION OF CLASSIFIED MATERIAL
To confront these attacks, Congress must make “real investments in a strong and diverse workforce,” Ross said in a statement.
Her bill with Carey would create the Energy Cybersecurity University Leadership Program to provide scholarships and fellowships for graduate students and postdoctoral researchers studying cybersecurity and energy infrastructure. It would also support research and development projects at U.S. universities.
The bill would also give students and postdoctoral researchers with trainee research positions at energy utilities and the Department of Energy’s national laboratories. Ross and Carey introduced an earlier version of the bill in April 2022; it passed in the House but didn’t move forward in the Senate.
Cybersecurity experts welcomed the legislation and the congressional attention on cybersecurity, but some said the bill would have a limited impact.
The legislation would be more helpful to a “handful” of universities than to cybersecurity as a whole, said Craig Burland, chief information security officer at cybersecurity provider Inversion6.
“While more focus on cybersecurity is a positive, it won’t move the needle on the overall posture of the energy infrastructure — those problems are too wide and too deep,” he told the Washington Examiner.
Burland noted that the inspiration for the bill seems to be attacks on local energy services, but concerns about the energy industry’s cybersecurity posture are national. “The flaws in the energy grid are well known, with a convergence of IT and [operational technology], huge attack surface, and high levels of decentralization,” he added. “The energy grid is also an attractive target for actors looking to cause disruption on a large scale.”
While the bill won’t have a huge impact, it may help to drive forward the discussion about federal funding of cybersecurity efforts, Burland added. “Put into the context of a more active federal government, it has the potential to be a spark for a broader movement where cybersecurity is mandatory for everything we as a nation build or produce.”
Small steps forward in cybersecurity are still steps forward, said Edgard Capdevielle, CEO of Nozomi Networks, a network security provider.
“The important piece is that the government uses a ‘carrot’ rather than the much-anticipated ‘stick’ that is often met with much pushback,” Capdevielle told the Washington Examiner. “Programs like this one that are fueling much-needed money into the problem, as well as directionally pointing to the talent shortage, are a net positive for the industry.”
A talent shortage is a big problem in the energy sector, he added. Many clean energy companies have reported difficulties hiring new employees in recent years due to competition and a lack of skilled workers.
CLICK HERE TO READ MORE FROM THE WASHINGTON EXAMINER
Utilities and other organizations in the energy sector have recruitment challenges because private companies “can more easily afford higher salaries,” Capdevielle said. In many cases, U.S. utilities’ rates are highly regulated, meaning they have difficulty competing with the private sector for workers, he noted.
However, the legislation would “reinforce the importance of driving talent into the energy sector while expanding current cybersecurity research projects currently being conducted within academic institutions,” he added. “This initiative will certainly drive more protection and institutional cybersecurity knowledge across the energy sector, thereby making it more secure.”