Former Energy Secretary Brouillette on foiling infrastructure cyberattacks

➤ The federal government should optimize information sharing through public-private forums to ensure infrastructure operators are ready for cyberattacks.

➤ It makes "perfect sense" for the U.S. Energy Department to take over pipeline cybersecurity from the Transportation Security Administration.

➤ The DOE should help expand artificial intelligence capabilities across the federal government.

Former U.S. Energy Secretary Dan Brouillette

Source: U.S. Department of Energy

The U.S. Energy Department placed special focus on cybersecurity, artificial intelligence and quantum computing under former Secretary Dan Brouillette and his predecessor, Rick Perry. During Brouillette's tenure under President Donald Trump, first as deputy secretary and then as the agency's top official, the DOE stood up the Office of Cybersecurity, Energy Security and Emergency Response, or CESER, as well as the Artificial Intelligence and Technology Office.

In December 2020, Brouillette also signed an order prohibiting utilities that supply critical defense facilities from procuring certain bulk power system equipment from China. The Biden administration recently suspended that order and initiated a review of the policy.

In an interview, Brouillette discussed what industry and government can learn from the cyberattack on the Colonial Pipeline Co., which prompted the operator to shut down a critical 5,500-mile gasoline and refined fuels artery. This is an edited transcript of that conversation.

S&P Global Market Intelligence: What are your key takeaways from the Colonial Pipeline cyberattack and shutdown?

Dan Brouillette: It obviously points to the need for continued vigilance on the part of not only the operators but the government itself in determining who is targeting the critical energy infrastructure for potential attacks.

I think we need to do a better job, candidly, on the government side, of sharing some of the intel with the industry so that they know what the actual threats are, and they can help determine what are the best defenses that they can deploy against those types of threats. I always wonder whether or not the industry fully understands the threat that they face. I know they do, generically, but boy, there's some very specific intelligence that comes across our desk in the government that I wish I could have shared from time to time with the industry. But you're not allowed to, obviously, because many of the CEOs don't have security clearances, or the [chief intelligence officers] don't have security clearances in certain cases, or they don't have the right clearance. Or in many cases, the intel belongs to one of the three-letter agencies, and they want to protect sources and methods, so they don't want a wide distribution of that information.

And that's legitimate. I understand that. I'm not being critical, but we have to think about cybersecurity (and, more importantly, the intelligence around cybersecurity) perhaps in a different way if we are to protect the infrastructure.

What, in your view, should energy infrastructure operators and the federal government be prioritizing, either separately or in forums?

Right now, ransomware is easy for the attackers. And you've got players like North Korea, for instance, which specialize in ransomware because that's how it pays [North Korean leader Kim Jong-un] through this type of piracy: steal some data, encrypt it, hold it for ransom and, hopefully, somebody pays. That activity is going to continue for some time.

Where I have some perhaps even bigger concerns are on the OT [operational technology] side of the house ... We're seeing more and more of the OT systems become vulnerable because now you can communicate with them from the outside. And that's going to be a big challenge for the industry.

With regard to the pipeline guys, in particular, I hate to characterize them as perhaps a little slower than the rest of the industry, but my impression (I think most people's impression) is that they've been a little bit behind. For instance, the electric utilities, where you have guys like [The Southern Co. Chairman and CEO] Tom Fanning, and [American Electric Power Co. Inc. Chairman, President and CEO] Nick Akins, and Lynn Good at Duke Energy Corp., they're very, very sensitive to these issues, and they're very good at what they've done so far. And they just continue to invest enormous amounts of money to ensure that their systems are protected and defended against.

This event has revived talk of imposing mandatory minimum cybersecurity standards on pipeline operators, similar to those for the electric power sector approved by the Federal Energy Regulatory Commission in 2008. What are your thoughts on that?

I don't know that that's a perfect answer, either. You think about it in terms of standardization, for instance: If you have a minimum standard, what you've essentially told the adversary is that they have at least this. So you've given them at least half of the combination to the lock that they're looking for. And you have to be careful with that.

Some people, including FERC Chairman Richard Glick and Commissioner Neil Chatterjee, have advocated transferring TSA's pipeline cybersecurity portfolio to DOE. Would you support that?

I wouldn't disparage [TSA]. I think they're fine people, and they do a great job, and we enjoyed our relationship with them.

But it makes perfect sense for it to be at the Department of Energy. Congress acknowledged in the FAST Act that the DOE was the sector-specific agency for incidents like this, with regard to the energy infrastructure. So why would you exclude pipelines from that grid, from that energy infrastructure? It doesn't make any sense. It's the perfect place for it to be and, candidly, when you combine that with the other functions within the department, for instance, the office that Secretary Perry and I created, CESER, that is the sole focus of that office: cybersecurity and catastrophic response. It is led by an assistant secretary. It's well staffed. It's well funded.

The Biden administration revoked the prohibition order you signed concerning bulk power system equipment procurement from Chinese entities. The administration did agree that China's role in providing essential electric system equipment presents a "significant threat," but it decided to seek more information from utilities and stakeholders. Do you have concerns about this action?

I do have concerns about it. I think they're going to learn exactly what we learned. And that is, one, there is a real threat.

What were your views and priorities on energy sector cybersecurity when you became deputy secretary, and how did these evolve during your time at DOE?

I think we recognized really early that the threat had grown tremendously, exponentially, if you will. And we were very engaged with the utilities, with the industry itself, to determine what it is that we might do to assist and what is it that we had at the Department of Energy that might be of benefit to them. And Secretary Perry, in particular, was very interested in things like artificial intelligence and the supercomputing capacities within the department itself. So we wanted to make those available to the industry as quickly and as efficiently as we could.

I think we did a pretty good job of that. I think utilizing the National Laboratory system, Oak Ridge, PNL, Pacific Northwest Lab out in Washington State — and making those part and parcel to the conversations that we were having with utility CEOs produced some tangible benefits.

What more would you have tackled if you had more time?

I was pleased with the initial progress that we made around artificial intelligence. I think we convinced the Congress that DOE, as a science agency, as a computing agency, as a technical agency, was the right place for it to be. I think if you were today to talk to the CIA, if you were to talk to the [National Security Agency], or [NSA Director and U.S. Cyber Command Commander] General [Paul] Nakasone and others, they were very, very pleased with the work that we did early on and the work that I did later on as secretary to ensure that they had adequate access to those capabilities within the department. In some cases, people didn't even know it was there. I would say that if I was still there, I would want to deepen those relationships and to ensure that those [capabilities] were made even more available to the rest of the government.