November 09, 2022
At AFCEA Bethesda’s second annual Energy, Infrastructure and Environment Summit, a thematic throughline animated the program: risk.
Attendees talked about risk to energy security, cybersecurity, information technology (IT) networks, citizens, government workforces, and the environment. They spoke of risk’s sources: climate change, cyber threats, IT obsolescence, IT debt, delivering inadequate user experiences, focusing on executive orders and losing mission focus, inadequate funding, and the challenge of recruiting IT professionals into government agencies.
These are risky times, it would seem, but attendees said the pandemic showed that it’s possible for government to face big challenges and prevail. Carrying forward the pandemic mindset will help agencies to remain mission-focused, they said. “The key is balance … plain risk management,” said Brian Epley, principal deputy CIO, Department of Energy. The executive orders aren’t going to stop, he said.
Implementing zero trust architecture to protect government networks against cyberattacks was top of mind for many attendees, including Venice Goodwine, director of Enterprise Information Technology for the U.S. Air Force. “We can’t go back” to government’s risk-averse, pre-COVID mindset, she said. Nor can government agencies allow zero trust initiatives to divert attention from missions, she added.
Implementing zero trust can’t compromise the user experience because in the Air Force “user experience is imperative for the warfighter,” Goodwine said. “Their lives depend on it.”
User Experience
Mittal Desai, CIO of the Federal Energy Regulatory Commission, said the imperative to provide user experiences that are accessible to anyone at any time has led to better project planning. The amended process simultaneously overlays customer experience and security requirements, rather than prioritizing one over the other.
Delivering world-class user experiences further helps agencies to recruit the next generation of IT talent. “If you want the best … you need to make sure that you’re giving them experiences that match what we told them they were going to do when they went to the recruiter’s office,” Goodwine said.
Being nimble and finding partners in industry and government will also help agencies to mitigate and navigate risk and uncertainty. “Things are changing very quickly. Success is going to be in partnerships,” Epley said. Implementing zero trust architecture, for example, will require “a breadth and depth [of] effort. It’s got to be a coordinated effort.”
At times, federal workers hamper government’s initiatives by withholding information from colleagues at other agencies. Agencies also shy away from industry partnerships, at times, fearful that collaboration will compromise contracting rules.
“That’s a cultural change we must address,” Goodwine said.
Clean Energy Infrastructure
Officials from the Department of Energy pulled back the curtain on the Bipartisan Infrastructure Deal, enacted last year, that provides more than $62 billion to develop the country’s clean energy infrastructure.
Over the next five to 10 years the energy system will transform, from a historically “dumb” grid to an energy ecosystem comprising solar power, wind energy, electric vehicle charging stations, smart thermostats, and other connected IT devices. The shift toward smart, renewable energy seeks to mitigate the consequences of climate change, including extreme weather events.
“It’s just getting worse every day,” said Puesh Kumar, director, Office of Cybersecurity, Energy Security, and Emergency Response, Department of Energy.
The challenge is to develop a modern and flexible grid capable of accommodating many uses. At the same time, DoE must make sure that the fast-expanding universe of connected devices doesn’t enlarge the grid’s attack surface.
It’s a big challenge – and a huge opportunity. Maintaining a grid that was deployed decades ago often has required bolting on cybersecurity fixes to combat emerging threats. The clean energy initiative is an opportunity to secure the new grid “from the get-go,” Kumar said.
Operational Technology
To get a better picture of threats targeting critical systems across the country, the Energy Department is looking to improve monitoring of Operational Technology and Industrial Control Systems (OT/ICS), officials said.
Traditionally, DoE did a good job of monitoring the IT side of things, but OT is where much of the emerging cyber risk that could affect energy delivery is arising.
“OT is the huge area we’ve neglected in the past,” said Ann Dunkin, CIO of the Department of Energy.
Zach Tudor, an associate laboratory director at Idaho National Laboratory, said his team is improving infrastructure and risk analysis to advance system security and resiliency. The lab is leveraging numerous tools, including cyber-informed engineering, supply chain security, and software bills of materials (SBOMs). SBOMs provide visibility into the components of software, making it easier for developers to identify code that hackers exploit.
Another driver of modernization is consumers who are accustomed to using mobile apps “to control everything on their phones” and who expect the same level of control over energy-related issues, Kumar said. “Customers are causing the grid to change.”
For DoE, accommodating consumers’ expectations for a more user-friendly grid means that all those devices must be secured.
“That’s why OT has become so important to us,” Dunkin said. “The last thing you want to hear is that someone’s Nest thermostat brought the grid down.”