With hacking attacks mounting against US energy companies, guarding the sector will be a top priority for a new cybersecurity effort, Homeland Security Secretary Kirstjen Nielsen has said.
Five months after five pipeline operators in the US said their third-party electronic communications systems were shut down by hackers, Nielsen said a new National Risk Management Center would help government and the private sector better coordinate efforts to protect critical infrastructure.
The center will focus initially on energy, finance, and telecom, Nielsen told attendees at a New York conference. The action comes after the energy industry, in particular, has faced criticism from cybersecurity firms for not spending enough to fend off attacks. In April, Symantec said it is tracking at least 140 groups targeting energy, up from 87 in 2015.
“We are in crisis mode," Nielsen said. “A Cat 5 hurricane has been forecast.’’
Russian government hackers compromised dozens of US energy companies in 2017, the US director of national intelligence said in a report that also cited attacks from Iran and China.
The new center is designed to allow industry and the public sector to better coordinate on both reducing risks and responding to attacks, Department of Homeland Security (DHS) said in a statement released at the conference. The government’s response includes a “major" cybersecurity exercise to be held later this year, Nielsen said.
DHS will be critical in helping the private sector fend off assaults, Tom Fanning, chief executive officer at Atlanta-based utility owner Southern Co., told the crowd.
Homeland Security is “the convening arm that can bring together these important sectors of America to help organize and harmonize” the counter-response, he said. “We are interdependent on each other."
The industry’s past response to cyberthreats has drawn criticism from some.
While the Transportation Security Administration requests voluntary notifications of “security incidents” involving hacking, there is no mandate and the industry has generally not been in support of mandating notification.