Good morning, and thank you, Jeh (Johnson, Secretary of the Department of Homeland Security), for your leadership on these critical issues. Jeh and I have worked together since the day after the election in November 2008 -- when we both joined the Defense Department Transition Team.
In fact -- I came to the team from Stanford, where I spent 12 wonderful years based at the Center for International Security and Cooperation. I’m thrilled to be back on the Farm -- and to see so many colleagues and friends in the audience today.
What has kept me in Washington has been the opportunity to work on some of our toughest national security challenges -- including modernizing and securing the vital energy sector that powers our nation.
As you know, innovation born here in Silicon Valley has enabled our grid to do more today than ever before -- through interconnected information technologies and industrial control systems. While it has empowered us, this convergence of wireless communications and digital controls also creates huge new vulnerabilities.
I want to highlight two facets of the electric grid where vulnerabilities are introduced by this interconnectivity: industrial control systems, and supply chain vulnerabilities.
Industrial control systems, including supervisory control and data acquisition systems -- known as SCADA systems -- are the backbone of the energy sector. These systems allow users to monitor, gather, and process data in real time as well as send commands such as opening and closing fuel or water pumps in remote locations.
Obviously, this offers opportunities to adversaries who would do us harm.
Second, the supply chain of the electric grid. Electric companies don’t make all their parts and software -- their suppliers are diverse.
So, for example, a company could take great care to enhance its cyber defenses but fail to fully audit potential vulnerabilities of new software -- and in fact the amount of time, energy and money required to do so would be impractical. Supply chain integrity and management must be part of our cybersecurity protections.
As leaders in the Federal government, we don’t have the luxury of just describing problems. We have to identify practical solutions.
The partnership highlighted by this summit is at the core of what we are doing in the government to work with industry and brilliant people at universities like Stanford to take action across the energy industry to address cyber vulnerabilities.
As President Obama pointed out in his 2013 policy directive on critical infrastructure security and resilience, energy and communications systems enable all other infrastructures to function. If we don’t protect the energy sector, we’re putting every other sector of the economy in peril.
The Department of Energy is the day-to-day coordinator with industry on matters of security, resilience, incident response, and planning. In government-speak, we’re the “sector-specific agency” for the energy sector.
And that brings me to the core of this panel discussion today. Public-private partnerships and information sharing mechanisms are indispensable in meeting the challenge of cybersecurity. Getting started as Deputy Secretary, I’ve made these partnerships a high priority. Indeed, I chair the Department’s Cyber Council.
The fact is that our energy infrastructure is largely not government-owned. About 90 percent of infrastructure is privately owned. This means that it is imperative that we work with owners and operators to rapidly elevate and sustain our cybersecurity capabilities.
As Tony Earley mentioned, one of the most progressive partnerships is our Electricity Sector Coordinating Council. The ESCC holds three strategic meetings each year with a large group of CEOs from across the industry. Indeed, I’ve done two of these meetings with the ESCC in my first four months on the job. And, as Tony mentioned, I’ve emphasized the importance of cross-sector coordination, especially with the oil and gas, transportation, and communications sectors.
Our efforts have resulted in the development and deployment of information sharing measures and industry assessment tools.
One of the challenges here is speed -- and the need to meet that challenge is reflected in the EO that the President is issuing today. If we have a government process that takes a long time to share information about dynamic threats, or we try to set regulations on how to deal with new cyber attacks, then we’re going to be perpetually lagging behind the threat.
Our solution is to provide tools and information to companies so that they can become aware of risks as soon as they’re identified, and can take voluntary action.
In addition, DOE’s National Labs conduct cutting-edge research on cyber and physical challenges to our critical infrastructure.
And just a week ago today I visited Idaho National Laboratory, where DOE has a real-world, 900-square-mile grid-scale test range, which enables us to test the interdependencies of modern grid technologies and the evolving threat to critical infrastructures.
Over the last several years 80 percent of the world’s control system vendors have been tested through government funded assessments at Idaho National Laboratory. The testing is often followed by design reviews, and mitigation discussions with the vendor.
We also conduct live exercises to train government and private-sector cybersecurity experts on control system technologies and what they can do to minimize and mitigate vulnerabilities.
We all know cybersecurity will remain a constant challenge. We can’t fix it once and then be done -- we have to keep up our skills and capabilities and processes to share information.
Secretary Moniz and I have made this a high priority -- indeed, we’re directing nearly $100 million over this year and next year toward cybersecurity for the nation’s electric grid.
I’d like to ask all the students in the audience to raise your hands. In closing, I’d like to speak directly to you:
When the President of the United States and many cabinet members and CEOs come to your campus, I hope that you will be inspired to pursue careers that give you a chance to find a way to do public service.
That can take many forms and you will blaze your own trails. Indeed, my 17 year old son Richard will be joining you here in the class of 2019 this fall, and I hope he will take up this call to action alongside you.
The problems that we are discussing today are some of the toughest that we face as a nation -- and that makes them the most worth working on.
So I encourage you to use the privilege of being at this extraordinary university to find ways that you can play a part in inventing solutions that make our great country strong and safe.