by Jingnan Huo
WASHINGTON — The Energy Department must give companies adequate security clearances so they can provide information about cyberattacks as well as get data on what the government and other companies know about combatting attacks, top energy company executives told a Senate committee Tuesday.
“Despite my experience in the military, in the congressional intelligence agencies, and currently holding a security clearance, I have not been able to get a (Department of Energy) security clearance,” said Dave McCurdy, president and CEO of the American Gas Association, which represents about 200 companies that deliver natural gas to consumers.
The energy industry shares information about cyberthreats and attacks with the government through the Department of Energy’s Cybersecurity Risk Information Sharing Program. The industry also addresses cyberthreats through the Electricity Subsector Coordinating Council, the Energy Sector Oil and Gas Subsector Coordinating Council and a cyber mutual assistance program in which 93 utility providers provide mutual support in the wake of a cyberattack.
And while the Energy Department is the lead agency in dealing with energy sector cyberattacks, McCurdy and other industry leaders said there are too many hurdles to getting the security clearances needed to fully share information.
Gerry Cauley, CEO of the North American Electric Reliability Corporation, told the Senate Energy and Natural Resources Committee that he couldn’t gain access to the very information his organization handed to government agencies a few days before.
“There can be no partnership without access,” Col. Gent Welsh, commander of the Washington National Guard, testified at the hearing. The Washington National Guard has participated in mock cyberattack exercises in the state.
In an interview after the hearing, Welsh said security clearances are only granted by the federal government, and states need to nominate more energy sector officials to receive these clearances.
He and the industry executives said trust between the companies and the government that information can be shared without repercussions is essential.
“Companies have to be reassured that when they share information with the government, there won’t be vulnerabilities on our side, and that the government won’t use this information to penalize them,” Welsh said.
Arkansas Electric Cooperative Corporation CEO Duane D. Highley said energy companies deal with cyberattacks on a daily basis despite the U.S. record of having had no massive energy delivery system attacks.
“The threat is very real,” Cauley said.
The Energy Department official, Patricia Hoffman, acting assistant secretary of the DoE’s Office of Electricity Delivery and Energy Reliability, was not asked about the security clearance issue.