Enterprise Cybersecurity (2020 DOEl transition)

The Department of Energy networks are targets of multiple nation states and other malicious actors. DOE Office of the Chief Information Officer (OCIO) coordinates and synchronizes cybersecurity functions across the full spectrum of DOE mission and operations. The Department also has a sector specific cybersecurity responsibility that is carried out by the Office of Cybersecurity, Energy Security, and Energy Resilience (CESER).

Summary

Protecting the information assets of the Department of Energy (DOE) is of vital importance to financial and national security posture. Due to the high concentration of advanced research, the responsibility for the transmission of 11% of the electricity for the United States, and the national security missions of the Department, DOE is constantly targeted by sophisticated nation- state adversaries. Additionally, DOE has statutory, sector-specific cybersecurity responsibility for the Energy Sector. This document is focused on the Chief Information Officer’s (CIO) functions. CESER prepared a separate paper on DOE sector-specific cyber programs.

DOE is a complex agency both in the scope of its mission space and its unique organizational structure. DOE encompasses 17 National Laboratories and approximately 100 field installations across the country. The mission of the Department spans from open, collaborative research to maintaining the Nation’s nuclear stockpile. Given this extreme divergence in mission focus areas, cybersecurity postures and approaches are carefully tailored to provide appropriate risk management for each installation. The organizational structure of the Department adds to this complexity. Cybersecurity funding and authority is divided between the CIO and the program offices. The CIO is responsible for developing policy, performing oversight, and providing an enterprise wide incident response and coordination capability. Program offices such as Science (SC), Environmental Management (EM), and the National Nuclear Security Administration (NNSA) directly fund the cybersecurity programs for their field elements at the National Laboratories, Power Marketing Authorities (PMAs), sites, and plants. In short, the CIO coordinates and oversees cybersecurity activities for the Department, and the program offices fund and execute DOE cybersecurity policies.

Creating policy and direction for such a large and diverse agency is extremely challenging. To ensure appropriate guidance on cybersecurity is promulgated, OCIO employs an open and collaborative development process for directives. This process is designed to capture and incorporate requirements from the multiple mission areas and provide appropriately tailored guidance for the complex.

The cybersecurity program of the Department has existed for over twenty years, but it has been primarily focused on protecting traditional information technology (IT). In FY 2020, the Department has increased its focus on cybersecurity risks associated with DOE’s industrial control systems. These control systems are used to operate our advanced scientific tools, the electric grid in the PMAs, and in manufacturing and other plant facilities across the Department. The OCIO is coordinating the tailoring of policies to specifically address the cyber risk for control systems and is developing Department-wide capabilities to provide cyber monitoring, incident response, and education opportunities for protecting the DOE’s critical infrastructure.

Issue(s)

Topic 1

Currently, enterprise visibility into the status of cybersecurity networks across DOE is an issue. Each site has insight into their environments, but the OCIO continues to deploy solutions that will roll this site-specific visibility up to an enterprise level.

Topic 2

The Department needs to update our cybersecurity strategy and policies. This includes updating the creating a strategy for protecting control systems, and developing a enterprise policy for the various national security systems at DOE.

Topic 3

DOE faces challenges in workforce recruitment and retention as we work to attract cyber professionals with the right training and experience. Workforce modeling in both the public and private sector predicts there will be a significant gap between the required number of cybersecurity professionals and the pool of available qualified candidates.

Topic 4

Supply Chain Risk Management (SCRM) is critical to ensuring IT products and services are secure for achieving mission outcomes by highlighting the risks of potentially malicious functionalities, counterfeits, and vulnerable products due to poor manufacturing and development practices. The DOE SCRM program supports compliance with the

Federal Acquisition Supply Chain Security Act, North American Electric Reliability Corporation (NERC), and Critical Infrastructure Protection (CIP) requirements. Quantitative Risk Management (QRM) training and guidance helps cybersecurity SMEs express risk in terms of probability and cost to more effectively communicate with executives and budget planners. QRM is meant to supplement rather than replace existing qualitative approaches.

Status

Topic 1

In FY 2020, deployed Big Data Platform (BDP) as a central cloud-based repository for consolidating cybersecurity sensor data for cyber operations and analytics. In addition, the capability can be leveraged by other programs for their research if they have an approved plan.

Continuing to deploy cybersecurity sensors as part of the federal Continuous Diagnostics and Mitigation (CDM) program. Department of Homeland Security (DHS) funding for expanding the licensing and integration of cybersecurity sensors was diverted to support a major shift to remote work in FY 2020. DOE anticipates continuing the deployment when DHS restores funding in FY 2021.

Topic 2

• The Department is updating DOE Order 205.1C to address new threats. This process will take a year, and the process will include input from our Management and Operating (M&O) community, program offices, and other stakeholders.
• At the end of FY 2020, the Control Systems Working Group (CSWG) was established to coordinate across programs to develop a strategy that includes asset inventory; vulnerability management and assessment; instrumentation; configuration; and alignment with ongoing processes and systems. This effort is not currently funded.
• In FY 2021, DOE is developing a new policy to address national security systems at DOE. This effort is being led by the OCIO. The operators of these systems, NNSA and the Office of Intelligence (IN), will be critical partners in this process.

Topic 3

• The Department is leveraging both Cybersecurity and Science, Technology, Engineering, and Mathematics (STEM) direct hire authorities and internship programs.
• The Department is working in interagency forums to explore cybersecurity reskilling programs and expanding cybersecurity workforce initiatives to incorporate recruitment and retention incentive programs.
• National Labs face this same issue, but have more flexibility to address the problem. Because they are not limited to the same processes and compensation structure as the federal government, they can employ a number of site specific incentive programs to help attract the best available talent.

Topic 4

• Enterprise SCRM program achieved full operational capability in FY 2020 to evaluate potential exposure based on five risk lenses: Cybersecurity, Foreign Interest, Geo-Political, Compliance, and Financial. To date, the program has more than 90 active users, and has completed over 400 assessments. CESER and IN have additional programs in development related to testing individual IT components, which will further DOE’s understanding of supply chain risk.
• Factor Analysis of Information Risk (FAIR) methodology has been integrated into the DOE Enterprise Cybersecurity Risk Management methodology. We will continue to offer training and assistance in conducting risk analysis in scenarios such as investment tradeoffs and modernization efforts.

Milestone(s)

Update DOE Cybersecurity Strategy by 2nd QTR FY 2021.

Deploy the full-scale Vulnerability Disclosure Program by FY 2022.

Major Decision/Events

DOE CyberFire and International Hackathon scheduled for FY 2021. The biannual training and hackathon allows DOE to develop technical workforce skills and partner with key international, federal, and industry partners.