Cybersecurity (2020 Transition)
Book 2 - Issue Papers
Entire 2020 DOE Transition book, as of October 2020
The Department of Energy (DOE) has statutory, sector-specific, scientific, and national security missions that contribute to advancing our Nation’s cybersecurity. DOE is responsible for its own enterprise cybersecurity as well as supporting the sector’s efforts to strengthen cybersecurity.
Cyber Threat
Cyber threats to the energy sector are growing in number and sophistication. The Intelligence Community’s 2019 Worldwide Threat Assessment stated: “China, Russia, Iran, and North Korea increasingly use cyber operations to threaten both minds and machines in an expanding number of ways—to steal information, to influence our citizens, or to disrupt critical infrastructure. China has the ability to launch cyber-attacks that cause localized, temporary disruptive effects on critical infrastructure—such as disruption of a natural gas pipeline for days to weeks—in the United States. Russia has the ability to execute cyber-attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure—such as disrupting an electrical distribution network for at least a few hours—similar to those demonstrated in Ukraine in 2015 and 2016. Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.”
In recognition of the emerging cyber threat from China, Russia, Iran and North Korea, and the increasing importance of cybersecurity for the energy sector, DOE created the Office of Cybersecurity, Energy Security and Emergency Response (CESER) in 2018. The creation of CESER fulfilled a dual purpose: to work with industry to increase cybersecurity protections across multiple energy subsectors and interdependent sectors of critical infrastructure, and to coordinate the cybersecurity mission among multiple stakeholders within the department. DOE’s enterprise-wide approach to cybersecurity is guided by the 2018-2020 DOE Cyber Strategy and corresponding implementation plan. DOE is the only statutorily-defined sector-specific agency for cybersecurity and the Secretary has authority to issue an order to protect or restore the reliability of critical electric infrastructure or of defense critical electric infrastructure during an attack on the grid.
Energy Sector Cybersecurity
As the sector-specific agency for the energy sector, CESER leverages deep technical expertise in its work with industry – which owns and operates 80 percent of the Nation’s power infrastructure – to counter cyber threats to critical energy infrastructure. DOE also is an owner and operator of critical energy infrastructure and manages cyber threats that affect the transmission and marketing of Federal hydropower by our four Power Marketing Administrations. Additionally, CESER directly invests in collaborative cybersecurity research and development projects with industry, universities, and DOE’s Labs to support energy systems cybersecurity for control systems and operational technology. CESER hosts and supports numerous cyber exercises involving multiple energy sector stakeholders, as well as several innovative assessment programs that evaluate cyber risk and maturity and test whole-of-Nation responses to cyber incidents.
Issue(s)
Cybersecurity Mission Growth
In August, CESER completed a new plan to strategically evolve the cybersecurity mission at DOE, to include building new capabilities to perform cyber discovery and pursuit functions; cyber threat intelligence sharing and situational awareness; cyber modeling and simulation; and fostering cyber protections for emerging technologies in energy sector systems. All of these functions will be undertaken in collaboration with the DOE Offices of Electricity, Chief Information Officer, and Intelligence and Counterintelligence, in support of DOE-operated utilities such as the Power Management Authorities, and in partnership with external stakeholders in industry and all levels of government.
New Cybersecurity Engagement with Industry
Pursuant to direction in Section 5726 of the FY2020 National Defense Authorization Act, CESER launched a 2-year pilot Securing Energy Infrastructure Executive Task Force (SEIETF) to partner with digital component manufacturers and asset owners to address cybersecurity in sector supply chains. The SEIETF convenes a broad set of stakeholders from across government, industry, academia, and the DOE Labs to:
- evaluate technology and standards to isolate and defend critical industrial control systems (ICS) from cybersecurity vulnerabilities and exploits;
- develop a national cyber-informed engineering strategy to isolate and defend critical ICS from cybersecurity vulnerabilities and exploits; and
- identify new classes of security vulnerabilities of critical ICS.
Supply Chain Risk Management
CESER manages DOE’s premier cyber vulnerability testing program for industrial control system (ICS) digital components: the Cyber Testing for Resilient ICS (CyTRICS) program. CyTRICS partners across stakeholders to identify high-priority operational technology (OT) components, perform expert testing, share information about vulnerabilities in the digital supply chain, and inform improvements in component design and manufacturing. The program leverages best-in-class test facilities and analytic capabilities at four DOE Labs and strategic partnerships with key stakeholders including technology developers; manufacturers; asset owners and operators; and interagency partners.
Energy Sector Pathfinder Program
The Energy Sector Pathfinder is led by DOE and the Department of Homeland Security (DHS) and is supported by the Department of Defense (DoD) and FBI. The overall purpose of the Pathfinder is to coordinate among government and critical industry partners in the energy sector to pilot cybersecurity projects, collect best practices and lessons learned, and identify opportunities for scaling up findings.
Federal partners signed an MOU launching the program in February 2020. Pursuant to the MOU, the Pathfinder focuses on three core objectives:
- Advance Threat-Information Sharing and Analysis;
- Improve Energy Sector-Specific Knowledge Within the U.S. Government; and
- Develop Joint Operational Preparedness and Response Procedures.
Cyber Threat Information Sharing
The energy sector has housed the premier cyber threat intelligence platform for over a decade. This program, known as the Cybersecurity Risk Information Sharing Program (CRISP), is a public-private partnership, co-funded by DOE and industry and managed by the Electricity Information Sharing and Analysis Center (E-ISAC). CRISP collaborates with energy sector partners to facilitate the timely bi-directional sharing of unclassified and classified threat information and to develop situational awareness tools that enhance the sector’s ability to identify, prioritize, and coordinate the protection of critical infrastructure and key resources. CRISP leverages advanced sensors and threat analysis techniques developed by DOE along with DOE’s expertise as part of the nation’s Intelligence Community to better inform the energy sector of the high-level cyber risks. Current CRISP participants provide power to over 75 percent of the total number of continental U.S. electricity subsector customers.
Status
Cybersecurity Mission Growth
CESER’s plan is reflected in DOE’s FY2022 budget request. Internally, the implementation of new cybersecurity functions began ramping up at the beginning of FY2021. Cybersecurity will feature prominently in the new DOE Integrated Security Center (DISC) located in Denver. DISC will, among other functions, provide secure space for a team of cybersecurity analysts to develop and provide critical information to the sector and to coordinate with DOE’s Office of Intelligence and Counterintelligence. Initial cybersecurity personnel are targeted for onboarding in Denver in the 3rd Quarter of FY2021.
New Cybersecurity Engagement with Industry
The SEIETF launched in October 2020 and is chartered as a three-tiered structure that includes senior technology policy leaders, senior technical leaders, and joint project teams comprised of technical experts. The SEIETF will deliver an interim report to Congress in mid-December and a final progress report in mid-June 2021, and is scheduled to complete the three deliverables noted above in June 2022.
Supply Chain Risk Management
CyTRICS completed proof-of-concept testing in 2018 and developed multi-Lab program processes in 2019. During FY2020, CESER began signing agreements with major manufacturers and asset owners to provide digital components for testing. CyTRICS will complete a full pilot test of program processes in the fall of 2020. Concurrent with pilot testing, CESER is gathering input from industry stakeholders on key CyTRICS processes including test operations, reporting formats, design requirements for the results repository, advanced analytics, and a coordinated vulnerability disclosure process. Through the program pilot and industry input, CESER will refine and finalize CyTRICS program processes and move to initial operating capability in early 2021.
CyTRICS cyber vulnerability testing will support testing needs under the Bulk Power Executive Order (E.O. 13920), as well as testing needs for other energy subsectors including oil and natural gas, renewables, and hydroelectrics. CyTRICS will leverage the new Securing Energy Infrastructure Executive Task Force for technical feedback on the program, and will brief findings to CESER’s existing sector engagement forums to ensure transparency and coordination with industry partners.
Energy Sector Pathfinder Program
Initial work to identify and coordinate existing federal stakeholder cyber activities in the energy sector was completed in FY2020. Proposals for new pilot projects will be submitted for federal leadership consensus in the first quarter of FY2021, and will be subsequently presented to critical energy sector companies for participation. New pilots are anticipated to begin in the 3rd quarter of FY2021.
Cyber Threat Information Sharing
CRISP is extending its footprint of participants to include utilities that support Defense Critical Energy Infrastructure facilities. The “+ 30 Initiative” provides funding for critical electric sector companies to participate for a period of three years, working together with the E-ISAC and Pacific Northwest National Laboratory. Additionally, CRISP is launching pilot efforts in FY2021 to extend participation to select entities in the oil and natural gas sector, and to collect and integrate operational technology data into its current information technology data holdings.
References
DOE. (2021). Transitions 2020: Issue Papers. US Department of Energy.