DOE Announces New Efforts in Energy Sector Cybersecurity

On May 14, 2018, the Department of Energy (DOE) Office of Electricity Delivery & Energy Reliability released its Multiyear Plan for Energy Sector Cybersecurity (“Plan”). The Plan is significantly guided by DOE’s 2006 Roadmap to Secure Control Systems in the Energy Sector and 2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity. Taken together with DOE’s recent announcement creating the new Office of Cybersecurity, Energy Security, and Emergency Response (CESER), DOE is clearly asserting its position as the energy sector’s Congressionally recognized sector-specific agency (SSA) on cybersecurity.

Multiyear Plan for Energy Sector Cybersecurity

Under development over the last year, the Plan aligns with President Trump’s executive order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which calls on government to engage with critical infrastructure owners and operators to identify authorities and capabilities that agencies could employ to support the critical infrastructure cybersecurity. To this end, the Plan lays out DOE’s integrated strategy to reduce cyber risks to the U.S. energy sector. The Plan seeks to leverage strong partnerships with the private sector to strengthen today’s cyber systems and risk management capabilities; and develop innovative solutions for tomorrow’s inherently secure and resilient systems. It identifies three goals to accomplish these priorities. They are:

• Strengthen energy sector cybersecurity preparedness.
• Coordinate incident response and recovery.
• Accelerate game-changing research, development, and demonstration of resilient delivery systems.

Office of Cybersecurity, Energy Security, and Emergency Response

Featured heavily in the Plan is CESER, which was announced by DOE Secretary Perry on February 14, 2018. That announcement stated that CESER would be led by an assistant secretary, which the administration has yet to nominate, and that President Trump’s fiscal year 2019 (FY 19) budget requested $96 million for the new office.

DOE Undersecretary Mark Menezes testified to Congress that “initially, the office will be comprised of the work we currently do” under existing programs. Indeed, DOE’s FY 19 budget request indicates that CESER will be formed from existing reliability programs in the Office of Electricity Delivery & Energy Reliability, which will be renamed the Office of Electricity Delivery (OE). OE will maintain the Transmission Reliability, Resilient Distribution Systems, Energy Storage, and Transmission Permitting and Technical Assistance programs, while CESER will inherit the Cybersecurity for Energy Delivery Systems (CEDS) program, currently led by Deputy Assistant Secretary Henry S. Kenchington, and the Infrastructure Security and Energy Restoration (ISER) program, currently headed by Deputy Assistant Secretary Devon Streit.

CEDS forms the core of DOE’s work on energy sector cybersecurity and aligns with the Plan’s goals of increasing energy cyber preparedness and developing new cybersecurity technologies. Besides conducting cybersecurity research and development, CEDS also oversees DOE’s primary programs for sharing cybersecurity information with the private sector. This includes the Cybersecurity Risk Information Sharing Program (CRISP), which facilitates timely bi-directional sharing of cyber threat information in order to monitor energy sector information technology (IT) networks. At present, 75% of U.S. electric utilities participate in CRISP. CEDS also includes the Cybersecurity for Operational Technology Environment (CYOTE) pilot project, which applies lessons learned from CRISP to monitor operating technology (OT) networks.

According to the budget request, DOE intends to improve both CRISP and CYOTE by integrating utility data into the intelligence community environment to enhance threat information. The request also states that DOE will create a new “Advanced Industrial Control System Analysis Center” within CEDS that will “span the DOE laboratory network and work in collaboration with private sector partners to use the analysis of energy sector supply chain component and model impacts to address system threats and vulnerabilities through technical solutions, share information about findings, and develop mitigation and response solutions.”

ISER provides technical expertise on supporting resiliency of critical infrastructure assets key to energy sector operation and addresses the Plan’s goal of coordinating incident response. ISER’s focus is operational and spans across all hazards facing the energy sector. However, the DOE budget notes that in the next fiscal year, ISER will “build out its effective, timely, and coordinated cyber incident management capability” and “envisions” forming a team of at least six cyber energy responders to support incident response within the energy sector.