The U.S. Department of Energy this week announced its strategy to reduce cyber risks in the energy sector and outlined its goals, objectives and activities for the next five years.
With the energy sector increasingly targeted by threat actors, the Energy Department is concerned that attackers may be able to cause a large and prolonged energy disruption. In an effort to improve the cybersecurity and resilience of energy services, the agency has created the DOE Multiyear Plan for Energy Sector Cybersecurity, which is meant to provide a foundation for the recently launched Office of Cybersecurity, Energy Security, and Emergency Response (CESER).
The plan focuses on three main goals: strengthening cybersecurity preparedness, coordinating incident response and recovery, and accelerating research, development and demonstration (RD&D) for resilient energy delivery systems (EDS).
When it comes to strengthening preparedness, the DOE’s objectives include enhancing information sharing and situational awareness capabilities, strengthening risk management capabilities, reducing supply chain vulnerabilities, and developing and improving information sharing tools. This last objective includes the development of a virtual crowdsourced malware forensic analysis platform.
As for incident response and recovery, the Energy Department wants to establish a coordinated national incident response capability, conduct training for emergency responders and improve the incident reporting process, and conduct exercises.
The DOE’s third goal is to accelerate “game-changing RD&D” of resilient EDS, including for detecting, preventing and mitigating cyber incidents. The organization also wants tools and technologies that can anticipate future attack scenarios, and the development of systems and components that are cybersecurity-aware and capable of automatically handling cyberattacks.
“The DOE will be updating the Cybersecurity Capability Maturity Model (C2M2). The market has changed since it was published in February 2014,” commented Michael Magrath, director of global regulations & standards at VASCO Data Security. “We anticipate DOE will incorporate NIST’s Digital Identity Guidelines (SP 800-63-3), refreshed in 2017 and advance risk-based, biometric adaptive authentication technologies to protect the nation’s energy sector.”
“We welcome the DOE raising awareness around critical threats to the energy sector and laying out a strategy,” said Ray DeMeo, COO at Virsec. “While the strategy pillars are sound, making them actionable will be challenging – largely in view of the inertia behind legacy systems. It’s critical that we invest with speed and agility, and the roadmap’s goal to accelerate game-changing RD&D of resilient systems stands out. The administration’s funding request for $96 million is hopefully just a down payment, because protecting our infrastructure adequately will cost billions.”