Energy’s Heightened Focus on Cyber Operations in FY 2019

In the past, the Department of Energy (DOE) has been cited for numerous cyber weaknesses throughout its enterprise. Nevertheless, the President’s FY 2019 budget is ready to invest in improving the IT security stance of the agency and further protect the electrical grid. The budget states that “cybersecurity is one of the Administration’s top priorities, and the FY 2019 Budget Request provides funding in multiple programs to prevent and address cyberattacks on the energy sector and to secure the DOE enterprise.”  In total, $394.5M is listed in the DOE budget for cybersecurity, an additional $98M over FY 2017 enacted amounts. A majority of those dollars is distributed under the National Nuclear Security Administration (NNSA), Office of the Chief Information Officer (CIO) and Office of Energy.

NNSA

With a total budget of $15B in FY 2019, the NNSA will use a majority of those dollars for weapons activities and to modernize the nuclear security enterprise. However, also within that budget is $185M set-aside especially for cybersecurity purposes. In particular, the agency is ordered to continue the recapitalization of the Enterprise Secure Network, implement the Identity Control and Access Management project at HQ and modernize the federal and site cyber infrastructure. Moreover, NNSA is to use the funds to execute and coordinate Public Key Infrastructure and other Committee on National Security Systems requirements.

OCIO

The OCIO is allotted $92M, a $23M increase from FY 2017. The additional funding is to be particularly used to reduce the agency’s exposure to threat while managing enterprise cybersecurity risks. The CIO will continue to collaborate with Department of Homeland Security (DHS) to improve security protection of information systems and perform continuous diagnostic mitigation throughout the entire department.

Office of Energy/CESR

Most notably, Energy has created the Office of Cybersecurity, Energy Security and Emergency Response (CESR) with an Assistant Secretary that will report to the Under Secretary of Energy. In an agency announcement regarding the new office, DOE states that the organization will “elevate the Department’s focus on energy infrastructure protection to enable more coordinated preparedness and response to natural and man-made threats.”

Within the budget, the CESR account is described as a split from the Electricity Delivery and Energy Reliability (OE) account in order to increase focus on grid and cyber reliabilities. CESR is allotted an estimated $96M in FY 2019, a $17M increase over FY 2017. Breaking that number down even further, $70M will be set-aside for Cybersecurity for Energy Delivery Systems (CEDS), $18M for Infrastructure Security and Energy Restoration, and $7.8M for program activities under CESR.  The funds will primarily support three areas:

• Research and Development (R&D) for cutting-edge technologies that help utilities secure the current energy infrastructure from advanced cyber threats and design next-generation future systems that are built from the start to automatically detect, reject, and withstand cyber incidents.
• Cybersecurity Tools and Development to strengthen the energy sector’s cybersecurity posture through public and private sector partnerships that leverage DOE-supported tools, guidelines, outreach, training, and technical assistance.
• Emergency Preparedness and Response to pursue enhancements to the reliability, survivability, and resiliency of energy infrastructure, and facilitating faster recovery from disruptions to energy supply.

FY 2019 IT Budget

Concurrently, DOE’s emphasis in cyber is also revealed in the agency’s latest IT budget. In fact, the largest increases in FY 2019 IT investments occur within various cyber programs. Of the 21 line items within the IT budget labeled as some form of IT security, 10 programs saw increases from FY 2017 while 9 stayed the same and 2 saw decreases of about $1M or less. The top five security investments with increases in FY 2019 include:

• NNSA OCIO Cyber Security Program: $149.2M (+$26.3M)
• IM IT Security and Compliance: $54.1M (+$21.3M)
• EM HQ IT Security and Compliance Cyber Security Roll Up: $46.8M (+$13.5)
• SC Office of Science IT Security and Compliance: $38.2M (+$3.3M)
• IM-30 Integrated Joint Cybersecurity Coordination Center (iJC3): $32.3M (+$3.3M)

Implications

The boost in IT security funds will help Energy continue to utilize the private sector to prepare and mitigate security weaknesses to reduce the agency’s impact from cyber threats. Moreover, the agency will need help in aligning preparedness, planning and response capabilities across state, local, tribal, territorial and federal entities to improve the reliability of the nation’s energy infrastructure. Finally, the agency will need to leverage partnerships with its national labs to continue driving next generation cyber technologies for the energy sector.