DOE’s Two-Pronged Approach to Cyber Protection: Strength and Innovation

The Department of Energy’s Office of Electricity Delivery and Energy Reliability (OE) recently released the DOE Multiyear Plan for Energy Sector Cybersecurity in order to reduce cyber risks to the U.S. energy sector and boost the department’s cyber capabilities against attack. The plan describes how cyber attacks have turned from being exploiting to disruptive and destructing. Nation-states and criminals are now targeting energy systems for large-scale, long-term energy disruptions that could have impacts to the country’s national and economic security.  With the integration of advanced technologies and automation on the electric grid, the larger platform paves the way for new and larger cyber threats.

In response, the plan introduces Energy’s two-pronged strategy to dealing with the latest cyber threats: “strengthen today’s energy delivery systems by working with our partners to address growing threats and promote continuous improvement, and develop game-changing solutions that will create inherently secure, resilient, and self-defending energy systems for tomorrow.”

To achieve this, the strategy lists three DOE priorities in the cyber world, each with a respective set of objectives:

1. Strengthen Energy Sector Cybersecurity Preparedness
   1. Enhance information sharing and situational awareness capabilities
   2. Develop and improve tools for bi-directional, real-time, machine-to-machine information sharing
   3. Strengthen sector risk management capabilities
   4. Reduce critical cybersecurity supply chain vulnerabilities and risks
2. Coordinate Cyber Incident Response and Recovery
   1. Establish a coordinated national cyber incident response capability for the energy sector
   2. Conduct cyber incident response training and improve incident reporting
   3. Exercise cybersecurity incident response processes and protocols
3. Accelerate Game-Changing RD&D of Resilient EDS
   1. Research, develop, and demonstrate innovative tools and technologies to prevent, detect, and mitigate
   2. Research, develop, and demonstrate game-changing cybersecurity tools and technologies
   3. Build strategic core capabilities

The plan goes into great detail for each priority and objective, including the importance and use of public-private partnerships. Specifically, in the department’s search for new and effective cyber technologies, industry partners must keep the following in mind when working with energy security space:

1. New solutions must support the business case that are cost effective and reliable in making energy delivery systems easier to operate.
2. Tools and technologies must not impede on energy delivery functions and must operate to the real-time and continuous processes of energy delivery control systems.
3. Cyber solutions must integrate with a diverse set of legacy and modern devices, a mix of vendors and devices with difference levels of computation and communication.
4. Solutions from vendors and third-party providers must interoperate
5. Secure devices sourced from a global supply chain
6. Design systems with built-in cyber resilience to anticipate security in the future grid.

Outside of the plan, Energy has taken recent steps to zero in on its cyber efforts. Within the FY 2019 budget, DOE introduces a new office called the Office of Cybersecurity, Energy Security and Emergency Response (CESER) with a $96M budget to specifically focus on the electric grid’s security readiness and reliability. Moreover, the agency is requesting more investment into its cyber programs with over $73M in program increases, according to the DOE FY 2019 IT budget.