DOE Security Compromised 150+ Times between 2010 and 2014

Published: September 09, 2015


Over the course of a 48-month period ending last fall, the Department of Energy (DOE) and its components reported over 1,000 breach attempts on information systems that handle and store sensitive data related to the power grid, nuclear weapons stockpile, and energy labs. In the midst of the ongoing barrage, DOE is looking to take on stewardship of data from industry to enable benchmarking for critical infrastructure protection.

USA Today recently reported that the DOE was subject to a total of 1,131 cyberattacks during a period that ran from 2010 until October 2014. Of those attempted cyber intrusions, 14% were successful. A few other points worth noting:

  • 59% of the successful attacks targeted the DOE’s Office of Science, which manages research along with 10 of the federal laboratories.
  • 12% of those successful attempts were directed at the National Nuclear Security Administration (NNSA).
  • One third of the intrusions were Root Compromises.

According to DOE spokesman Andrew Gumbiner, "DOE does not comment on ongoing investigations or possible attributions of malicious activity." While the details of these incidents may go without comment, concerns related to critical infrastructure protection and government information security continue to fuel demand for scrutiny and oversight. Prompted in part by reports earlier this year that part of the nation’s power grid is subject to a cyber or physical attack about once every four days, the House Committee on Science, Space and Technology is scheduled to hold a joint hearing in mid-September 2015 to examine the vulnerabilities of the national electric grid more closely.

One organization that’s likely to be drawn into the discussion is the DOE’s Office of Electricity Delivery and Energy Reliability (OE), which facilitates public-private partnerships to accelerate cybersecurity advances for the nation’s power grid. In February 2014, OE published the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2), and Cybersecurity Capability Maturity Model (C2M2). Developed through collaboration between private- and public-sector experts, the guidance provided by these models is intended to support energy suppliers and grid operators in assessing their cybersecurity capabilities and prioritizing activities and investments to improve information security.

OE’s other responsibilities include development of security standards, threat information sharing, improving risk management strategies and supporting decision making, and supporting sector incident response and management. While OE extends support across the energy sector, it also receives support through working closely with the Department of Homeland Security and other government agencies as well as collaborating (and contracting) with industry. For example, in September 2014, DOE awarded a contract to Norse Corporation with a ceiling value of $1.9 million to support OE’s Cybersecurity Risk Information Sharing Program (CRISP). To date, reported spending on the contract amounts to $944,000 (about 50% of the contract’s estimated ceiling value).

Due to the sensitive nature of energy sector security, it’s not that surprising that there’s a gap around the Of particular relevance for the upcoming hearing on sector vulnerabilities and the OE’s information sharing efforts, developments are planned that will enable security benchmarking. In July 2014, OE issued a sources sought notice for a web portal and data analytics that would support the C2M2 (GovWin Opportunity ID: 116424). The anticipated work would include:

  • C2M2 Web Portal Development Plan
  • Data Privacy Safeguard and Security Plan
  • C2M2 Toolkit Upgrade
  • C2M2 Database and Data Analytics Development
  • Cybersecurity Capabilities Catalogue and Data Analytics Development:
  • Web Portal Development and Management
  • Data Analytics Services and Support
  • Incorporation of Energy Information Administration (EIA) Data
  • Incorporation of Information Related to Other Cybersecurity for Energy Delivery Systems Technology and Operations (CEDS OPS) Program Areas

While no request for proposals (RFP) has been issued yet, there remains a requirement for a way to harness the information collected through individual security assessments across the energy sector. With increased awareness of federal information system vulnerabilities and concerns about critical infrastructure protection, approaches to the data privacy safeguards and security plan will be a potential way for bidders to differentiate their offerings. Interested vendors should watch for an RFP in early FY 2016.