Energy Department Outlines Cyber Procurement for Critical Infrastructure

Published: April 30, 2014

Tags: Critical Infrastructure Protection, Cybersecurity, DOE

In 2013, the President issued an executive order to improve critical infrastructure, which calls for a voluntary framework to be established to support organizations' risk management. The National Institute of Standards and Technology (NIST) released the resulting cybersecurity framework in mid-February 2014. Building on NIST's Framework for Improving Critical Infrastructure Cybersecurity, the Department of Energy (DOE) has published baseline principles for improving cybersecurity procurement for energy delivery systems.

On April 28, 2014, the Energy Sector Control Systems Working Group (ESCWG) released Cybersecurity Procurement Language for Energy Delivery Systems. The document outlines procurement language for cybersecurity areas common to the energy industry, such as software and session management.

This baseline cybersecurity procurement language covers individual energy delivery systems, individual components of such systems, as well as assembled or networked energy delivery systems. Individual components of energy delivery systems may be programmable logic controllers, digital relays, or remote terminal units. Examples of individual energy delivery systems include a Supervisory Control and Data Acquisition (SCADA) system, Energy Management Systems (EMS), or Distribution Control Systems (DCS). Electrical substations or natural gas pumping stations would be considered assembled or networked energy delivery systems.

Many types of products are procured as part of an energy delivery system. The ESCWG provides general language for cybersecurity procurement across ten categories:

  • Software and services
  • Access Control
  • Account management
  • Session management
  • Authentication/password policy and management
  • Logging and auditing
  • Communication restrictions
  • Malware detection and protection
  • Heartbeat signals
  • Reliability and adherence to standards

In addition to the types of products involved, the guidelines consider suppliers' life cycle security programs. As in other security areas, a vendor's internal security capabilities help or hinder the trust it garners from government and industry customers. The DOE's guidance explores product lifecycle security through half a dozen different areas:

  • Secure development practices
  • Documentation and tracking of vulnerabilities
  • Problem reporting
  • Patch management and updates
  • Supplier personnel management
  • Secure hardware and software delivery

While this document outlines a baseline, suppliers may of course build upon this language when proposing products and services in response to a request for proposal (RFP) or a request for information (RFI). In fact, a section on adding procurement language notes that the baseline language "is not intended to be all-inclusive." Both suppliers and acquirers are directed to resources from other entities (e.g. NIST, NERC, DHS, SANS) for specific language or mandatory compliance standards. These procurement guidelines add to the existing toolkit for critical infrastructure protection and help to implement the framework and standards from previous government-industry collaborations.