DOE releases multiyear plan for energy sector cybersecurity

The Department of Energy has released a multiyear plan for energy sector cybersecurity aimed at improving the cybersecurity and resilience of the country’s energy system. The plan includes several goals and objectives that the DOE’s Office of Electricity Delivery and Energy Reliability will pursue over the next five years to bolster cybersecurity efforts.

The DOE said that the plan, which was released on May 14, lays out an integrated strategy to reduce cyber risks in the U.S. energy sector by pursuing high-priority activities that are coordinated with other DOE offices, and with the strategies, plans, and activities of the federal government and the energy sector.

“Anticipating and reacting to the latest cyber threat is a ceaseless endeavor that requires ever more resources and manpower,” the DOE said in the plan. “This approach to cybersecurity is not efficient, effective, nor sustainable in light of escalating cyber threat capabilities. We must recognize today’s realities: resources are limited, and cyber threats continue to outpace our best defenses. To gain the upper hand, we need to pursue disruptive changes in cyber risk management practices.”

The DOE said that its cyber strategy is two-fold. First, “strengthen today’s energy delivery systems by working with our partners to address growing threats,” and second, promote continuous improvement, and “develop game-changing solutions that will create inherently secure, resilient, and self-defending energy systems for tomorrow.”

The DOE also said that meaningful public-private partnership is foundational to its strategy.

According to the federal agency, the plan is guided by the energy sector vision contained in the 2011 “Roadmap to Achieve Energy Delivery Systems Cybersecurity.” The new plan complements the Roadmap “by articulating DOE's distinct role and actions to enhance energy sector cybersecurity, working in partnership with the sector.”

The DOE noted that it will implement the plan in coordination with other federal agencies, state and local governments, and the private sector.

Goals and objectives

The plan lists the following three goals: (1) strengthen energy sector cybersecurity preparedness; (2) coordinate cyber incident response and recovery; and (3) accelerate “game-changing” research, development and demonstration (RD&D) of resilient energy delivery systems.

Within each goal are related objectives. For example, for the goal of strengthening energy sector cybersecurity preparedness, the DOE plan lists an objective of developing and improving tools for bi-directional, real-time, machine-to-machine information sharing.

In relation to this objective, the plan notes that the Cybersecurity Risk Information Sharing Program, or CRISP, provides energy sector owners and operators with a capability to voluntarily share cyber threat data in near real-time, analyze this data using U.S. intelligence, and receive machine-to-machine threat alerts and mitigation measures.

CRISP helps companies identify malicious traffic within their IT systems by analyzing the data streams and enhancing the analysis with classified DOE intelligence and cyber tools.

CRISP delivers cyber alerts and mitigations directly to affected companies and broadly to the energy sector. The voluntary program is now managed by the Electricity Information Sharing and Analysis Center (E-ISAC), with the goal of creating a sustainable program, owned and operated by the private sector, that enables near real-time data sharing and analysis. The plan notes that CRISP’s 26 participating utilities account for 75% of U.S. electricity customers.

“The American Public Power Association has encouraged members over the years to participate in the E-ISAC and utilities will benefit from the enhanced analysis through unclassified alerts through the E-ISAC portal,” said Nathan Mitchell, Senior Director of Cyber and Physical Security Services at the Association.

The DOE multiyear plan includes activities to expand energy sector participation in CRISP and advance CRISP analysis capabilities through the Office of Electricity Delivery and Energy Reliability’s Cyber Analytics Tools and Techniques project. The plan also seeks to expand CRISP capabilities to analyze and share threat indicators in operational technology systems.

Another objective listed under this goal is strengthening sector risk management capabilities through the development of tools, guidelines, outreach, training and technical assistance.

Under this objective, the plan calls for working with electric cooperatives and public power utilities to foster a culture of security and facilitate assessments. The DOE will work with cooperatives and public power utilities to evaluate emerging cybersecurity tools and cyber risk information sharing platforms, and develop case studies, reports, and briefs on the devices, tactics, and techniques best suited for different utility business models.

The Association has partnered with the DOE to develop the resources to foster a culture of security at public power utilities. The cooperative agreement between the Association and the DOE has provided needed funding to develop programs best suited for the needs of public power utilities, Mitchell noted. 

One of the objectives listed for the second goal (coordinate cyber incident response and recovery) is the establishment of a coordinated national cyber incident response capability for the energy sector.

The plan notes that the Office of Electricity Delivery and Energy Reliability is working with the DOE’s national laboratories “to develop an integrated mix of specialized cyber resources and capabilities that can be deployed during a cyber incident to help energy companies identify and respond to a cyberattack.”

Each lab is expanding technical capabilities in specific topic areas to build an integrated Energy Cyber Resource Partnership. “This partnership’s robust incident response capability will support DOE’s mandate to provide cyber-specific technical expertise and assistance to support energy sector response during a cyber incident and restore or maintain critical functions,” the plan said.

The objective for the third goal is to research, develop, and demonstrate game-changing cybersecurity tools and technologies.

With respect to this objective, the DOE said that ABB is leading a research partnership to enable high-voltage DC systems to detect and automatically reject commands that could destabilize the grid if implemented.

“Using the physics of the grid, the capability will anticipate how the grid would react to a received command — rejecting commands that would jeopardize grid stability while executing legitimate commands in time.”

The project builds on a prior Office of Electricity Delivery and Energy Reliability RD&D project, which successfully demonstrated the capability in transmission-level AC systems. According to the plan, this technology allows the grid to continue functioning during a cyberattack and prevent or limit energy disruption.

The plan is available here.