Security and Resilience (Cyber and Physical)

Government, Power Sector Have Made Major Strides Tied To Infrastructure Cybersecurity Initiative

Key federal government agencies and the electricity industry have made significant strides in support of White House goals aimed at boosting the cybersecurity of critical infrastructure in the U.S., the Department of Energy (DOE) recently reported.

In April 2021, the Biden Administration launched an Industrial Control Systems (ICS) Cybersecurity Initiative to meet its goal of strengthening the cybersecurity of the critical infrastructure across the country.

The initiative was kicked off with a 100-day action plan for the U.S. electricity subsector led by the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) in close coordination with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Electricity Subsector Coordinating Council (ESCC).

On July 28, 2021, President Biden further emphasized the importance of this initiative and broader cybersecurity efforts through his National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.

The electricity subsector action plan is the first in a series of sector-by-sector efforts to protect the country’s critical infrastructure from cyber threats and leverages the important public-private partnerships established by Sector Risk Management Agencies, such as DOE for the energy sector, and CISA, DOE said.

Since the launch, CESER, CISA, and the electricity industry have made significant strides in support of the initiative, DOE said.

At least 150 electric utilities have adopted or committed to adopting technologies to further improve the security of the operational technologies (OT) and ICS that manage the nation’s electric systems, by enhancing the visibility, detection, and monitoring of these critical networks. The American Public Power Association (APPA) continues to reach out to members regarding participation in the initiative.   

DOE said that in furtherance of the initiative, control system cybersecurity experts at CESER, CISA, and the National Security Agency’s Cyber Directorate developed a set of ICS monitoring technology evaluation considerations for reference by the electricity subsector. These evaluation considerations, as recently updated, can be found here.

In addition to accelerating the deployment of OT/ICS cyber monitoring technologies, the initiative has also sparked a range of activities in the electricity subsector like incentivizing cybersecurity investments and discussing the value of cyber insurance, according to DOE.

DOE said that it is committed to continue working with the ESCC in support of this initiative and broader cybersecurity efforts.

DOE is also providing technical and analytical support to some of the smaller utilities in the U.S., municipal and rural cooperative electric utilities, through collaborations with APPA and the National Rural Electric Cooperative Association. “These collaborations will provide financial support to ensure that those utilities can deploy OT/ICS monitoring capabilities, perform risk assessments and architectural reviews, and provide training to utility workers using the technologies,” DOE said.

Meanwhile, DOE also recently issued an updated version of the Cybersecurity Capability Maturity Model (C2M2) to help utilities assess and improve the cybersecurity of their information and operational technology systems. DOE is encouraging all electric utilities to leverage C2M2 to assess the cybersecurity posture of their organizations to help make informed cybersecurity investment decisions.