The US Department of Energy released its Multi-Year Plan for Energy Sector Cybersecurity to help make US energy systems more resilient and secure. The plan includes:
- boosting threat-sharing with the private sector, including a malicious code repository and exchange
- curbing supply-chain risk, and
- accelerating research and development to make energy systems more resilient to hacking.
Also, the plan serves as a roadmap for the new Office of Cybersecurity, Energy Security, and Emergency Response (CESER), for which The Administration has requested $96 million in the 2019 US Federal budget. In response, a Corero Network Security expert commented below
Andrew Lloyd, President at Corero Network Security:
“This Cybersecurity Plan from the US DOE is far more radical than anything that’s been published so far in the UK/EU to enforce the NIS Directive, and constitutes key aspects of a superb roadmap for the relatively new Office of Cybersecurity, Energy Security, and Emergency Response (CESER). The DoE states their “Goal 3: Accelerate Game-Changing RD&D of Resilient EDS” and the Plan’s framers say they intend to “anticipate future energy sector attack scenarios and design cybersecurity into emerging energy delivery system devices from the start; and make future systems and components cybersecurity-aware and able to automatically prevent, detect, mitigate, and survive a cyber incident”. This is precisely the style of proactive “prevention and protection” posture that we’ve been encouraging. By way of contrast, the UK/EU legislation focuses on reactive “defense and disclosure”.
“Much of the DOE document rightly focuses on protecting the integrity of the power grid itself, but also recognizes that Internet-exposed management systems are at even greater risk than the more isolated power grid control systems themselves. The Plan underscores that the days of power grid controls being “off the Internet grid” are past, given the proliferation of “distributed energy resources ranging from electric vehicles to batteries and solar panels; increase customer participation and demand response; and integrate with other smart gas, water, and transportation infrastructure as Internet of Things technology”.
“The recent ESG outage underscored this, when a cyberattack on a 3rd party vendor’s systems (which relied on outmoded password security technology) drove system-wide disruption. That and other recent events have once again showed that many critical infrastructure operators have done the cyber-security basics well enough, including access control, but they have under-invested in cyber-defenses for advanced attacks such as DDoS, and they have demanded far too little of partners with Internet-exposed management and operations systems.
“The DoE Plan is a great start and worthy of applause. In one area, the recent UK/EU CI security strategies and directives remain ahead of US plans: enforcement.
“It’s unclear whether CESER will use the ‘carrot and stick’ approach that the UK has adopted for critical infrastructure entities with the NIS Directive, which allows for fines of up to $24 million or an eye-popping 4% of annual revenues against operators of essential services who fail to successfully defend their energy, control and data systems against cyberattacks.”