Progress Report: 100 Days of the Biden Administration’s Industrial Control Systems (ICS) Cybersecurity Initiative and Electricity Subsector Action Plan

In April 2021, the Biden Administration launched an Industrial Control Systems Cybersecurity Initiative to strengthen the cybersecurity of the critical infrastructure across the United States. The initiative was kicked off with a 100-Day Action Plan for the U.S. electricity subsector led by the U.S. Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) in close coordination with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Electricity Subsector Coordinating Council (ESCC). On July 28, 2021, President Biden further emphasized the importance of this initiative and broader cybersecurity efforts through his National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.

The Electricity Subsector Action Plan is the first in a series of sector-by-sector efforts to safeguard the Nation’s critical infrastructure from cyber threats and leverages the important public-private partnerships established by Sector Risk Management Agencies, such as DOE for the energy sector, and CISA.

Since the launch, CESER, CISA, and the electricity industry have made significant strides in support of the goals of the initiative. At least 150 electric utilities, serving almost 90 million American electric customers, have adopted or committed to adopting technologies to further improve the security of the operational technologies (OT) and industrial control systems (ICS) that manage the Nation’s electric systems, by enhancing the visibility, detection, and monitoring of these critical networks. This continued effort builds on the leadership of the electricity subsector to invest in cybersecurity.

In furtherance of the initiative, control systems cybersecurity experts at CESER, CISA, and the National Security Agency’s (NSA) Cyber Directorate developed a set of ICS monitoring technology evaluation considerations for reference by the electricity subsector. These evaluation considerations, as recently updated, can be found here.

While efforts continue and all utilities are encouraged to deploy technologies to improve the cybersecurity of their OT/ICS environments, the United States Government does not and will not select, endorse, or recommend any specific technology or provider as part of this initiative. Each utility must assess and select the technology or provider that is best for it. These evaluative considerations are recommendations, not requirements, and each utility should determine which of them are applicable to its situation and consider the technology that best fits its needs.

In addition to accelerating the deployment of OT/ICS cyber monitoring technologies, the initiative has also propelled a range of activities in the electricity subsector like incentivizing cybersecurity investments and discussing the value of cyber insurance.

DOE is committed to continue working with the ESCC in support of this initiative and the broader cybersecurity efforts: collective preparedness and collective response are the heart of our partnership. DOE is also providing technical and analytical support to some of the smaller utilities in the United States, municipal and rural cooperative electric utilities, though collaborations with the American Public Power Association and the National Rural Electric Cooperative Association. These collaborations will provide financial support to ensure that those utilities can deploy OT/ICS monitoring capabilities, perform risk assessments and architectural reviews, and provide training to utility workers using the technologies.

DOE also recently issued an updated version of the Cybersecurity Capability Maturity Model (C2M2) to help utilities assess and improve the cybersecurity of their information and operational technology systems. DOE encourages all electric utilities to leverage C2M2 to assess the cybersecurity posture of their organizations to help make informed cybersecurity investment decisions.

The cybersecurity of America’s critical infrastructure remains a top priority for this Administration. This initiative is a major step in increasing the cybersecurity of the U.S. energy sector and securing the grid that millions of Americans rely on every day.