Energy sector cybersecurity preparedness is one of the three key areas in which CESER’s cybersecurity program supports activities. Preparedness activities address two areas: situational awareness and information sharing, and risk analysis.
Situational Awareness and Information Sharing
CESER works closely with energy sector owners and operators to better detect risks and mitigate them more rapidly by fostering industry assessment capabilities, developing operational threat analysis tools, and working with the intelligence community to better share actionable threat and intelligence information. CESER collaborates with government and private sector partners to develop technologies, tools, exercises, and other resources to assist the energy sector in evaluating and improving its security posture, practices, and readiness.
Because of the highly dynamic technology and threat environment, effective cybersecurity practices require a continuous and comprehensive assessment of threats, identification of system vulnerabilities, strengthening and sharing of recognized security practices, and analysis of the impact of cyber events on the energy infrastructure. Timely bi-directional sharing of cyber threat information between the energy sector and government helps to determine the severity, scope, and nature of threats and rapidly develop needed mitigations.
Bi-directional Cyber Risk Information Sharing
Cybersecurity Risk Information Sharing Program
The Cybersecurity Risk Information Sharing Program (CRISP) is a public-private partnership, co-funded by DOE and industry and managed by the Electricity Information Sharing and Analysis Center (E-ISAC). The purpose of CRISP is to collaborate with energy sector partners to facilitate the timely bi-directional sharing of unclassified and classified threat information and to develop situational awareness tools that enhance the sector's ability to identify, prioritize, and coordinate the protection of critical infrastructure and key resources. CRISP leverages advanced sensors and threat analysis techniques developed by DOE along with DOE’s expertise as part of the nation’s Intelligence Community to better inform the energy sector of the high-level cyber risks. Current CRISP participants provide power to over 75 percent of the total number of continental U.S. electricity subsector customers.
Cybersecurity for the Operational Technology (OT) Environment (CyOTE™)
CyOTE™ is demonstrating two-way data sharing and analysis within the complex OT environment, where utilities currently have less mature tools for threat detection. These pilots are demonstrating and addressing the challenges of collecting data on OT networks: determining what to monitor, how to collect and process data, and how to share sensitive data while protecting privacy. The results from these pilots will inform the development of a repeatable, standard approach that the energy industry can use for real-time operational threat data sharing and analysis.
Risk Analysis Tools, Practices and Guidelines
Cybersecurity Capability Maturity Model (C2M2)
As part of the Federal Government’s efforts to improve electricity subsector cybersecurity capabilities, CESER and industry partners developed the Electricity Subsector Cybersecurity Capability Maturity Model (C2M2) to help private sector owners and operators better evaluate their cybersecurity capabilities. The C2M2 evaluation helps organizations prioritize and improve cybersecurity activities. This is a comprehensive and credible approach that all energy sector companies can use to improve their cybersecurity posture. CESER also released versions of the C2M2 for the oil and natural gas subsectors and for industry at large.
Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President under Executive Order (EO) 13636 “Improving Critical Infrastructure Cybersecurity” directed the National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary Framework for reducing cyber risks to critical infrastructure. In 2015, CESER released guidance to help the energy sector establish or align existing cybersecurity risk management programs to meet the objectives of the Cybersecurity Framework released by NIST in February 2014. The Energy Sector Cybersecurity Framework Implementation Guidance discusses in detail how the C2M2 maps to the voluntary Framework.
Cybersecurity Risk Management Process (RMP)
Cybersecurity risk is one of the components of the overall business risk environment and feeds into an organization’s enterprise Risk Management Strategy and program. Cybersecurity risk, as with all risks, cannot be completely eliminated, but instead must be managed through informed decision-making processes.
The electricity subsector cybersecurity Risk Management Process (RMP) guideline was developed by the Department of Energy (DOE), in collaboration with the National Institute of Standards and Technology (NIST) and the North American Electric Reliability Corporation (NERC). The RMP is built on the premise that managing cybersecurity risk is critical to the success of an organization’s mission in achieving its business goals and objectives, specifically the reliable generation and delivery of electric power. Implementation of the RMP will facilitate more informed decision making throughout an organization, leading to more effective resource allocation, operational efficiencies, and the ability to mitigate and rapidly respond to cybersecurity risk.