Over the past two years, the Department of Energy’s (DOE) Securing Energy Infrastructure Executive Task Force (SEI ETF) has developed a body of work that is advancing the state of the practice for industrial control system cybersecurity. Now, portions of this jointly-developed technical work are being adopted and expanded by the Industrial Society of Automation (ISA)—a global standards body—and the MITRE’s Common Weakness Enumeration (CWE) framework, the nation’s top repository for cyber vulnerability and weakness information.

DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) formed and led the SEI ETF under congressional direction in Section 5726, “Securing Energy Infrastructure,” of the National Defense Authorization Act for Fiscal Year 2020. The Task Force is a voluntary group of senior leaders and technical experts that represent energy sector asset owners and operators, vendors and manufacturers, standards organizations, research and academic institutions, DOE’s National Laboratories, and government agencies.

Several dozen stakeholders from 35 organizations participated in developing SEI ETF’s body of work under the leadership of government and industry executives. Operating as a technically focused public-private partnership, they jointly developed and delivered a set of new resources aimed at narrowing critical gaps in industrial control system cybersecurity, including 20 new enumerations of control system security vulnerabilities, a set of energy sector reference architectures and profiles, an interactive matrix of standards, and a forthcoming National Cyber-Informed Engineering Strategy, among many others. 

  • New Categories of Security Vulnerabilities
    • The SEI ETF developed and described 20 new categories of security vulnerabilities for industrial control systems, extending existing categorization efforts beyond the IT space. CESER has partnered with MITRE and its Common Weakness Enumeration (CWE) program to integrate and expand the Task Force’s work. CWE Version 4.7, released in April, includes three new entries that draw from the SEI ETF’s descriptions of vulnerability categories. CESER and the CWE program have also formed an industrial control system/operational technology Special Interest Group, launched in May, that will further explore the inclusion of these categories in the CWE. This group is open to the public; details on how to join are included in MITRE’s announcement of the ICS/OT Special Interest Group.
  • Reference Architecture and Profiles for Electric Energy OT
    • The Reference Architecture for Electric Energy OT addresses gaps in existing reference architecture models and can provide a critical starting point for users to develop security applications in the OT environment. The SEI ETF further developed a set of profiles that leverage the Reference Architecture for four specific OT domains. CESER and Task Force participants partnered with ISA to form a working group to validate and expand the Reference Architecture profiles and incorporate them into the ISA/International Electrotechnical Commission 62443 series of standards, which provides cybersecurity technical requirements for industrial automation and control systems. ISA is inviting participation from other international standards groups to ensure broad alignment with cybersecurity standards development activities. Details on how to join this group are included in ISA’s announcement.
  • Matrix of Standards for ICS
    • As a foundational element in evaluating the array of standards used to secure industrial control systems, The SEI ETF developed a searchable and sortable interactive matrix of standards that contains more than 75 standards related to industrial control systems. The matrix can help energy providers apprehend the large body of security standards that can apply to industrial control systems, how they interrelate, and which may be the best fit—ultimately supporting more effective implementation of cybersecurity standards and guidance.
  • National Cyber-Informed Engineering (CIE) Strategy
    • DOE is preparing to release the congressionally directed National Cyber-Informed Engineering Strategy, developed by the SEI ETF. The National CIE Strategy offers a holistic approach to integrate cybersecurity considerations into the conception, design, build, and operation of any physical system that has digital connectivity, monitoring, or control. CIE calls for using design decisions and engineering controls to mitigate avenues for cyberattacks, or reduce the consequences when an attack occurs. The National CIE Strategy offers an integrated set of recommendations to incorporate CIE principles into engineering education and training, build a body of knowledge and resources for engineers, and apply CIE principles to the nation’s critical energy infrastructure and emerging technologies in our modern decarbonized grid.

To read more about all of the work that the Task Force has completed, visit the SEI ETF page on CESER’s public website.