In response to the COVID-19 pandemic, the U.S. Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) is in regular communication with energy sector partners across the government and energy industry. CESER will continue to coordinate with interagency and energy sector partners to closely monitor any threats or potential threats to the energy system.
Acting as the Sector Specific Agency for Energy and the coordinating agency for Emergency Support Function #12, CESER is advising energy sector partners to remain vigilant to cybersecurity threats.
Malicious actors may attempt to capitalize on public fears by launching phishing attacks to gain unauthorized access to critical energy control systems. A dynamic operating environment could allow bad actors to target companies with emails that contain malicious attachments or links to fraudulent websites in order to trick victims into revealing sensitive information or performing actions such as donating to fraudulent charities. CESER recommends that executive leadership emphasize to company personnel the need to be cognizant of the risk from external emails, phishing, and social engineering. Please exercise extreme caution when opening any emails related to COVID-19 and clearly establish good sources of communication to avoid confusion with misinformation.
CESER also encourages energy sector companies to assess the full breadth of risk within the supply chain, including that of managed service providers (MSPs) and how COVID-19 may affect service providers’ approaches to service delivery. In addition, companies will want to understand how MSP approaches may affect their overall risk posture, in particular with MSPs outside of the Continental United States.
Please reference Insights from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to help think through physical, supply chain, and cybersecurity issues that may arise from the spread of COVID-19.
Additionally, as many organizations may consider alternate workplace and telework options, CESER encourages you to adopt a heightened state of cybersecurity and review the March 13th CISA alert on Enterprise Virtual Private Network Security Concerns and Mitigations.