The release of the National Cybersecurity Strategy (NCS) is a major milestone in the journey toward a more secure, connected, and resilient future for all Americans. In the energy sector, we see an incredible transition taking place: a transition that involves new sources of generation such as wind and solar; new architectures and systems to operate electricity, oil, and natural gas systems more reliably, safely, and efficiently; and new market players to help us charge our electric vehicles, control our thermostats remotely, and move energy from one place to another. At the same time, we’re seeing cyber threats targeting energy systems continue to increase, whether from nation-states or criminal actors. As we see both of these dynamics play out, the NCS provides a critical roadmap to ensuring that the U.S. energy sector continues to remain secure and resilient for Americans today and for generations to come.
As the Sector Risk Management Agency for the energy sector, the Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) works to secure critical energy infrastructure from cyber, physical, and climate-based threats, and to inform the market through research, development, demonstration, and collaboration to move us rapidly toward a more secure and resilient tomorrow. We work collaboratively with the energy sector and intergovernmental partners to understand where risks exist—both physical and cyber—and how best to buy down those risks where appropriate.
As our energy infrastructure becomes smarter and more connected, it can also become more vulnerable to disruption from cyber-attacks. Each connection pathway in our electric, oil, or natural gas infrastructure, and each interconnected device on our system, presents a new vector for malign cyber actors to cause damage to our infrastructure. We stand ready to leverage this unparalleled moment of change to embrace security by design and to capitalize on the new tools, systems, and architecture coming online as our energy systems evolve.
The NCS sets a clear direction for the United States and establishes definitive objectives for cyber threat mitigation and response across sectors, unifying our approach and creating a common understanding of what is required to keep our nation safe from bad actors and ever-changing risks. The Strategy cites several key CESER initiatives, highlighting the importance of the work we are already doing in this space.
DOE’s pilot of the Energy Threat Analysis Center (ETAC) is included as an example of the new and innovative capabilities that we need to build to collaborate effectively at the scale and speed needed to defend critical infrastructure. The ETAC will bring experts from government and industry together to analyze and address cyber threats to the energy sector. Through this new, operational approach to cyber collaboration, we will close gaps in our collective situational awareness of threats, improve our ability to mitigate and defend against them, and support the nation’s response to incidents within the energy system.
The NCS takes special note of the need to advance innovation as we strive to stay ahead of cyber criminals. To that end, CESER is proud to lead and support several significant efforts to push the boundaries of what is possible in energy cybersecurity. The Clean Energy Cybersecurity Accelerator (CECA) is one such example. In partnership with DOE’s Office of Energy Efficiency and Renewable Energy (EERE), CESER co-leads this initiative to bolster early stage, next-generation cybersecurity technologies by providing a state-of-the-art testbed at the National Renewable Energy Laboratory.
CESER also sits at the helm of the Energy Cyber Sense Program, which is a comprehensive effort to address supply chain risk within the energy sector. The program will increase the cyber resilience of energy sector hardware and software through policies, standards, testing, educational awareness, and more. Lessons learned can then be shared with energy sector asset owners and manufacturers to address them.
Under the Energy Cyber Sense umbrella is the Cyber Testing for Resilient Industrial Control Systems, or CyTRICS program, which leverages the testing capabilities of the National Laboratories to strengthen the security and resilience of hardware and software in the energy sector. As testing expands, CyTRICS is identifying systemic supply chain vulnerabilities that can help us engineer out cyber weaknesses in next-generation systems. CyTRICS has established partnerships with four companies that represent a large portion of the market share of critical systems and components in the electricity sector: Schneider Electric, Hitachi Energy, Schweitzer Engineering Laboratories and, most recently, GE Power Gas. Strategic collaboration is a hallmark of CESER’s success in advancing cybersecurity within the energy sector; it is central to our approach.
We also recently announced a joint project with the National Association of Regulatory Utility Commissioners (NARUC) to establish a set of cybersecurity baselines that states can consider and adopt for distribution systems and distributed energy resources. This effort will be supported by a public-private advisory committee that NARUC is establishing so that a collaborative approach is taken to identify and define cybersecurity best practices for electric distribution systems and distributed energy resources. This effort, along with many other collaborative projects, will help create a more stable, more predictable business environment for energy innovators over time while having a real impact on the overall cybersecurity of our energy systems.
In addition to embracing and supporting research and development, the NCS calls on Federal agencies to make strategic investments in a more resilient future—a future in which cyber threats are far less likely to have cascading or catastrophic impacts on our critical infrastructure. DOE is out ahead on this front, poised to make more than $62 billion of investments in a clean energy future that is inherently resilient and secure, thanks to President Biden’s Bipartisan Infrastructure Law. In 2022, CESER opened a $45 million funding opportunity to create, accelerate, and test technology that will protect the grid from cyber-attacks. This funding will support up to 15 research projects that will establish or strengthen existing research partnerships with energy sector utilities, vendors, universities, National Laboratories, and service providers working toward resilient energy delivery systems.
Apart from financial investments, CESER actively engages in workforce development to build up our human capital and to ensure the energy sector of tomorrow is properly designed, maintained, and secured. Through programs such as CyberForce, which provides competitions and opportunities for college students to test their skills while defending critical infrastructure against cyber-attacks in a test environment, and the OT Defender Fellowship, which offers training to operational technology (OT) security managers to help them better contribute to two-way information sharing between government and industry, CESER is making a real impact on professional development at the cyber/energy nexus.
The Cyber-Informed Engineering Strategy (CIE), which is specifically called out in the National Cybersecurity Strategy, is an emerging framework—originated by the National Laboratories and advanced by DOE—to build cybersecurity into our energy systems at the earliest possible stages. One aspect of CIE is partnership with key R-1 universities to build curricula teaching prospective engineers how to design security solutions into critical infrastructure projects. This initiative sets a standard for both cyber best practices and workforce development, starting at our institutions of higher education.
The release of the National Cybersecurity Strategy represents a starting point: a launch pad for a digital, interconnected future within the energy sector, and across many other sectors, that is secure, reliable, and resilient. CESER is committed to supporting the long-term implementation of this Strategy in partnership with the private sector, academia, State, local, Tribal, and territorial (SLTT) communities, and our international partners. It will take all of us coming together to raise the bar for cybersecurity across the U.S. energy sector!
Learn more about CESER, our initiatives, and opportunities to join our team here: /ceser/office-cybersecurity-energy-security-and-emergency-response.