Global technology supply chains have evolved to be increasingly diverse and complex, changing the overall risk for energy systems. To face the threat of a supply chain compromise – whether from intentional actions, technical vulnerabilities, or simply poor-quality control – the Office of Cybersecurity, Energy Security, and Emergency Response leads DOE’s cybersecurity vulnerability testing and enumeration program for priority energy system component software and firmware in order to secure the most critical parts of the Nation’s future energy infrastructure.

Through the Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program, CESER is leveraging the testing and analysis capabilities of the Department of Energy’s National Laboratories to confirm the security of the software and firmware of components used across the energy sector. Through CyTRICS, CESER tests vulnerabilities, shares information with manufacturers to develop mitigations, and alerts industry stakeholders using impacted components so they can address flagged issues in their deployed systems. Components with high impact, prevalence, and National security interest are prioritized for testing and analysis.

In order to consistently and efficiently deliver findings that support its national security mission, the CyTRICS program takes a standardized approach across its key elements, including:

• a standardized testing process to produce consistency and compatibility, no matter where testing takes place,
• a standardized format to report vulnerabilities and enumeration to the CyTRICS database for sector-wide anaylsis, and
• a standardized vendor agreement to generate joint action on vulnerability disclosure and mitigation

As the CyTRICS program grows, findings will be collected and normalized within a comprehensive database. Access to the database will be shared among participating Labs, industry stakeholders, and equipment vendors to ensure managed and timely disclosure of vulnerabilities identified during testing. Accrued results will be available for advanced analytics to better assess sector-wide vulnerabilities and direct proactive mitigation efforts.

As stated in the May 2020 Executive Order on Securing the United States Bulk-Power System, electricity and other forms of energy “support our national defense, vital emergency services, critical infrastructure, economy, and way of life.” Through the CyTRICS program, CESER is securing energy – and all it is supports that is so vital to the American way of life – by ensuring the integrity and reliability of critical system components nationwide.