CyTRICS Factsheet
Global technology supply chains have evolved to be increasingly diverse and complex, changing the overall risk for energy systems. To secure the most critical parts of the nation’s future energy infrastructure from the threat of a supply chain compromise – whether from intentional actions, technical vulnerabilities, or simply poor-quality control – the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) leads the Cyber Testing for Resilient Industrial Control Systems™ (CyTRICS) program, DOE’s cybersecurity vulnerability testing and enumeration program for priority energy system component software and firmware.
Through the CyTRICS program, CESER leverages the testing and analysis capabilities of the DOE National Laboratories ecosystem to confirm the security of the software and firmware of components used across the energy sector. CESER leads lab teams to test vulnerabilities, share information with manufacturers to develop mitigations, and alert industry stakeholders using impacted components so they can address flagged issues in their deployed systems. Researchers prioritize components with high impact, prevalence, and national security interest for testing and analysis.
Learn more about CyTRICS from our lab partners:
Idaho National Laboratory
To consistently and efficiently deliver findings that support its national security mission, the CyTRICS program takes a standardized approach across its key elements, including:
- A standardized testing process to produce consistency and compatibility, no matter where testing takes place,
- A standardized format to report vulnerabilities and enumeration to the CyTRICS database for sector-wide analysis, and
- A standardized vendor agreement to generate joint action on vulnerability disclosure and mitigation
As the CyTRICS program grows, findings will be collected and normalized within a comprehensive database. Access to the database will be shared among participating Labs, industry stakeholders, and equipment vendors to ensure managed and timely disclosure of vulnerabilities identified during testing. Accrued results will be available for advanced analytics to better assess sector-wide vulnerabilities and direct proactive mitigation efforts.
As stated in the May 2020 Executive Order on Securing the United States Bulk-Power System, electricity and other forms of energy “support our national defense, vital emergency services, critical infrastructure, economy, and way of life.” Through the CyTRICS program, CESER is securing energy – and all it is supports that is so vital to the American way of life – by ensuring the integrity and reliability of critical system components nationwide.
Supply Chain Cybersecurity Principles
The Supply Chain Cybersecurity Principles characterize the foundational actions and approaches needed to deliver strong cybersecurity throughout the vast global supply chains that build energy automation and industrial control systems (ICS). The principles aim to create an enduring framework to drive best practices today, while informing international coordination to advance those practices into the future.
Related News
-
The U.S. Department of Energy (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) today announced a collaboration with Rockwell Automation to test multiple critical infrastructure components for cybersecurity vulnerabilities.February 29, 2024 -
Westinghouse is the first nuclear Instrumentation and Controls (I&C) supplier to provide critical electrical grid components for cyber-related testing program.February 1, 2024
-
GE Gas Power is the fourth equipment manufacturer to provide critical electrical grid components to test under the Department of Energy’s Cyber Testing for Resilient Industrial Control System program.May 9, 2023