The Securing Energy Infrastructure Executive Task Force (SEI ETF) is a voluntary group of senior leaders representing energy sector asset owners and operators, vendors/manufacturers, research and academic institutions, Department of Energy National Laboratories, and government agencies. The Department of Energy formed the SEI ETF pursuant to direction in Section 5726 of the National Defense Authorization Act for Fiscal Year 2020.
Under a two-year effort, the SEI ETF formed a series of senior steering groups and technical project teams to pursue cyber supply chain-related tasks mandated by the statute, including evaluating technology and standards for industrial control systems (ICS), identifying new categories of ICS vulnerabilities, and developing a National Cyber-Informed Engineering (CIE) Strategy. Key deliverables from the SEI ETF body of work are described below.
The final report on the Department of Energy Fiscal Year 2020 Implementation of Section 5726, National Defense Authorization Act, Securing Energy Infrastructure, is coming soon.
National Cyber-Informed Engineering Strategy
The National CIE Strategy outlines the core CIE concepts—defined by a set of design, operational, and organizational principles—that place cybersecurity considerations at the foundation of engineering and energy systems design. The strategy is built on five integrated pillars, offering a set of recommendations to incorporate CIE as a common practice for control system engineers.
Matrix of Security Standards for ICS
The interactive matrix contains over 75 standards in a searchable and sortable format, organized by the standard type, purpose, and applicability. The matrix can help organizations apprehend the large body of security standards that can apply to ICS, how they interrelate, and which may be the best fit—resulting in more effective implementation to achieve security outcomes.
Reference Architecture and Profiles for Electric Energy Operational Technology (OT)
The Reference Architecture for Electric Energy OT provides a starting point for users to orchestrate security applications. Building on the baseline Reference Architecture, the SEI ETF developed profiles for four specific applications, including substation, generation, distributed energy resources, and operation/network control center.
The International Society of Automation (ISA) is leveraging this body of work to develop a forthcoming series of profiles for inclusion in the ISA/International Electrotechnical Commission (IEC) 62443 series of standards.
Categories of Security Vulnerabilities in ICS
These 20 categories are distinct from those already documented in information technology (IT), go beyond vulnerabilities arising from the implementation of ICS systems, and include those arising from design, architectural, operational, and human factors. The full category descriptions can be downloaded here.
MITRE has launched an ICS/OT Special Interest Group (SIG) to explore the inclusion of these categories in MITRE’s Common Weakness Enumeration database. Anyone interested in participating in the SIG should email MITRE (firstname.lastname@example.org) to be included on the distribution list.