DOE’s National Cyber-Informed Engineering (CIE) Strategy turned a game-changing concept into a strategic roadmap. Two years later, CESER has matured CIE into an industry-led practice that is beginning to change how we design energy infrastructure—now and into the future.
Office of Cybersecurity, Energy Security, and Emergency Response
November 22, 2024
minute read time
Lili Colon
With more than 20 years of experience, Lili Colon has a deep understanding of how quickly the threat landscape changes and what is needed to best secure and protect the U.S. energy supply from all threats. She helps drive the U.S. Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) mission to strengthen the security and resilience of U.S. energy infrastructure from cyber, physical, and natural hazard risks and disruptions by leveraging critical expertise across both public and private sectors.
Lili guides the department and its programs towards success with an emphasis on multi-disciplinary collaboration among agency partners, industry, academia, and education. Her background in operations and cyber, physical, and communications domains is rooted in her commitment to excellence and ensures a critical eye is kept on the horizon.
Most recently, Lili served as the Deputy Associate Director for the Integrated Operations Division within the Cybersecurity Infrastructure Security Agency (CISA). In this role, she worked to minimize the impact to our Nation’s Critical Infrastructure by establishing operational and leadership support within the Agency’s 24/7 Operation Center. Lili also served as the deputy co-chair to the COMM-ISAC and supported CISA’s operational processes in response to Emergency Support Functions #2: “Communication” and #14: “Cross-sector Business and Infrastructure” responsibilities under the National Response Framework.
Previously, Lili served as the Chief for Strategic Planning and Resource Management for the Cybersecurity Division within CISA. Ther work was integral in managing strategy, policy coordination, integrating program planning, and performance of a $1.2B annual budget. Furthermore, she was responsible for maturing the Division’s annual operating plans and long-term strategy to achieve national cybersecurity objectives. This required Lili to establish multiple agency strategic policy development planning efforts and coordinate engagements to support the Department of Homeland Security’s broader mission to increase resilience in our Nation’s Critical Infrastructure and reduce exposure to cyber risks.
Throughout her career, Lili has honed her expertise through various Information Technology/Cybersecurity Positions in the government and private sectors relating to the Certification and Accreditation Process, Cybersecurity Curriculum Manager, Information Assurance, Cyber Strategic Planning, and Security Policy Development.
Her role at CESER clarifies the Office’s vison for how our Nation can secure its energy infrastructure now and in the future.
Cyber-Informed Engineering (CIE) leverages engineers and engineering design to provide deterministic controls that reduce the damage potential of a cyber attack. CIE offers a framework to integrate engineering controls that reduce or mitigate the impact of cyber threats into any physical system used in critical infrastructure, energy or otherwise. CIE guides engineers to consider the worst-case scenarios of cyber attacks on their designs, and allows for engineering teams and cybersecurity teams to collectively design solutions that can mitigate what an adversary could do.
The Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has worked with the Idaho National Laboratory (INL) and the National Renewable Energy Laboratory (NREL) to integrate CIE into the U.S. energy infrastructure, acting on the approaches outlined in DOE’s 2022 National Cyber-Informed Engineering Strategy.
Over the past two years, CESER has transitioned CIE from a strategic approach to an industry-led practice, with a growing library of resources and tools that are influencing infrastructure design, engineering education, and standards implementation.
Influencing Energy Infrastructure Projects
CESER’s CIE program published an extensive CIE Implementation Guide to guide engineers through questions that help employ CIE principles into systems across engineering lifecycles. The Implementation Guide was also developed into a web-based CIE Analysis Tool, and the program is preparing to release a companion guide focused on CIE case studies for a number of different generation technologies.
Now, the CIE program is working alongside five utility partners (and counting!) to implement CIE into energy infrastructure projects from microgrids to substations. Researchers worked with a cooperative utility to implement cyber-informed engineering protections into dozens of new microgrid installations. Because each installation had different cyber risks and opportunities, the team built a CIE Microgrid Analysis Tool (CIEMAT) that helps utilities get to CIE decisions faster when designing microgrids.
CIE program partners in utilities and system design and engineering firms are implementing these design principles and bringing real-world feedback and case studies into CIE research through the CIE Community of Practice.
Building an International Community of Practitioners
CESER built a thriving CIE Community of Practice with 305 members from 164 organizations who are working with the program to build CIE concepts into guidance and tools, integrate CIE into university-level engineering programs, and align CIE with industry standards. This ensures that CIE resources are directly informed by the engineers, manufacturers, utilities, researchers, universities, and standards organizations who will be using them.
Members guide resource development through three monthly Working Groups (Standards, Education, and Implementation). Email CIE@inl.gov to join the Community of Practice and participate in a working group.
CIE concepts have also been presented at 43 industry events in the last year, including in-depth CIE workshops that challenged participants to apply CIE concepts to critical infrastructure designs, including microgrids, substations, advanced distribution management systems, and water booster pump stations.
Partnering with Standards Bodies to Align and Integrate CIE
The CIE program is actively working with standards organization to examine how to align CIE strategies with existing standards and further integrate CIE concepts into standards over time:
- ISA 99 WG14 is building CIE concepts into an ISA/IEC 62443 Security Profile for Energy OT Control Systems.
- CIE is referenced in IEC TR 63486 ED1 on cyber risk management for nuclear instrumentation and control.
- The American Water Works Association identified CIE as the resource to lead long-term sustainment & culture change for high cyber maturity.
- CIE is included in the upcoming IEEE Power & Energy Society Roadmap, fostering ongoing dialogue and collaboration.
Keep an eye on this space to learn more about CIE resources and successes as CESER continues driving CIE research and development forward.