With a new national cyber strategy focused on the security of critical infrastructure, the Energy Department’s lead cyber directorate is working to set cybersecurity requirements for federal investments in clean energy technologies, while also overseeing a new review of digital threats to the electric distribution system.
Meanwhile, DOE is finalizing an update to its own cyber strategy that will align with the recently released national plan.
The Biden administration’s new strategy, released last week, calls for ensuring private entities in critical infrastructure are protecting their systems from digital threats. The document also endorses investing in sector risk management agencies like DOE, which is responsible for overseeing the energy sector.
Puesh Kumar, director of DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), said DOE and the energy sector are well positioned to meet the call.
“The energy sector as a whole has been a little bit more forward leaning than some of the other critical infrastructure sectors when it comes to security,” Kumar said in an interview.
But the sector also remains one of the top targets for cyber attacks. Meanwhile, the energy industry is increasingly digitized and interconnected, while new clean energy technologies — ranging from solar panels and wind farms to electric vehicle charging stations — are also being added to the mix.
“It also helps message what more we need to be doing,” Kumar said of the cyber strategy.
DOE’s National Renewable Energy Laboratory is conducting a review of security risks to the electric distribution system on behalf of CESER. The assessment was a requirement under the Infrastructure Investment and Jobs Act.
Kumar said a report on the assessment is due out this fall.
“The idea behind that is the grid is changing,” he said. “We’re going from large, centralized generation to more distributed, decentralized generation when we see all this solar and wind connecting. And so how does that change our cybersecurity risk going into the future? If we can start to do that assessment now and see where the grid is heading, as we see this energy transition underway with all these investments being made, let’s do an assessment of what the cyber risk looks like.”
In February, CESER also launched a joint initiative with the National Association of Regulatory Utility Commissioners (NARUC) to establish cybersecurity “baselines” states can use in regulating electric utilities.
“It’s going to be a collaborative process,” Kumar said. “We’re going to invite industry to the table, we’re going to have cyber technology companies there. And we’re going to have state regulators also jointly developing cyber baselines for distribution systems and distributed energy resources. So we’re really looking at the policies, we’re looking at the incentives we can provide, and the work we can do as DOE.”
CESER also continues to build out a new “Energy Threat Analysis Center,” or ETAC, Kumar said, that will bring together cyber experts from industry and government to share information about digital threats. The center will also be connected to the Cybersecurity and Infrastructure Security Agency’s broader Joint Cyber Defense Collaborative, a public-private cybersecurity hub that looks across all sectors.
“If we see a threat in the chemical sector, we want to make sure that the energy companies are aware of it, because they may be operating similar industrial control systems,” Kumar said.
Energy cyber strategy ‘very close to being done’
Both CESER and DOE’s Office of the Chief Information Officer were involved in shaping the new national cyber strategy, according to Energy CIO Ann Dunkin. “This was an incredibly collaborative process,” she said in an interview.
The strategy focuses heavily on critical infrastructure owned by the private sector, but it also includes an emphasis on securing federal systems.
“We all, pretty much everybody agreed, it’s really important to keep federal systems in there as well, because, obviously, federal systems are critical to our success as a nation,” Dunkin said.
DOE is also finalizing a new cybersecurity strategy, which hasn’t been updated since 2018.
“We’re very close to being done,” Dunkin said, adding that the focus is on “collective defense” with private sector and international partners.
In addition to overseeing DOE systems and networks at its 17 national labs, Dunkin’s office also oversees cybersecurity at DOE’s four Power Marketing Administrations, which market and transmit electricity from federal dams.
Dunkin said a major priority for those entities is gaining visibility into threats to the operational technology that underpins many of their systems.
“OT has not gotten enough attention in the past, and so we are very focused on OT security with the Power Marketing Administrations and on ensuring that we have the right abilities to understand what’s going on in their network traffic,” she said.
DOE is also working with the Power Marketing Administrations to pilot “OT control systems in the cloud,” Dunkin said.
“Currently, from a regulatory standpoint, we can’t do that, but we’re trying to do a proof of concept to be able to then work with other regulators to move that forward,” she said. “So we’re really trying to work with them to ensure they have all the tools that they need to understand their environment.”
CESER focuses on clean energy security
Biden’s cyber strategy also highlights clean energy, along with computing-related systems and biotechnology, as one of three families of technologies that will be critical to secure in the coming decades.
Kumar said CESER is leading an effort to ensure cybersecurity requirements will be included in DOE’s clean energy investments funded under the infrastructure law. The bill included approximately $62 billion for clean energy investments over the next decade.
“Whether it’s an initiative led by our Renewable Energy Office or whether it’s an initiative led by our Nuclear Energy Office, if it has a digital connectivity to it, we in CESER are going to be working with those offices, in partnership with the national laboratories, to ensure that there are cyber requirements also built in,” Kumar said.
DOE and CESER, last year, also published a “National Cyber-Informed Engineering” strategy. The document is intended to serve as a framework for building cybersecurity into energy systems early in their development, rather than after their deployment.
Kumar said the security-by-design concept will continue to be a major initiative for CESER well into the future.
“What that means is we need to be working with the engineering community that’s designing these systems to ensure cyber is included as part of their designs,” Kumar said. “We need to be working with standards organizations who set standards for designing things like substations. How do we ensure that those designs not only take reliability and operational efficiency into account and safety, but also cybersecurity? So you’re going to be seeing a real focus by us to really push this concept of cyber informed engineering going into the future.”