Sponsored by Four Inc. and IBM

Energy Dept advisor studying intersection of OT and zero trust

CISOs across the public and private sectors are confronting quickly evolving cyber threats, including API attacks and supply chain compromises.

Amy Hamilton, the Energy Department’s senior advisor for national cybersecurity policy and programs, says she’s in the middle of an “incredible opportunity.”

That’s because Hamilton is currently on detail at National Defense University, where she’s serving as visiting faculty chair at the College of Information and Cyberspace.

At NDU, Hamilton has the chance to study “deep, wicked problems.” Most recently, Hamilton has been working on how a zero trust security approach can be applied to operational technology, such as the systems that undergird the energy grid.

“How are you going to adjust what we’ve done traditionally in the Purdue model, protecting operational technology by segmenting it off? And micro-segmentation is going to be a huge piece of the future,” Hamilton said. “How do you look at confidentiality, integrity, availability? But also the big ‘s’ in operational technology is ‘safety.’ And that safety has to be more important than any of those things.”

The 2022 federal zero trust strategy directs agencies to migrate to a zero trust security approach for all their networks. The Energy Department and other agencies are grappling with how to apply advanced cybersecurity practices to OT systems without impacting their operations.

“If you add latency into the electric grid and you’re no longer able to produce power, that is a very significant detriment — you can’t do that,” Hamilton said. “We’re really looking at these factors, and we’re working with many of the other agencies that are experiencing it.”

Federal zero trust push

Hamilton’s work at NDU is in many ways a natural progression from her days leading the Energy Department’s zero trust program management office. She said Energy took a people-first approach to the shift to zero trust practices. Energy now has at least one person trained on zero trust at every single one of the agency’s 91 sites.

“There’s going to be an evolution — include that workforce early so that they’re not afraid,” Hamilton explained.

Federal agencies are implementing zero trust practices to better protect their data and systems from evolving cyber threats. Vulnerabilities are on the rise, even as agencies deepen their adoption of digital services to advance their missions.

Hamilton pointed to an estimated 400% increase in application programming interface attacks in 2022 as one example of the quickly changing cybersecurity threats that federal chief information security officers are facing.

“The speed from technology to hit the market and be adopted is so fast now. And for the CISOs out there, it’s just overwhelming. How do you secure everything?” Hamilton said.

Cyber informed engineering

Hamilton pointed to the “Application Rationalization Playbook” from the Federal Chief Information Officers Council as a great resource for CIOs and CISOs to get a handle on their increasingly complex technology environments.

“In the Department of Defense where I’m detailed to right now, they defined cyberspace as looking at the entire information environment. And I think a lot of times when civilian agencies and civilian organizations look at cyber, they’re only looking at the security aspect,” Hamilton said. “But if you look at this whole concept of cyberspace, it’s everything. The modernization is part of making things more secure. And data is the entire reason why networks exist. … It’s very, very important that we continue to recognize that data has been assessed maturity wise as the weakest pillar across the federal government.”

The Energy Department has also authored a “Cyber-Informed Engineering Strategy” that extends traditional engineering to include defense against cyber vulnerabilities.

“We used to just let the engineers have a wonderful time, and then we’d bring the security people in. But it has to be part of how we’re designing systems in order for these systems to be secure,” Hamilton said. “So that once they’re hitting the market, once they’re coming in and being adopted, we’re not having to worry about security afterwards. … I think it’s really looking at it all the way holistically to who are the suppliers, who are the producers, what are the supply chain risks, and making sure that we’re addressing this with that 20 to 30 year lifecycle, while at the same time recognizing that something’s going to come out tomorrow, and the CIO and the user are going to want to implement it the next day. And so how do you bring all those things together?”

Copyright © 2024 Federal News Network. All rights reserved.
