The ETAC has quickly scaled from a pilot project to an operational center at the Energy Department for analyzing cyber threats like Volt Typhoon.
The Energy Department's new office for sharing cyber intelligence is moving beyond its pilot phase and going fully operational, building off work within the past year to alert industry to “Volt Typhoon” and other cyber threats to energy systems.
The Energy Threat Analysis Center officially transitioned to “steady state operations” in October, according to ETAC Director Elke Sobieraj. DOE’s Office of Cybersecurity, Energy Security and Emergency Response established ETAC as a pilot program in April 2023.
The goal of the center is to bring together experts from government and the energy sector to analyze cyber threats and provide mitigations to the broader sector, which includes electricity, oil, natural gas, nuclear power, and renewables. The center also coordinates with the Cybersecurity and Infrastructure Security Agency's Joint Cyber Defense Collaborative.
In an interview, Sobieraj said a key piece of the pilot was instituting the ETAC’s “governance model” for information sharing between agencies, industry and the national labs.
“Making sure we have all the processes aligned and developing threat monitoring tools, techniques and analytics,” she said.
The center has also sought to recruit experts in energy sector systems. The aim is to ensure the cybersecurity information that the ETAC shares is relevant to energy-specific systems and operations.
“Folks who understand the intricate details of [Supervisory Control and Data Acquisition] or operational technology systems that operate the physical energy systems that we all rely on,” Sobieraj said of the ETAC’s recruiting efforts.
The pilot was also focused on “building some of the initial muscle memory” for collaboration between government and industry analysts, she added.
The emergence of Volt Typhoon presented an early opportunity for the ETAC. U.S. officials allege Volt Typhoon is a China state-sponsored hacking group that has compromised the networks of multiple U.S. critical infrastructure organizations, including energy systems, to “pre-position” for disruptive or destructive cyber attacks.
Sobieraj highlighted how the ETAC contributed to a joint advisory on Volt Typhoon released by the Cybersecurity and Infrastructure Security Agency in February.
“This was an opportunity for the whole interagency to come together, and an opportunity for the ETAC to make its opening debut, if you will, on something that was very important,” she said.
Sobieraj said Volt Typhoon is “not just something we can secure overnight.” She highlighted the group’s so-called “living off the land techniques,” which have allowed the group to evade detection and maintain yearslong access in some IT systems.
“This is not something that is going to go away in the near term, and it’s something that us as the interagency and the federal government will continue to reach out to our private sector partners and help them understand the threat,” she said. “CISA and some of our other energy agency partners, including DOE, have done a great job of reaching a lot of the stakeholders who will likely be impacted by this or who should be specifically searching on their systems. But I don’t think the work is done. I think this is still at the very beginning. There’s a lot more that needs to be done.”
The experience with Volt Typhoon and other cyber incidents over the past year has helped the ETAC understand “what worked, what didn’t” when it comes to industry collaboration, Sobieraj said.
“I think we’ve learned a lot, and we’re building on those lessons learned now that we are moving into a full operational piece,” she said.
The center is also working on a five-year roadmap to outline its priorities moving out of the pilot phase.
“What are our measures and milestones that we should be accomplishing over the next five years? Metrics is top of mind, and something we’ll be continuing to finalize us in the coming months,” Sobieraj said.
ETAC officials are also working to build an IT platform that can pull together different streams of cyber threat data from government and industry partners. Sobieraj said merging government and industry data together can be challenging, but is crucial to the center’s goal to serve as a focal point for cyber threat analysis in the energy sector.
“Building out that bidirectional data flow is our very top priority, because if we don’t have the data to support the analysis, it’s very hard to put out recommendations to the broader sector if we don’t have the data as a starting point,” Sobieraj said.
Copyright © 2024 Federal News Network. All rights reserved.