The Energy Department’s lead office for industry cybersecurity is partnering with key manufacturers in the U.S. energy sector and developing a testing regime for critical systems, as it looks to ensure the transition to renewable energy is underpinned by secure technologies.
The Office of Cybersecurity, Energy Security and Emergency Response (CESER) is in the midst of establishing “Energy Cyber Sense,” a voluntary program for testing the cybersecurity of products and technologies in the energy sector, according to Puesh Kumar, director of CESER.
“How do we start to test some of these critical components for potential hardware or software vulnerabilities before an adversary can exploit them?” Kumar said in an interview, describing the crux of Energy Cyber Sense.
The program was mandated by last year’s Infrastructure Investment and Jobs Act. The legislation authorized approximately $1.9 billion in cybersecurity funding across multiple programs, including $550 million for electrical grid cybersecurity, according to an analysis published by BGR Group.
The push to transition the electric grid to renewable energy is a chance for CESER and its partners to ensure the sector is more secure in the future.
“We have a strategic opportunity unlike what you see with a lot of other sectors and what we haven’t seen in the energy sector before, because we were bolting on cybersecurity,” Kumar said. “As we transform the grid, as we start to integrate a lot of this renewable technology onto the grid, we have an opportunity like no other. From the start, we get to say, ‘How do we ensure that this is secure?’”
The cybersecurity of the electric grid has taken on even more increased urgency amid Russia’s invasion of Ukraine. The White House has warned Russian actors could target U.S. critical infrastructure, including the electric grid, with cyber attacks.
Last year, the White House launched a voluntary Industrial Control Systems Cybersecurity Initiative, starting with the electricity subsector in April. The initiative resulted in over 150 electricity utilities representing almost 90 million residential customers agreeing to install cybersecurity monitoring technologies on their control systems.
The initiative has only bolstered CESER’s work with backing from the highest levels of government.
“We were able to really think through what are the key things that we need to address in an ICS system and an operational technology system,” Kumar said.
The office is continuing to encourage utilities to adopt monitoring technologies, while also examining how it can share cyber event data across the sector. That’s a task complicated by the more than 3,000 electric utilities in the United States, according to Kumar.
“If one company is seeing it, we need to make sure that others see it quickly,” Kumar said. “So that’s work we’re going to be doing with the industry and with the national labs to really look at the analysis and modeling.”
CESER works with electric utilities and companies through the Electricity Subsector Coordinating Council. The office also sits on the Oil and Natural Gas Subsector Coordinating Council. The councils bring together agencies like Energy and the Cybersecurity and Infrastructure Security Agency with chief executives from key industries to coordinate on cybersecurity and other threats.
More recently, CESER established the Securing Energy Infrastructure Executive Task Force to specifically focus on supply chain risks in the energy sector industrial base. The task force is developing a “national cyber-informed engineering strategy” to develop secure design standards, according to Kumar.
“That gives us another group to partner with, and to get to really hear from some of the manufacturers on how do we actually address this very complex problem,” he said.
The Energy Cyber Sense program will also require collaboration with industry, as there’s currently no requirement for manufacturers of critical technologies to have their systems tested by the government.
But the office already has agreements in place for key manufacturers to participate in the existing Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program, which leverages testing by experts at Idaho National Laboratory. Companies who have agreed to participate in CyTRICS testing in recent years include Schneider Electric, Schweitzer Engineering Laboratories and Hitachi Energy.
The existing testing arrangements should help lay a strong foundation for Energy Cyber Sense and other cybersecurity collaborations in the future, according to Kumar.
“They know their systems best — they’ve designed them,” Kumar said of the manufacturers. “So we may find a vulnerability, but we need to partner with them to think through, how do we actually mitigate that vulnerability? And so that partnership we’ve developed with them has been fantastic. And we’re going to continue to grow that with other manufacturers who want to come to the table and partner with us.”