The U.S. Department of Energy on May 14 released a multiyear plan to reduce the risk of energy system disruptions from cyberattacks.
The strategy aims to bring together the DOE, other federal agencies and the private sector to combat a rising tide of cyber incursions from nation-states and criminals, according to the document. The DOE said the plan will provide a "critical foundation" for its recently formed Office of Cybersecurity, Energy Security, and Emergency Response, or CESER, which is charged with undertaking the agency's cybersecurity and incident response activities.
"We must recognize today's realities: resources are limited, and cyber threats continue to outpace our best defenses," the 52-page document said. "To gain the upper hand, we need to pursue disruptive changes in cyber risk management practices."
The plan lays out goals and initiatives the DOE will pursue over the next five years to harden U.S. energy infrastructure, such as the electric grid and oil and gas pipelines, from potential cyber intrusions. The two-fold strategy involves strengthening today's energy systems and developing "game-changing" solutions to ensure more resilient and secure infrastructure.
For its part, the DOE established three goals to help energy delivery systems withstand a major cyber incident while maintaining critical functions. The department will strengthen cybersecurity preparedness through improved information sharing, technical assistance and the reduction of cybersecurity supply chain risk, and it also will coordinate cyber incident response and recovery efforts, including through response exercises. Lastly, the agency will accelerate research, development and demonstration of resilient energy delivery systems.
The DOE's strategy aims to support a May 2017 executive order from President Donald Trump that directed the agency to work with industry to assess the electric grid's ability to respond to a prolonged power outage. Electric power producers, pipeline operators and other segments of the energy industry are contending with rising cyber threats from nation-states including Russia and Iran as well as criminals, terrorists and other bad cyber actors.
In its new multiyear plan, the DOE said energy assets have become a "prime target" for cyberattacks. Between 2013 and 2015, the energy sector experienced more cyber incidents than any other critical infrastructure segment, accounting for 35% of the 796 incidents reported by critical infrastructure operators, according to data compiled by the Industrial Control Systems Cyber Emergency Response Team, known as ICS-CERT, which is part of the U.S. Department of Homeland Security.