DOE releases guidance for strengthening cybersecurity of the grid’s supply chain
The new guidance released today focuses on helping utilities and other energy sector organizations purchase technologies that include cybersecurity protections and features
The Department of Energy released new guidance to help U.S. industry strengthen energy delivery system cybersecurity. Developed through a public-private working group including federal agencies and private industry leaders, the DOE's Cybersecurity Procurement Language for Energy Delivery Systems guidance provides strategies and suggested language to help the U.S. energy sector and technology suppliers build in cybersecurity protections during product design and manufacturing.
“The Energy Department is committed to building a stronger and more secure electric grid through partnerships with industry, state and local governments and other federal agencies,” said Energy Secretary Ernest Moniz. “As we deploy advanced technologies to make the U.S. power grid more reliable and resilient, we must simultaneously advance cybersecurity protections. The cybersecurity guidance released today will help industry further strengthen these technologies and protect our critical energy infrastructure.”
The new guidance released today focuses on helping utilities and other energy sector organizations purchase technologies that include cybersecurity protections and features — improving the overall reliability and security of energy delivery systems and ensuring that the testing, manufacturing, delivery, and installation of new technologies emphasize cybersecurity requirements.
This energy delivery systems guidance builds on the Cybersecurity Procurement Language for Control Systems guidance developed in collaboration between industry, the DOE, its Idaho National Laboratory, and the Department of Homeland Security in 2009.
“Managing supply chain risk is a key cybersecurity challenge,” said White House Cybersecurity Coordinator Michael Daniel. “This new guidance is a great example of the Administration's continued emphasis on building a strong partnership between industry and government. These efforts have produced tangible results, including this resource, which will enable organizations to use the principles in the new Cybersecurity Framework to address supply chain considerations.”
“The electric utility industry continues to build upon our key partnership with the Department of Energy, and this collaborative effort is another great example of how our industry-government partnership is helping to strengthen grid security and resilience,” said EEI President Tom Kuhn. “This guidance will further the discussion of cybersecurity requirements between industry operators and suppliers during the procurement process to help build cybersecurity protections into the nation's evolving energy infrastructure.”
As part of the DOE's broader efforts to support a strong, secure and resilient power grid, the DOE is working with grid owners and operators, national laboratories, universities and other federal agencies to share best practices and deploy new technologies.
In the past year, the DOE has released Cybersecurity Capability Maturity Models for the electricity and oil and gas sectors. These models help organizations evaluate, prioritize and improve their cybersecurity capabilities using a common set of industry practices that helps further strengthen their defenses. Over 230 organizations, including more than 100 utilities, have requested this tool.
At the same time, the DOE is developing tools to help grid owners and operators know about unusual activity as soon as possible — enabling quicker and more effective responses. In 2013, the DOE launched the Cybersecurity Risk Information Sharing Program to provide electricity sector organizations with near-real-time cyber threat information and analysis.
To date, eight organizations have installed a DOE-developed information sharing device, which provides continuous monitoring and helps quickly identify potential threats and mitigation tactics. Twenty new organizations are expected to join the program this year.
Between 2010 and 2013, the DOE invested more than $100 million in cybersecurity research, development and commercialization projects. Earlier this month, the DOE made $10 million available to national laboratories and other federally funded research and development centers for competitively selected projects on new tools and technologies that will further enhance the cybersecurity of energy delivery systems.