US Department of Energy publishes cybersecurity plan

The US Department of Energy, arguably the most important department of the US government, has published its multi-year cybersecurity plan. 

Bruce Walker, assistant secretary at the department, says: “The plan will provide a critical foundation to DoE's newly announced Office of Cybersecurity, Energy Security, and Emergency Response (CESER), which will shift OE's cybersecurity and incident response activities to a new, dedicated office. “The Plan outlines a game-changing strategy for DoE, informed by the energy industry's highest-priority needs, which can continue to be built upon by CESER leadership.” 

In the document, the DoE notes that it has become “increasingly difficult” to keep up with the growing and aggressive cyber attacks in the energy sector. The DoE adds that the energy sector has become a “prime target” for cyber attacks in recent years, and defending against the attacks has become more expensive each year.

“It's tempting to believe that this increase in attacks is horizontal across industries,” says Tim Erlin, director of IT security and risk strategy for Tripwire. “But the data shows that energy organisations are experiencing a disproportionately large increase when compared to other industries.” But the DoE's multi-year plan is designed to counter many or all of these issues and secure the US energy infrastructure. The plan includes:

• boosting threat-sharing with the private sector, including a malicious code repository and exchange;
• curbing supply-chain risk; and
• accelerating research and development to make energy systems more resilient to hacking.

Also, the plan serves as a roadmap for the new CESER, for which President Donald Trump's administration has requested $96 million in the 2019 US Federal budget. A couple of experts on federal cybersecurity issues offer perspective. Michael Magrath, director, global regulations and standards, Vasco Data Security, says: “The DoE will be updating the Cybersecurity Capability Maturity Model. The market has changed since it was published in February 2014.

“We anticipate DoE will incorporate NIST's Digital Identity Guidelines (SP 800-63-3), refreshed in 2017 and advance risk-based, biometric adaptive authentication technologies to protect the nation's energy sector.” Ray DeMeo, chief operating officer, Virsec, says: “We welcome the DOE raising awareness around critical threats to the energy sector and laying out a strategy.

“While the strategy pillars are sound, making them actionable will be challenging – largely in view of the inertia behind legacy systems. “It's critical that we invest with speed and agility, and the roadmap's goal to accelerate game-changing RD&D of resilient systems stands out. “The administration's funding request for $96 million is hopefully just a down payment, because protecting our infrastructure adequately will cost billions.”