The US Department of Energy (DOE) has launched an initiative to enhance the cybersecurity of electric utilities’ industrial control systems (ICS) and secure the energy sector supply chain. The initiative takes the form of a 100-day plan to confront cyber threats from adversaries who seek to compromise critical systems that are essential to US national and economic security.
The plan, a coordinated effort between DOE, the electricity industry, and the Cybersecurity and Infrastructure Security Agency (CISA), has been announced as the Biden Administration has lifted the ban on Chinese-manufactured power system equipment.
“The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses,” said Secretary of Energy Jennifer M. Granholm in a statement. “It’s up to both government and industry to prevent possible harms—that’s why we’re working together to take these decisive measures so Americans can rely on a resilient, secure, and clean energy system.”
“The safety and security of the American people depend on the resilience of our nation’s critical infrastructure. This partnership with the Department of Energy to protect the US electric system will prove a valuable pilot as we continue our work to secure industrial control systems across all sectors,” said CISA Director (Acting) Brandon Wales.
Over the next 100 days, DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), in partnership with electric utilities, will continue to advance technologies and systems that will provide cyber visibility, detection, and response capabilities for industrial control systems of electric utilities.
The initiative will modernise cybersecurity defenses and:
Encourage owners and operators to implement measures or technology that enhance their detection, mitigation, and forensic capabilities;
Include concrete milestones over the next 100 days for owners and operators to identify and deploy technologies and systems that enable near real time situational awareness and response capabilities in critical industrial control system (ICS) and operational technology (OT) networks;
Reinforce and enhance the cybersecurity posture of critical infrastructure information technology (IT) networks; and
Includes a voluntary industry effort to deploy technologies to increase the visibility of threats in ICS and OT systems.
In addition, DOE released a new Request for Information (RFI) to inform future recommendations for supply chain security in U.S. energy systems. The RFI is coupled with the DOE revoking the “Prohibition Order Securing Critical Defense Facilities.” This process is aimed at strengthening the domestic manufacturing base and will allow the procurement of some types of bulk power system equipment from China.
In light of these amendments, the Department expects that utilities continue to act in a way that minimises the risk of installing electric equipment and programmable components that are subject to foreign adversaries’ ownership, control, or influence.