Energy Department Releases New Guidance for Strengthening Cybersecurity of the Grid's Supply Chain
As part of the Obama Administration’s commitment to a strong and secure power grid, the Energy Department released new guidance to help U.S. industry strengthen energy delivery system cybersecurity. Developed through a public-private working group including federal agencies and private industry leaders, the Department’s Cybersecurity Procurement Language for Energy Delivery Systems guidance provides strategies and suggested language to help the U.S. energy sector and technology suppliers build in cybersecurity protections during product design and manufacturing.
“The Energy Department is committed to building a stronger and more secure electric grid through partnerships with industry, state and local governments and other federal agencies,” said Energy Secretary Ernest Moniz. “As we deploy advanced technologies to make the U.S. power grid more reliable and resilient, we must simultaneously advance cybersecurity protections. The cybersecurity guidance released April 28th will help industry further strengthen these technologies and protect our critical energy infrastructure.”
The new guidance released April 28th focuses on helping utilities and other energy sector organizations purchase technologies that include cybersecurity protections and features – improving the overall reliability and security of energy delivery systems and ensuring that the testing, manufacturing, delivery, and installation of new technologies emphasize cybersecurity requirements. This energy delivery systems guidance builds on the Cybersecurity Procurement Language for Control Systems guidance developed in collaboration between industry, the Energy Department, its Idaho National Laboratory, and the Department of Homeland Security in 2009.
“Managing supply chain risk is a key cybersecurity challenge,” said White House Cybersecurity Coordinator Michael Daniel. “This new guidance is a great example of the Administration's continued emphasis on building a strong partnership between industry and government. These efforts have produced tangible results, including this resource, which will enable organizations to use the principles in the new Cybersecurity Framework to address supply chain considerations.”
“The electric utility industry continues to build upon our key partnership with the Department of Energy, and this collaborative effort is another great example of how our industry-government partnership is helping to strengthen grid security and resilience,” said EEI President Tom Kuhn. “This guidance will further the discussion of cybersecurity requirements between industry operators and suppliers during the procurement process to help build cybersecurity protections into the nation's evolving energy infrastructure.”
“The new guidelines from the Department of Energy will be helpful in advancing the security precautions of public power utilities,” said Sue Kelly, President and CEO of the American Public Power Association. “By building a foundation of cybersecurity in collaboration with vendors, we can reduce the risk of successful cyber-attacks on energy delivery systems.”
“As electric cooperatives embrace grid modernization, we appreciate the Department of Energy’s efforts to reduce cybersecurity risks inherent in the procurement process,” said Craig Miller, Chief Scientist at the National Rural Electric Cooperative Association. “This timely project raises the bar and helps ensure that utilities – from the smallest to the largest – ask the right questions when purchasing the hardware and software that will help run our electric delivery systems.”
Strengthening U.S. Power Grid Cybersecurity
As part of the Energy Department’s broader efforts to support a strong, secure and resilient power grid, the Department is working with grid owners and operators, national laboratories, universities and other federal agencies to share best practices and deploy new technologies.
In the past year, the Energy Department has released Cybersecurity Capability Maturity Models for the electricity and oil and gas sectors. These models help organizations evaluate, prioritize and improve their cybersecurity capabilities using a common set of industry practices that helps further strengthen their defenses. Over 230 organizations, including more than 100 utilities, have requested this tool.
At the same time, the Department is developing tools to help grid owners and operators know about unusual activity as soon as possible – enabling quicker and more effective responses. In 2013, the Energy Department launched the Cybersecurity Risk Information Sharing Program to provide electricity sector organizations with near-real-time cyber threat information and analysis. To date, eight organizations have installed a DOE-developed information sharing device, which provides continuous monitoring and helps quickly identify potential threats and mitigation tactics. Twenty new organizations are expected to join the program this year.
Between 2010 and 2013, the Energy Department invested more than $100 million in cybersecurity research, development and commercialization projects. Earlier this month, the Department made $10 million available to national laboratories and other federally funded research and development centers for competitively-selected projects on new tools and technologies that will further enhance the cybersecurity of energy delivery systems.
Read the full Cybersecurity Procurement Language for Energy Delivery Systems guidance and find more information on the Energy Department's efforts to modernize and secure the power grid.