DOE is Taking a Collaborative Approach to Secure the Electrical Grid

The Department of Energy and Cybersecurity Infrastructure Security Agency (CISA) released new measures to ensure security and resilience of the nation’s power grid in response to various incidents throughout 2022 that threatened electrical substations throughout the U.S.

The product released in February provides substation owners, operators and stakeholders with updated threat information and protective measures that can help improve a substation’s on-site physical security.

DOE saw a need for this multi-layered approach to security after a series of attacks resulted in major property damage and cut off electricity to thousands of residents. Having awareness of the threat environment and solutions is seen as a key step in the right direction.

“While the work has always been ongoing, it was critical to bring it back to the attention of everyone and remind them of those best practices,” DOE Preparedness, Policy and Risk Analysis Deputy Director Mara Winn told GovCIO Media & Research “This helps improve a substation’s on-site physical security, and we wanted to make sure there were resources to guide the awareness of the threat environment, what implementation of protective physical security measures were possible and have that layered security strategy to ultimately reduce or minimize the impact of an attack.”

Securing the power grid from cyberattacks has become evermore critical amid new operating environments that allow for more remote connectivity. Securing the grid means reducing risks for all sectors.

“We know that the energy sector is the underpinning of the other sectors, so it’s absolutely critical to make sure that we have resilient and coordinated critical infrastructure,” Winn said. “That means having that layered security through the day-to-day federal interface with a sector. We also do it in coordination with CISA.”

Collaborations to Improve Cyber Resiliency and Awareness

The new product with CISA is just one of many collaborations at DOE to modernize cybersecurity. For CISA, the agency is striving to amplify reporting methods to better mitigate attacks and streamline response and recovery.

“A secure, web-enabled e-filing system to submit DOE-417 Electric Emergency Incident and Disturbance Reports regarding physical and cyber incidents that occur on the electric grid,” David Mussington, executive assistant director for infrastructure security at CISA, told GovCIO Media & Research. “This allows the reporting entity to simultaneously request submission to NERC, the Electricity Information Sharing and Analysis Center (E-ISAC) and CISA Central.”

Furthermore, the Pre-Ransomware Notification Initiative launched in March allows CISA to warn organizations that ransomware actors gained initial access to their networks.

“Since the start of 2023, CISA has notified more than 60 entities across the energy, health care, water/wastewater, education and other sectors about potential pre-ransomware intrusions, of which several identified and remediated the intrusion before encryption or exfiltration occurred,” Mussington said.

Another effort is the Cybersecurity Risk Information Sharing Program (CRISP), a public-private partnership between DOE and the Electricity Information Analysis Center (EISAC).

“We collaborate with energy-sector partners to facilitate bidirectional sharing of cyber information, and it happens in a timely manner,” Winn said. “This is awareness done in partnership of what threats are hitting our utilities that choose to participate and making sure they get real-time analysis and response mechanisms.”

Winn also highlighted the Cybersecurity Capability Maturity Model, C2M2, a tool that helps industries assess and improve their cybersecurity of their energy systems as well as the Cybersecurity Operational Technology Environment also known as the (CyOTE) initiative.

“CyOTE enhances the energy sector’s ability to detect anomalous behaviors and threats within the operational technology networks,” Winn said. “One of the critical attributes of the energy sector is the integration with the OT networks, and this initiative aims to develop tools and capabilities that provide the electricity sector with timely alerts and actionable information.”

DOE also has a specialized program called Cyber Testing for Resilient Industrial Control Systems (CyTRICS) that partners with stakeholders to identify high-priority OT components. Not only does it perform expert testing and share information about vulnerabilities in the digital supply chain, it also informs improvements in component design and manufacturing of energy technologies.

“It’s a great program because it partners both with utilities so they can understand what they’re procuring, what the risks are and how to design their systems better, but it also partners with the manufacturers because they want to do better and make sure their systems continue to reduce vulnerabilities,” Winn said.

DOE is also looking at how it can ensure the energy infrastructure partners are prioritizing efforts based on the latest threat information.

The agency’s pilot Energy Threat Analysis Center (ETAC) brings experts from industry and government together to jointly analyze and address cyber threats to the energy sector. They make sure they do so in collaboration and ensure any mitigations or responses are done so with the mindset on how this affects the energy system.

“Through this operational approach, we’re going to close the gaps in our collective situational awareness of those threats and improve our ability to mitigate and defend against them because we will be able to support the response to incidents within the energy system in that truly focused and informed way,” Winn said. “We also leverage the incredible capabilities of the national labs and the subject matter experts in different areas like electric, oil and natural gas, and cyber technologies, and we make sure they are sitting at the table bringing that subject matter expertise so that we are fully informed of the capabilities so that our industry partners can leverage all of them to address the threats. “

Measuring Cybersecurity Goals

To prioritize cybersecurity practices to reduce risk to critical infrastructure, CISA in March released an updated set of cross-sector Cybersecurity Performance Goals.

“These goals are applicable across all critical infrastructure sectors and informed by the most common and impactful threats and adversary tactics, techniques and procedures observed by CISA and its government and industry partners, making them a common set of protections that critical infrastructure entities of all sizes should implement,” Mussington said.

The goals include: identify, protect, detect, respond and recover.

While these goals identify the overarching cybersecurity practices that can be implemented throughout each critical infrastructure sector, CISA is working with sector risk management agencies on more specifics.

“In most instances, these goals will likely consist of either new, unique additional goals with direct applicability to a given sector, or materials to assist sector constituents with effective implementation of the existing cross-sector [goals],” Mussington said. “For the energy sector specifically, CISA is participating in a joint DOE/[National Association of Regulatory Utility Commissioners] effort to develop a cybersecurity baseline for electrical utilities and distributed energy resources, which will be published in fall 2023.”