On May 14, 2018, the Department of Energy (DOE) Office of Electricity Delivery & Energy Reliability released its Multiyear Plan for Energy Sector Cybersecurity (“Plan”). The Plan is significantly guided by DOE’s 2006 Roadmap to Secure Control Systems in the Energy Sector and 2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity. Taken together with DOE’s recent announcement creating the new Office of Cybersecurity, Energy Security, and Emergency Response (CESER), DOE is clearly asserting its position as the energy sector’s Congressionally recognized sector-specific agency (SSA) on cybersecurity.
Multiyear Plan for Energy Sector Cybersecurity
Under development over the last year, the Plan aligns with President Trump’s executive order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which calls on government to engage with critical infrastructure owners and operators to identify authorities and capabilities that agencies could employ to support the cybersecurity of critical infrastructure. To this end, the Plan lays out DOE’s integrated strategy to reduce cyber risks to the U.S. energy sector. The Plan seeks to leverage strong partnerships with the private sector both to strengthen today’s cyber systems and risk management capabilities and to develop innovative solutions for tomorrow’s inherently secure and resilient systems. It identifies three goals to accomplish these priorities. They are:
- Strengthen energy sector cybersecurity preparedness.
- Coordinate incident response and recovery.
- Accelerate game-changing research, development, and demonstration of resilient delivery systems.
Office of Cybersecurity, Energy Security, and Emergency Response
Featured heavily in the Plan is CESER, which was announced by DOE Secretary Perry on February 14, 2018. That announcement stated that CESER would be led by an assistant secretary, which the administration has yet to nominate, and that President Trump’s fiscal year 2019 (FY 19) budget requested $96 million for the new office.
DOE Undersecretary Mark Menezes testified to Congress that “initially, the office will be comprised of the work we currently do” under existing programs. Indeed, DOE’s FY 19 budget request indicates that CESER will be formed from existing reliability programs in the Office of Electricity Delivery & Energy Reliability, which will be renamed the Office of Electricity Delivery (OE). OE will maintain the Transmission Reliability, Resilient Distribution Systems, Energy Storage, and Transmission Permitting and Technical Assistance programs, while CESER will inherit the Cybersecurity for Energy Delivery Systems (CEDS) program, currently led by Deputy Assistant Secretary Henry S. Kenchington, and the Infrastructure Security and Energy Restoration (ISER) program, currently headed by Deputy Assistant Secretary Devon Streit.
CEDS forms the core of DOE’s work on energy sector cybersecurity and aligns with the Plan’s goals of increasing energy cyber preparedness and developing new cybersecurity technologies. Besides conducting cybersecurity research and development, CEDS also oversees DOE’s primary programs for sharing cybersecurity information with the private sector. This includes the Cybersecurity Risk Information Sharing Program (CRISP), which facilitates timely bi-directional sharing of cyber threat information in order to monitor energy sector information technology (IT) networks. At present, 75% of U.S. electric utilities participate in CRISP. CEDS also includes the Cybersecurity for the Operational Technology Environment (CYOTE) pilot project, which applies lessons learned from CRISP to monitor operational technology (OT) networks, the control-system side of utility operations that CRISP’s IT-focused monitoring does not cover.
According to the budget request, DOE intends to improve both CRISP and CYOTE by integrating utility data into the intelligence community environment to enhance threat information. The request also states that DOE will create a new “Advanced Industrial Control System Analysis Center” within CEDS that will “span the DOE laboratory network and work in collaboration with private sector partners to use the analysis of energy sector supply chain component and model impacts to address system threats and vulnerabilities through technical solutions, share information about findings, and develop mitigation and response solutions.”
ISER provides technical expertise in support of the resilience of the critical infrastructure assets key to energy sector operations and addresses the Plan’s goal of coordinating incident response. ISER’s focus is operational and spans all hazards facing the energy sector, not just cyber incidents. However, the DOE budget notes that in the next fiscal year, ISER will “build out its effective, timely, and coordinated cyber incident management capability” and “envisions” forming a team of at least six cyber energy responders to support incident response within the energy sector.
DOE’s Emerging Role in Energy Sector Cybersecurity
DOE under the Trump administration is moving cybersecurity higher on the department’s agenda. To be sure, the Plan and CESER are more a reshuffling of already-existing resources than wholly new programs. But it is clear that DOE intends to exercise its position under the Fixing America’s Surface Transportation Act (FAST Act) to act as the energy sector SSA on cybersecurity.
DOE’s efforts come as the Department of Homeland Security (DHS) is also increasing its profile on cybersecurity. Utilizing authority under the Cybersecurity Information Sharing Act (CISA), passed just weeks after the FAST Act in 2015, DHS has certified its National Cybersecurity and Communications Integration Center (NCCIC) as the portal for accepting cybersecurity information under the Act. As such, entities enjoy the Act’s liability protection for sharing cybersecurity information with NCCIC, through programs like Automated Indicator Sharing (AIS) and the even more robust Cyber Information Sharing and Collaboration Program (CISCP).
Those within the energy sector can utilize both DOE’s and DHS’s information sharing programs to strengthen their cybersecurity. Coordination with NCCIC and sharing through AIS or CISCP provides access to the government’s cross-sector cybersecurity activities, though reports indicate that businesses have been slow to adopt AIS. Tailored specifically to electricity, DOE’s CRISP and CYOTE represent a more specialized package of information sharing, particularly appropriate for electricity sub-sector stakeholders.
DHS and DOE can be expected to continue asserting jurisdictional claims over cybersecurity issues. Hopefully, this will represent little more than the traditional rivalry between government agencies and result in complementary rather than competing federal cybersecurity programs.
—Eric Hutchins is an associate and Paul Tiao is a partner in Hunton Andrews Kurth’s Washington, D.C., office.