The Department of Energy (DoE) – with help from industry and the Cybersecurity and Infrastructure Security Agency (CISA) – is kicking off a 100-day effort to improve electric infrastructure cybersecurity, the White House and DoE said today.
“The 100-day plan includes aggressive but achievable milestones and will assist owners and operators as they modernize cybersecurity defenses, including enhancing detection, mitigation, and forensic capabilities,” the White House National Security Council said in a statement.
The effort by DoE is the first in a series of similar campaigns that the White House said is “planned for multiple critical infrastructure sectors.”
The White House emphasized the partnership aspect of the electric infrastructure security effort, saying that “protecting our Nation’s critical infrastructure is a shared responsibility of government and the owners and operators of that infrastructure.”
DoE Puts Focus on ICS, Supply Chain
In a separate statement, the Energy Department said the 100-day effort will focus on industrial control systems used by electric utilities, along with improving energy sector supply chain security. The campaign “represents swift, aggressive actions to confront cyber threats from adversaries who seek to compromise critical systems that are essential to U.S. national and economic security,” DoE said.
DoE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) will put the focus on technologies to improve cyber visibility, detection, and response capabilities for utilities operating industrial control systems, the agency said.
Other specific goals of the effort include identifying and deploying systems “that enable near real-time situational awareness and response capabilities” in ICS and operational technology (OT) networks and improving the cybersecurity posture of critical infrastructure IT networks.
RFI Seeks Input on Energy Supply Chain
On top of the 100-day cyber push, DoE today released a new request for information (RFI) seeking input from industry, government, and academia “to inform future recommendations for supply chain security in U.S. energy systems.”
At the same time, a 2020 executive order restricting the use of equipment made by “foreign adversaries” in the United States bulk-power system is coming back into effect after it was suspended for 90 days at the beginning of the Biden administration. The White House said at the time that DoE and the Office of Management and Budget (OMB) would consider issuing a replacement order.
With new life for the executive order, DoE said comments in response to the RFI will enable the agency “to evaluate new executive actions to further secure the nation’s critical infrastructure against malicious cyber activity and strengthen the domestic manufacturing base.”
“The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses,” said DoE Secretary Jennifer Granholm in a statement today. “It’s up to both government and industry to prevent possible harms – that’s why we’re working together to take these decisive measures so Americans can rely on a resilient, secure, and clean energy system.”
“This partnership with the Department of Energy to protect the U.S. electric system will prove a valuable pilot as we continue our work to secure industrial control systems across all sectors,” added Brandon Wales, CISA’s Acting Director.
Not to be Confused With…
Eric Goldstein, executive assistant director for cybersecurity at CISA, said today at a CISA industrial control systems joint working group meeting that the 100-day cyber push announced by the White House today should not be confused with a plan announced by Homeland Security Secretary Alejandro Mayorkas earlier this month for six cybersecurity sprints geared toward ransomware, ICS security, and cyber workforce development, among other topics.
The goal of the DHS cyber sprint on ICS security, Goldstein said, “is to complement” the plan announced today by the White House by “making a national call to action” for ICS security.
