The distribution systems of the U.S. energy grid — the portions of the grid that carry electricity to consumers — are growing more susceptible to cyber-attacks, in part because of the spread of monitoring and control technology and the grid's growing reliance on it. However, the magnitude of the possible consequences of such attacks is not fully understood. Reports by the Government Accountability Office (GAO) indicate that the Department of Energy (DOE) needs to refocus and improve its efforts to manage cybersecurity risks and protect the nation's electric grid.
The 2021 GAO report indicated that although DOE had developed plans "to implement the national cybersecurity strategy for the grid", these plans "do not fully address risks to the grid's distribution systems." For instance, DOE's plans do not address the supply chain-related vulnerabilities of distribution networks. According to authorities, DOE has prioritized resolving threats to the grid's production and transmission systems over addressing supply chain risks. Until it addresses those risks, DOE's plans for grid distribution system cybersecurity will likely be of limited utility.
GAO has once more highlighted these concerns in its annual Priority Open Recommendations report for 2022, which outlines 26 priority recommendations for the Department of Energy, including improving cybersecurity.
"Recent high-profile cyberattacks targeting the public and private sectors highlight the urgent need to address cybersecurity weaknesses," warns the GAO report. According to the 2022 annual report, there are three outstanding cybersecurity recommendations that DOE must act upon.
Adoption of Cybersecurity Framework
The first open recommendation asks the Secretary of Energy to take appropriate actions, in consultation with partners such as the Department of Homeland Security (DHS) and NIST, to determine the level of cybersecurity framework adoption by entities within the energy sector.
Early in 2022, DOE undertook initial measures to determine framework uptake in the energy sector by tracking requests for a sector-specific cybersecurity toolkit, analyzing polling data, and requesting anecdotal accounts from sector entities on framework use. However, these attempts did not produce enough data for the agency to establish the extent of framework adoption in the energy sector.
To fully implement this recommendation, DOE must carry out its planned actions to determine the adoption of the framework by entities within its sector. Until risk management agencies have a more solid understanding of how the critical infrastructure sector uses the cybersecurity framework, they will be unable to gauge the success of protection measures or identify where to devote limited resources for cyber risk reduction.
Establish risk management programs
The second open recommendation directs the Secretary of Energy to design a cybersecurity risk management strategy that incorporates the aspects outlined in the GAO’s 2019 report on the topic.
In response to the 2019 report, DOE released its Enterprise Cybersecurity Program Plan (E-CSPP) in January 2022. This plan explains the department’s approach to cybersecurity risk management and the implementation of cybersecurity objectives from an organizational standpoint. In addition, the plan stipulates that energy grid facilities may use the E-CSPP as a model for planning, refining, maturing, and documenting their own cybersecurity programs.
Although the E-CSPP and DOE's risk management guidance cover most parts of a risk management strategy, they omit a discussion of organizational risk tolerance. Until DOE takes all necessary steps, it may lack an organization-wide understanding of acceptable risk levels and suitable risk response techniques for securing its systems and data.
Mitigate significant cybersecurity risks
The final cybersecurity recommendation directs the Energy Secretary to coordinate with DHS and other relevant stakeholders to develop a plan to implement the Federal cybersecurity strategy for the electric grid, and to ensure that the plan addresses key characteristics of a national strategy, including a comprehensive assessment of the grid’s cybersecurity risks.
DOE concurred with this recommendation and indicated in response that it was engaged in an interagency process to produce a National Cyber Strategy Implementation Plan that would consider DOE’s Multiyear Plan for Energy Sector Cybersecurity. However, according to the GAO, these documents do not completely cover all the requirements for implementing a national strategy.
Until DOE has a plan to implement the federal cybersecurity strategy for the grid that addresses all the key characteristics of a national strategy, including a comprehensive assessment of cybersecurity risks, the plan will likely provide limited guidance to decision makers in allocating resources to address risks and challenges.
Tripwire can help mitigate the increasing cyber risks to industrial control systems. The ICS solutions offered by Tripwire help you gain network visibility, continuously monitor your environment for potential problems, and increase your resilience. You can learn more by downloading the Field Guide to Industrial Cybersecurity.