On May 14, 2018, the Department of Energy (“DOE”) Office of Electricity Delivery & Energy Reliability released its Multiyear Plan for Energy Sector Cybersecurity (the “Plan”). The Plan is significantly guided by DOE’s 2006 Roadmap to Secure Control Systems in the Energy Sector and 2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity. Taken together with DOE’s recent announcement creating the new Office of Cybersecurity, Energy Security, and Emergency Response (“CESER”), DOE is clearly asserting its position as the energy sector’s Congressionally-recognized sector-specific agency (“SSA”) on cybersecurity.
Multiyear Plan for Energy Sector Cybersecurity
Under development over the last year, the Plan aligns with President Trump’s Executive Order 13800, which calls on the government to engage with critical infrastructure owners and operators to identify authorities and capabilities that agencies could employ to support critical infrastructure cybersecurity. To this end, the Plan lays out DOE’s integrated strategy to reduce cyber risks to the U.S. energy sector. The Plan seeks to leverage strong partnerships with the private sector to: (1) strengthen today’s cyber systems and risk management capabilities and (2) develop innovative solutions for tomorrow’s inherently secure and resilient systems. It identifies three goals to accomplish these priorities: (1) strengthen energy sector cybersecurity preparedness; (2) coordinate incident response and recovery; and (3) accelerate game-changing research, development and demonstration of resilient delivery systems.
Office of Cybersecurity, Energy Security, and Emergency Response
Featured heavily in the Plan is CESER, which was announced by DOE Secretary Perry on February 14, 2018. The announcement stated that CESER would be led by an Assistant Secretary, which the Administration has yet to nominate, and that President Trump’s FY 19 budget requested $96 million for the new office.
DOE Undersecretary Mark Menezes testified to Congress that “initially, the office will be comprised of the work we currently do” under existing programs. Indeed, DOE’s FY 19 budget request indicates that CESER will be formed from existing reliability programs in the Office of Electricity Delivery & Energy Reliability, which will be renamed the Office of Electricity Delivery (“OE”). OE will maintain the Transmission Reliability, Resilient Distribution Systems, Energy Storage, and Transmission Permitting and Technical Assistance programs, while CESER will inherit the Cybersecurity for Energy Delivery Systems (“CEDS”) program, currently led by Deputy Assistant Secretary Henry S. Kenchington, and the Infrastructure Security and Energy Restoration (“ISER”) program, currently headed by Deputy Assistant Secretary Devon Streit.
CEDS forms the core of DOE’s work on energy sector cybersecurity and aligns with the Plan’s goals of increasing energy cyber preparedness and developing new cybersecurity technologies. Besides conducting cybersecurity research and development, CEDS also oversees DOE’s primary programs for sharing cybersecurity information with the private sector. This includes the Cybersecurity Risk Information Sharing Program (“CRISP”), which facilitates timely bi-directional sharing of cyber threat information in order to monitor energy sector IT networks. At present, 75% of U.S. electric utilities participate in CRISP. CEDS also includes the Cybersecurity for Operational Technology Environment (“CYOTE”) pilot project, which applies lessons learned from CRISP to monitor operating technology (“OT”) networks. According to the budget request, DOE intends to improve both CRISP and CYOTE by integrating utility data into the Intelligence Community environment to enhance threat information. The request also states that DOE will create a new “Advanced Industrial Control System Analysis Center” within CEDS that will “span the DOE laboratory network and work in collaboration with private sector partners to use the analysis of energy sector supply chain component and model impacts to address system threats and vulnerabilities through technical solutions, share information about findings, and develop mitigation and response solutions.”
ISER provides technical expertise on supporting resiliency of critical infrastructure assets key to energy sector operation and addresses the Plan’s goal of coordinating incident response. ISER’s focus is operational and spans all hazards facing the energy sector. However, the DOE budget notes that in the next fiscal year, ISER will “build out its effective, timely, and coordinated cyber incident management capability” and “envisions” forming a team of at least six cyber energy responders to support incident response within the energy sector.
DOE’s Emerging Role in Energy Sector Cybersecurity
DOE, under the Trump Administration, is reprioritizing cybersecurity higher on the Department’s agenda. To be sure, the Plan and CESER are a reshuffling of already-existing resources rather than entirely new programs. But it is clear that DOE is intent on flexing its position under the Fixing America’s Surface Transportation Act (“FAST Act”) to act as the energy sector SSA on cybersecurity.
DOE’s efforts come as the Department of Homeland Security (“DHS”) is also increasing its profile on cybersecurity. Utilizing authority under the Cybersecurity Information Sharing Act, passed just weeks after the FAST Act in 2015, DHS has certified its National Cybersecurity and Communications Integration Center (“NCCIC”) as a certified portal to accept cybersecurity information. As such, entities enjoy liability protection for sharing cybersecurity information with the NCCIC, through programs like Automated Indicator Sharing (“AIS”) and the even more robust Cyber Information Sharing and Collaboration Program (“CISCP”).
Those within the energy sector can utilize both DOE’s and DHS’s information sharing programs to strengthen their cybersecurity. Coordination with the NCCIC and sharing through AIS or CISCP provides access to the government’s cross-sectoral cybersecurity activities, though reports indicate that businesses have been slow to adopt AIS. Tailored specifically to electricity, DOE’s CRISP and CYOTE programs represent a more specialized package of information sharing, particularly appropriate for electricity sub-sector stakeholders.
DHS and DOE can be expected to continue asserting jurisdictional claims over cybersecurity issues. Hopefully, this will represent little more than the traditional rivalry between government agencies, and result in complementary rather than competing federal cybersecurity programs.