Our lives are constantly being intertwined with the digital world, making cybersecurity a critical component of daily life. And this is especially true when it comes to protecting the nation’s critical infrastructure, which delivers services that are vital to U.S. security, economic prosperity and the safety and well-being of Americans.
The President signed two documents that will strengthen these vital systems, including the electric power grid and oil and natural gas, against cyber attack. The first is a new Executive Order (EO), 13636, that directs the U.S. government to work with U.S. companies to share information on threats, and to assist critical infrastructure owners and operators in the protection of their systems by expanding the Enhanced Cybersecurity Services program. To encourage adoption of cybersecurity standards, the EO directs the National Institute of Standards and Technology to lead the development of a voluntary Cybersecurity Framework of baseline practices to reduce cybersecurity risk. I encourage you to respond to the related request for information; comments are due by April 8. The EO also calls for a review of existing cybersecurity regulation. The Energy Department will work closely with the energy sector stakeholders to review the framework and, if necessary, develop a program that helps companies with adopting and implementing the framework.
The Executive Order was developed in tandem with a new Critical Infrastructure Security and Resilience Presidential Policy Directive (PPD) that is designed to reduce vulnerabilities from all hazards, including cyber. This includes minimizing consequences, identifying and disrupting threats, and speeding up response and recovery efforts. The PPD defines three strategic imperatives: refine and clarify Federal roles and responsibilities; improve information sharing; and implement an improved analytical capability that will allow the Federal Government to work more effectively with owners and operators of the critical infrastructure.
As the sector-specific agency (SSA) for energy, DOE has a unique role in protecting and enhancing the nation’s critical energy infrastructure. As the Executive Order and PPD are implemented, the Energy Department will work closely with other federal agencies to review the voluntary cybersecurity framework and, if necessary, develop implementation guidance for the industry.
The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) is a great example of this partnership. This model allows electric utilities and grid operators to assess their cybersecurity capabilities and prioritize their actions and investments for improvement. The ES-C2M2 model will be provided as input for development of the framework.
As new threats to energy delivery systems continue to evolve, we will remain focused on the continued development of cybersecurity capabilities to protect the reliability and resilience of the critical energy infrastructure.