Addressing cybersecurity is critical to enhancing the security and reliability of the nation’s electrical grid. While integrating advanced technologies is essential to building a grid for the 21st century, it is also necessary to continue strengthening protections that mitigate vulnerabilities arising from increased complexity and interdependency. Cybersecurity of advanced technologies, including energy delivery systems, is critical for protecting the energy infrastructure and the integral function that it serves in our lives.
Cybersecurity technologies developed to protect business IT computer systems and networks can break an energy delivery control system. Energy delivery control systems are uniquely designed and operated to control real-time physical processes that deliver continuous and reliable power to support national and economic security. As such, they require security solutions that meet unique performance requirements, design, and operational needs.
DOE plays a major role in protecting and enhancing the cybersecurity of our Nation’s critical infrastructure. Homeland Security Presidential Directive (HSPD) 7 established a national policy for federal departments and agencies to act as “Sector-Specific Agencies” for 18 critical infrastructure sectors. As the Energy Sector-Specific Agency, DOE has a responsibility to promote a resilient infrastructure within the Electricity subsector as well as the Oil and Natural Gas subsector. DOE OE champions effective risk management programs, secure and reliable information sharing and situational awareness, and relevant research and development (R&D) activities.
DOE aligns energy delivery system cybersecurity R&D efforts with the energy sector-led, DOE-facilitated, strategic framework presented in the 2011 Energy Delivery Systems Cybersecurity Roadmap, which is an update of the original 2006 Roadmap to Secure Control Systems in the Energy Sector. The vision of the Roadmap is that resilient energy delivery systems are designed, installed, operated and maintained to survive a cyber incident while sustaining critical functions. The Roadmap, with its energy sector-led strategy and vision, is the outcome of a public-private partnership that engaged all energy sector stakeholders.
To advance the Roadmap vision, DOE's Cybersecurity for Energy Delivery Systems Research and Development Program (CEDS) fosters and actively engages in collaborations among all energy stakeholders from the earliest stages in the research process – utility, vendor, national lab, academic, and government – working together to perform research at the intersection of power system engineering and the computer science of cybersecurity.
The Roadmap has helped produce a number of new technologies that are now being deployed to enhance cybersecurity in the sector, including more secure "hardened" SCADA systems, advanced intrusion detection systems, and a secure communications protocol for grid substations. Examples include research and development of:
- Cybersecurity protections for control systems that only allow expected cyber-activity for substation-hardened computers, communication processors, and control system networks.
- Near-real-time cybersecurity situational awareness capabilities for the energy-sector control system environment.
- Role-based access control that enforces a least privilege architecture for energy delivery control systems.
- Mitigations that harden energy-sector communication protocols against cyber-attack and that enforce proper communications within energy delivery control systems.
- A secure information exchange gateway that secures communications between control centers.
- A low-power, small-size technology that provides strong authentication, logging, alarming and secure communications for intelligent field devices operating at the distribution level, and that alerts the central control system if the field device has been subjected to physical tampering.
The following sites summarize specific efforts led by DOE OE and others to address cybersecurity in the electric sector:
Other Cybersecurity Programs and Initiatives
The CEDS National SCADA Test Bed (NSTB) is a one-of-a-kind national resource that draws on the integrated expertise and capabilities of national labs. Established in 2003, the NSTB core capabilities combine a network of the national labs’ state-of-the-art operational system testing facilities with expert research, development, analysis, and training to discover and address critical security vulnerabilities and threats the energy sector faces. National Labs that make up NSTB include:
- Argonne National Laboratory
- Idaho National Laboratory
- Lawrence Berkeley National Laboratory
- Los Alamos National Laboratory
- Oak Ridge National Laboratory
- Pacific Northwest National Laboratory
- Sandia National Laboratories
CEDS issues competitive solicitations for research and development of capabilities that advance cybersecurity for energy delivery control systems. These research and development projects are conducted by collaborations of energy sector stakeholders, including academia, national laboratories, energy sector vendors and utilities, to ensure the developed capability meets energy sector needs.
CEDS also provides funding to the Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) university collaboration, in partnership with DHS, and the Software Engineering Institute (SEI). More on TCIPG and SEI can be found at the links below:
H.R.3183, the Energy and Water Development and Related Agencies Appropriations Act of 2010, required the DOE to establish an independent national energy sector cyber security organization. Through a competitive process, DOE selected EnergySec to form the National Electric Sector Cybersecurity Organization (NESCO) and the Electric Power Research Institute (EPRI) to serve as the research and analysis resource for NESCO, called the National Electric Sector Cybersecurity Organization Resource (NESCOR). More about NESCO and NESCOR can be found at the links below:
- National Electric Sector Cybersecurity Organization
- National Electric Sector Cybersecurity Organization Resource
Cybersecurity Risk Management
While cybersecurity risks cannot be completely eliminated, they can be managed through informed decision-making processes. Managing cybersecurity risk is critical to the success of the energy sector and the reliable generation and delivery of electricity.
The focus of DOE OE’s risk management and cybersecurity capabilities development activities is to support organizations in assessing risk to national electric infrastructure and to promote robust cybersecurity practices within the Electricity Subsector. The following resources summarize efforts supported by DOE OE and others to provide a consistent approach to managing cybersecurity risks:
- Cybersecurity Risk Management Process Overview
- Cybersecurity Risk Management Process
- NARUC Cybersecurity for State Regulators Primer
Approaches to securing grid technologies and to protecting privacy should be designed and implemented early in the development lifecycle. In partnership with DHS, DOE developed the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), which allows electric utilities and grid operators to assess their cybersecurity capabilities and prioritize their actions and investments to improve cybersecurity. This resource, along with Guidelines for Smart Grid Cybersecurity developed by NIST, can be found at the links below: