The Department of Energy is optimistic it can find success in its new framework for building resilient clean energy systems that are capable of withstanding malicious cyberattacks.
The DOE last week unveiled the National Cyber-Informed Engineering Strategy, a bipartisan plan to strengthen the energy sector’s ability to withstand a cyberattack. The plan looks to incorporate more cyber resilience during the manufacturing, development and deployment of computer systems used by energy providers, according to DOE officials.
“The focus of the CIE strategy is to implement cybersecurity knowledge and strategies at the earliest possible phases of the energy system lifecycle,” said Puesh Kumar, director of DOE’s Office of Cybersecurity, Energy Security and Emergency Response.
The DOE effort comes at a critical time for the energy sector, which is a high-profile critical infrastructure target. The ransomware attack against Colonial Pipeline last year also added urgency to efforts to address the threats against critical infrastructure.
That incident disrupted gasoline delivery to the southeastern and eastern U.S. for almost a week in May 2021, causing gasoline prices to spike and gas stations to temporarily shut down as panicked consumers scrambled to secure dwindling fuel supplies.
“The Colonial Pipeline incident was a stark reminder of the imperative to harden the nation’s critical infrastructure against serious and growing threats like ransomware,” Kumar said via email.
Russia's invasion of Ukraine placed renewed pressure on the energy grid as the U.S. and NATO member countries announced sanctions on Russian gas and fuel providers. Allied countries had to shift toward alternative energy sources.
The energy sector in several European Union countries was successfully targeted by cyberattackers following the Ukraine invasion. Threat actors targeted oil trading facilities in Amsterdam-Rotterdam-Antwerp and also took down thousands of wind turbines belonging to Germany’s Enercon. U.S. officials issued repeated warnings of threats to U.S. energy providers related to the Russian invasion and U.S. sanctions.
But cyberthreats to the U.S. energy sector go back more than a decade. In March, the Justice Department unsealed indictments against four Russian government employees for hacking campaigns against global energy targets between 2012 and 2018.
Built-in safeguards
To protect against these heightened threats, the CIE strategy aims to incorporate cybersecurity safeguard into system electronics early that are designed to withstand a sophisticated attack, according to Manny Cancel, senior vice president of the North American Electric Reliability Corp. and president of the Electricity Information Sharing and Analysis Center.
In addition, the plan is to instill better cyber resilience at the academic level so educators help develop workers with the skills required to become cyber aware.
Ben Miller, vice president, professional services and R&D at Dragos, said it’s hard to assign a risk value to the electric grid.
“What we do know is that technology is increasingly interconnected and the threat groups are increasing in number, but also [in] sophistication around critical infrastructure [systems] such as industrial control systems," Miller said via email.
A group of 18 organizations connected to the oil and gas industry pledged to take collective action on cyber resilience during the World Economic Forum in May. The group included some of the world’s top energy companies, including Aramco, Suncor and Occidental Petroleum.
“Energy security is national security,” Megan Samford, vice president and chief product security officer for energy management at Schneider Electric, said via email. “Cyber Informed Engineering is all about designing security directly into the products and systems, focusing on those that are most critical.”