The U.S. Department of Energy's Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has taken a significant step forward in bolstering the cybersecurity of America's energy sector. CESER has developed a new framework of best practices aimed at securing clean energy cyber supply chains, with a particular focus on key technologies used in managing and operating electricity, oil, and natural gas systems.
This comprehensive framework is the result of collaborative efforts involving energy automation and industrial control system (ICS) manufacturers, as well as the expertise of the Idaho National Laboratory, renowned for its cybersecurity research. The guidelines offer a robust set of recommendations for both suppliers and consumers in the energy sector, emphasizing risk management, transparency, operational resilience, and proactive incident response.
"As new digital clean energy technologies are integrated, we must ensure they are cyber secure to prevent destruction or disruption in services," U.S. National Security Advisor Jake Sullivan said in a June 18th White House statement. "The G7 will work to establish a collective cybersecurity framework for operational technologies for both manufacturers and operators."
The framework has two key components: the 10 Best Cybersecurity Practices for Suppliers and the 10 Best Cybersecurity Practices for Consumers.
The framework focuses on the following key areas:
Risk management
Both suppliers and consumers are encouraged to adopt a risk-based approach to cybersecurity. This involves identifying, assessing, and mitigating potential threats throughout the supply chain.
Transparency
The framework emphasizes the importance of open communication between suppliers and consumers regarding security practices, potential vulnerabilities, and incident response capabilities.
Operational resilience
Guidelines focus on ensuring that energy systems can continue to function or quickly recover in the face of cyber incidents.
Proactive incident response
The framework stresses the importance of having well-defined and regularly tested incident response plans to minimize the impact of potential cyberattacks.
The development of this framework represents a crucial step in securing America's energy infrastructure against evolving cyber threats. By providing clear guidelines for both suppliers and consumers, CESER aims to create a more resilient and secure energy sector.
"Supply chain risks, especially within the energy sector, are complex and difficult to identify and manage. The new U.S. Department of Energy's CESER framework is a structured approach to managing complex energy sector cybersecurity risk," said Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit. "CESER includes best practices to conduct risk assessments of third-party vendors in the supply chain, implement network segmentation to limit blast radius and isolate critical systems, regularly patch and update systems, and more. Risk management, with a focus on identifying the risk, with transparency, incident response, and operational resiliency, are critical—especially in areas of critical infrastructure. And the CESER framework approach supports this."
The manufacturing sector experienced the second highest number of cyberattacks among U.S. industries last year at 218, with only the healthcare sector experiencing more attacks, according to FBI data. On a global scale, nearly half of critical manufacturers are at risk of a cyberattack, with many organizations lacking visibility into their broader business ecosystems to successfully fend off an attack.
To combat the heightened risk, the Biden Administration has taken an increased interest in fortifying U.S. manufacturing and supply chain security. In November, the administration created the White House Council on Supply Chain Resilience, which was formalized earlier this month by Executive Order.
At the agency level, the DOE has been working with energy distributors in recent months to improve cybersecurity. The department created similar "baselines" in February aimed at improving the security of distribution systems and distributed energy resources.
The department also rolled out $30 million in January to fund research, development, and demonstration projects focused on improving the cybersecurity of clean energy resources.
"It's great to see a convergence between recommendations from the Department of Energy and what cyber insurers demand," said Jose Seara, CEO and Founder at DeNexus. "It's time for regulations, cybersecurity best practices, and insurance to get aligned and truly enable energy companies to make progress with their security control and maximize their budget for the best protection of business operations."
As clean energy technologies continue to play an increasingly important role in the country's power systems, the implementation of these best practices will be vital in ensuring the reliability and security of the energy supply. It's a reminder that cybersecurity in the energy sector is not just about protecting digital assets, but about safeguarding critical infrastructure that millions of Americans depend on every day.