What Can We All Learn From the U.S. Department of Energy’s Cybersecurity Strategy?

In June 2018, the Department of Energy (DOE) released its cybersecurity strategy, which covers the period from 2018 to 2020. The 44-page document comes at a time of increased awareness around the risk of cyberattacks against the nation’s infrastructure. Bruce J. Walker, assistant secretary at the DOE’s Office of Electricity, noted as much in his written testimony to the U.S. Senate Committee on Energy and Natural Resources on March 1, 2018:

“Our adversaries understand that the energy sector is a valuable target because of the assets that the sector controls; including, our defense critical energy infrastructure. Accordingly, we have seen an increased interest in vulnerabilities of the ‘operating technology,’ or OT, of energy delivery systems and other critical infrastructure as well. The heavy use of OT systems has made electric utilities, oil and natural gas providers, hydro and nuclear facilities, and water utilities prime targets for OT-related cyber attacks.”

What’s In the DOE’s Updated ‘Cybersecurity Strategy’ Document?

The DOE’s cybersecurity strategy outlined four main goals to help the agency improve its own cybersecurity as well as that of the nation:

  1. Deliver high-quality IT and cybersecurity solutions.
  2. Continually improve cybersecurity posture, which covers all five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
  3. Transition from IT owner to IT broker for better customer focus.
  4. Excel as stewards of taxpayer dollars.

For the DOE, accomplishing these four goals will require leveraging four “Principles for Success” across the entire agency:

  1. “One Team, One Fight” — The need for the agency to act in a unified manner given the level of threat posed by malicious actors and nation states.
  2. Employment of Risk Management Methodology — This principle is grounded in the need to make the best use of limited resources and to continuously assess threats and derive lessons learned.
  3. Prioritized Planning and Resourcing — As the document notes, “Department planning, budgeting, and execution without cybersecurity at the fore can, as history has revealed at the Department, at other agencies, and in the private sector, result in harm that can cascade exponentially, leading to mission failure and, as importantly, loss of stakeholder trust.”
  4. Enterprisewide Collaboration — This principle recognizes the need for the agency to collaborate across its vast network and to adopt a “collaborative engagement” approach based on “encouraging and receiving input.”

Unlike the 2015 version, the DOE’s current “Cybersecurity Strategy” document contains a greater level of detail and, more importantly, an implementation plan, a performance plan with clear key performance indicators (KPIs), and an outline of the strategic alignment of the 2018 strategy with other federal cybersecurity efforts.

The strategy document exhibits improvements in the DOE’s own cybersecurity maturity with concepts such as information sharing “in near-real time,” taking a risk-management-based approach to prioritizing investments and improving responses, and developing continuous diagnostics and mitigation (CDM) capabilities, as opposed to point-in-time assessments. In his testimony, Walker noted that “continuous monitoring of critical networks and shared situational awareness is of utmost importance in protecting against malicious cyber activities.”

How Is the DOE’s Guidance Relevant to the Energy Sector?

While written primarily as an internal guide, the DOE strategy document has value that extends beyond the walls of the DOE. Organizations in the energy sector will note that the DOE strategy document builds on previous foundations, such as the “Cybersecurity Capability Maturity Model (C2M2),” which seeks to identify gaps by looking at cybersecurity maturity across 10 domains. Unfortunately, the C2M2 hasn’t been updated since 2014, and there is only a handful of resources at the intersection of the C2M2 and the NIST CSF, such as the “Energy Sector Cybersecurity Framework Implementation Guidance,” which was released in 2015. Also related are the “Electricity Subsector Cybersecurity Risk Management Process (RMP)” guidelines of 2012, which provide a multilevel view of risk management across the organization, the business mission and dimensions, and the information and operational technology dimensions.

For the energy sector, this is just another step in the industrywide initiative to make concrete progress in cybersecurity and cyber resilience. Nowhere is this pressure more evident than in the latest update to the National Association of Regulatory Utility Commissioners (NARUC)’s “Cybersecurity: A Primer for State Utility Regulators,” which was last updated in January 2017. This primer, while aimed at policymakers “charged with making decisions about the electric, gas, water, communications, and transportation systems that are vital to everyday life,” provides a list of more than 100 key questions for regulators to ask of regulated entities.

But the DOE “Cybersecurity Strategy” document also contains indicators of things to come for organizations in the energy sector, such as Objective 2.4, which provides guidance on incident analysis and response: “Develop, in collaboration with Energy sector owners and operators, information reporting requirements to form common operating picture.” This is part of the DOE’s ongoing effort to develop “cutting-edge cybersecurity solutions to strengthen and coordinate incident response capabilities and share resources.”

What Can Other Sectors Learn From the DOE?

Beyond the energy and government sectors in general, the DOE’s “Cybersecurity Strategy” document also provides a road map for chief information security officers (CISOs) and business leaders looking to specify their organization’s own approach and prioritize for the years ahead. The strategy document contains key items that should be part of any organization’s cybersecurity strategy, including:

  • A list of key challenges that the document sets out to address;
  • A reasonable number of clearly articulated goals for the time period;
  • An implementation plan that includes major tasks and activities;
  • A performance plan with KPIs; and
  • A list of foundational documents (standards, frameworks, etc.) such as those mentioned in Appendix D.

To make tangible improvements to the nation’s infrastructure, organizations across the country — and across industries — must adhere to the principles outlined in the DOE guidance. What better time to start than during National Cybersecurity Awareness Month (NCSAM)? As we transition from week three (“It’s Everyone’s Job to Ensure Online Safety at Work”) to week four (“Safeguarding the Nation’s Critical Infrastructure”), security professionals and nontechnical employees working in all sectors should consider the above guidance as they perform their daily jobs and understand how everyone’s online behavior can directly or indirectly impact an organization’s — or even the nation’s — security posture.

Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato...