Bottom Line Up Front: The Department of Energy (DOE) will implement new cybersecurity programs to enhance energy sector resilience. DOE’s announcement coincides with the Senate Energy and Natural Resources Committee’s support for the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER). Expect to see resilience to cyber attacks in future government procurement activities.

On March 18, 2021, CESER announced several new research programs designed to enhance the safety and resilience of the U.S. energy sector. The Trump administration established CESER to protect critical energy infrastructure by assisting oil, natural gas, and electricity industries secure their infrastructure. Currently, energy infrastructure faces threats not only from climate and natural hazards, but also evolving and increasing physical and cyber threats.

CESER aims to broaden its protections for energy infrastructure with new programs focusing on: (1) global supply chain security, (2) electromagnetic and geomagnetic interference, and (3) the next generation of cybersecurity.

1. To secure against vulnerabilities in globally-sourced technologies deployed in the U.S. energy sector, CESER is joining forces with the Schweitzer Engineering Laboratories in the Cyber Testing for Resilient Industrial Control System program. By testing various hardware and software used in the energy sector, CESER will be able to identify and address potential security vulnerabilities within industrial control systems.
2. Electromagnetic pulse attacks and geomagnetic disturbance events have the potential to overload and damage energy systems. By researching and assessing systemic vulnerabilities to these types of events, CESER will be better able to develop methods for protecting against and mitigating the impacts of electromagnetic and geomagnetic interference on energy infrastructure.
3. When looking forward toward the next generation of cybersecurity, CESER will aid in the training of future cybersecurity experts and support the research and development of new cybersecurity technologies. Next month, CESER plans to announce a new funding opportunity to support partnerships with universities, with the goal of fostering new and innovative security solutions.

DOE acknowledges that securing critical energy infrastructure remains vital to U.S. national interests, and CESER’s programs will be at the forefront of DOE’s efforts to improve the resiliency and reliability of the energy sector.  Fortunately, this appears to be an area where the White House and the Senate agree.

A March 25, 2021 letter from the bipartisan leaders of the Senate’s Energy and Natural Resources Committee to Energy Secretary Jennifer Granholm urges prioritizing cybersecurity at DOE and maintaining CESER’s leadership role in the face of persistent threats to the power grid. The Committee’s letter cites a Government Accountability Office report, warning that the nation’s electrical grid is “increasingly at risk from cyberattacks,” recommending that DOE include cybersecurity as a priority effort in its plans to protect these systems.

What does this mean for stakeholders in the energy sector?

The most likely scenario involves a combination of additional resources and increased expectations for resilient systems, at least for those systems purchased or used by the Federal government:

• 2021 National Defense Authorization Act (NDAA) appropriated $37.5 million dollars and 82 full-time equivalent personnel for Homeland Security’s Stakeholder Engagement and Requirements program.
• NDAA amends the Homeland Security Act of 2002, authorizing the Department of Homeland Security (DHS) to appoint a Cybersecurity State Coordinator in each of the fifty states who is responsible for building strategic public and voluntary private sector relationships to facilitate the development and maintenance of secure and resilient infrastructure.
• NDAA also requires new military construction contracts include an evaluation of the life-cycle designed cost and the energy security and energy resilience capabilities of facilities built under new contracts.

Congress’s intent with the DHS appropriation to provide assistance to critical infrastructure appears to be supported by the White House:

• In February 2021, the General Services Administration confirmed it would continue to incorporate cybersecurity requirements historically used in military procurement contracts into government-wide acquisition contracts (GWACs), incrementally raising the bar for civilian agencies’ procurement requirements.
• On April 1, 2021 Deputy National Security Advisor Anne Neuberger said in an interview with the Associated Press that the government committed to assisting electric utilities, water districts and other critical industries to protect themselves against cyberattacks.
• On April 6, 2021, DOE announced it had earmarked $8 million to fund development of cyber-physical concepts for ensuring the resiliency and security of electric grid infrastructure.
  • Funding opportunity includes sponsored collaboration with universities to install, operate and maintain energy infrastructure that remains able to perform essential functions after a cyber-attack.