DOE report highlights ‘capability gaps’ in cybersecurity

04 June 2018

The US Administration recognises the growing security risk of cyber threats and has prioritised overcoming these challenges, Energy Secretary Rick Perry said in a statement marking one year since President Donald Trump signed Executive Order (EO) 13800. In the EO, titled Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, the president directed departments and agencies to develop multiple reports to further their understanding of the cybersecurity risks to the country and focus on opportunities to mitigate those risks.

The EO was divided into three sections addressing cybersecurity for federal networks, critical infrastructure, and the country overall. They built upon the existing federal framework for addressing cybersecurity risk management, while also calling for broad policy reviews by multiple government departments and agencies.

The DOE and the Department for Homeland Security partnered with other federal agencies and electric industry stakeholders from across the country to conduct the analysis required under the EO. On publication of that report on 30 May, the DOE said: "While it was found that no lasting damage - physical, cyber-physical, or otherwise - has been observed from the cyberattacks and intrusions targeting US utilities that have been reported to date, there are key trends that are increasing the risk of significant cyber incidents."

The DOE has taken an important step forward, Perry said in the same statement, through the recent creation of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER), which he said would further strengthen DOE's ability to play a vital role protecting energy infrastructure from cyber threats, physical attacks, and natural disasters.

"As the sector specific agency for the energy sector, DOE will continue to work with the Department of Homeland Security, our National Laboratories, public, and private sector partners to improve cybersecurity practices and develop next-generation tools and capabilities that can be leveraged to better understand and mitigate cyber vulnerabilities in the energy sector," Perry said.

The report says existing "capability gaps" fall largely into seven main categories: cyber situational awareness and incident impact analysis; roles and responsibilities under cyber response frameworks; cybersecurity integration into state energy assurance planning; electric cybersecurity workforce and expertise; supply chain and trusted partners; public-private cybersecurity information sharing; and resources for national cybersecurity preparedness.

"These takeaways will build on the already robust collaboration between government and industry on electricity sector cybersecurity," the DOE said. "Continuing to enhance these partnerships is critical to closing identified gaps in cybersecurity preparedness and response capabilities, limiting the potential scope and duration of a significant cyber incident and reducing impacts to the critical national economy, defence, and lifeline functions which the electric grid supports," it added.

Researched and written
by World Nuclear News