The U.S. Department of Energy (DOE) released the National Cyber-Informed Engineering (CIE) Strategy to enhance engineering training, tools, and practices to construct cyber-resilient clean energy systems. The Strategy emphasises early adoption of cybersecurity technology in designed systems to decrease cyber risks and vulnerabilities, especially foreign actor threats.
Pursuant to congressional direction, the Office of Cybersecurity, Energy Security, and Emergency Response (CESER)-led Securing Energy Infrastructure Executive Task Force (SEI ETF) developed the National CIE Strategy, building on foundational work developed at Idaho National Laboratory.
“Building a powerful and resilient grid that can withstand the full gamut of modern cyber threats begins at the design level,” said Jennifer M. Granholm, U.S. Secretary of Energy.
She added that through this strategy, the DOE lays out a plan to ensure that the once-in-a-generation investment from the Bipartisan Infrastructure Act safeguards the energy sector and delivers a stronger, cleaner electric grid.
The National CIE Strategy outlines the application of cybersecurity technology throughout the engineering design lifecycle of grid development. It also assures that automated grid systems are built to be resilient and cyber security.
The Strategy is structured around five pillars: Awareness, Education, Development, Current Infrastructure, and Future Infrastructure — and tries to design out cyber weaknesses to lessen or eradicate them. Even if a cyberattack is successful, the CIE Strategy aims to reduce the likelihood of interruptions to the nation’s essential energy infrastructure.
The National Defence Authorisation Act for Fiscal Year 2020 directed DOE to convene a multi-stakeholder working group, comprised of senior technical leaders from across government, industry, academia, and the DOE National Laboratories, to develop a new strategy to defend the nation’s energy infrastructure against cybersecurity threats, vulnerabilities, and risks in the most critical industrial control systems.
CESER established the Securing Energy Infrastructure Executive Task Force to lead the creation of the National CIE Strategy, discover new classes of security vulnerabilities in industrial control systems, and evaluate the technology and standards utilised to secure industrial control systems.
Constant Obstacles in Cybersecurity
The industrial control systems that operate the vital energy infrastructure are subject to increasingly severe and complex cyberattacks by tenacious enemies. Energy systems must be designed to withstand purposeful cyber penetration, exploitation, and misuse to prevent interruptions to the nation’s vital energy services.
Traditional engineering includes a substantial amount of safety and failure mode analysis, but these risk management approaches rarely account for the threats posed by an intelligent and capable adversary with the intention of denying, disrupting, or destroying a critical function through cyber means. Most cybersecurity solutions are “bolted on” towards the end of the engineering lifecycle, as opposed to being fundamentally designed into the system.
CIE is an emerging technique for integrating cybersecurity into the idea, design, development, and operation of any physical system with digital connectivity, monitoring, or control. It employs design decisions and technical controls to minimise or even remove cyber-enabled attack vectors or to lessen the impact of an attack.
While specialised information technology and operational technology cybersecurity experts bring strong cybersecurity capabilities to securing today’s energy systems, many of the engineers and technicians who design and operate these energy systems lack the education and training necessary to engineer systems for cybersecurity from the outset, in the same way, they engineer systems for safety.