The U.S. Department of Energy has released the 2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity. Developed as an update to the 2006 Roadmap to Secure Control Systems in the Energy Sector, this report outlines a strategic framework over the next decade among industry, vendors, academia and government stakeholders to design, install, operate, and maintain a resilient energy delivery system capable of surviving a cyber incident while sustaining critical functions.
“Increased insight from private-public collaborations will allow us to better protect the nation’s energy delivery systems that keep our lights on and the power flowing,” said U.S. Energy Secretary Steven Chu. “The 2011 Roadmap takes the necessary steps to strengthen the security and reliability of our country’s electric grid, in a climate of increasingly sophisticated cyber incidents.”
Based on ideas and input from the energy sector, the 2011 Roadmap signifies a continued effort by public and private stakeholders to identify steps to build, deploy, and improve the cyber resilience of the nation’s computer-based systems that manage operational processes in the electric, oil, and natural gas industries. The 2011 Roadmap also supports the Administration’s goal of building a 21st century clean energy economy supported by a secure, reliable, electricity system delivering power to American homes and businesses.
“This update marks a continued effort by public and private energy sector stakeholders to reduce cyber vulnerabilities that could disrupt the nation's ability to deliver power and energy,” said White House Cybersecurity Coordinator Howard A. Schmidt. “It extends the commitment of industry and government to work in partnership to develop, deploy, and maintain resilient energy delivery systems that sustain the essential energy services our national security, safety, and economy depend upon.”
“The Roadmap, in addition to the North American Electric Reliability Corporation’s (NERC’s) current efforts, proactively addresses evolving cybersecurity threats and vulnerabilities that threaten electricity reliability,” said Gerry Cauley, president and chief executive officer at NERC and chairman of the Electricity Sub-sector Coordinating Council. “This public-private partnership brings together the expertise from government and industry to ensure the security and reliability of the bulk power system.”
Developed by the Energy Sector Control Systems Working Group, a partnership of energy infrastructure cybersecurity leaders from government and industry, the 2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity outlines five strategies that must be pursued to achieve the report’s agenda. The five strategies include:
- Build a Culture of Security. When integrated with reliability practices, a culture of security ensures sound risk management practices are periodically reviewed and challenged to confirm that established security controls remain in place and changes in the energy delivery system or emerging threats do not diminish their effectiveness.
- Assess and Monitor Risk. Assessing and monitoring risk gives companies a thorough understanding of their current security posture, enabling them to continually assess evolving cyber threats and vulnerabilities, their risks, and responses to those risks.
- Develop and Implement New Protective Measures to Reduce Risk. In this strategy, new protective measures are developed and implemented to reduce system risks to an acceptable level as security risks—including vulnerabilities and emerging threats—are identified or anticipated. These security solutions are built into next-generation energy delivery systems, and appropriate solutions are devised for legacy systems.
- Manage Incidents. When proactive and protective measures fail to prevent a cyber incident, detection, remediation, recovery, and restoration activities minimize the impact of an incident on an energy delivery system. Post-incident analysis and forensics enable energy sector stakeholders to learn from the incident.
- Sustain Security Improvements. Sustaining aggressive and proactive energy delivery systems security improvements over the long term requires a strong and enduring commitment of resources, clear incentives, and close collaboration among stakeholders. Energy sector collaboration provides the resources and incentives required for facilitating and increasing sector resilience.
Visit 2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity to view the full report.
Key Documents that Support 2011 Roadmap Also Released
DOE also released two documents this week that support the 2011 Roadmap goals.
- The Vulnerability Analysis of Energy Delivery Control Systems report, prepared by Idaho National Laboratory, describes the common vulnerabilities on energy sector control systems, and provides recommendations for vendors and owners of those systems to identify and reduce those risks.
- The Department of Energy, in collaboration with the National Institute of Standards and Technology and the North American Electric Reliability Corporation, released a draft of the Electricity Sector Cybersecurity Risk Management Process Guideline for public comment. The Risk Management Process Guideline offers a flexible approach to managing cybersecurity risks across all levels of the organization, and is available for public comment until October 28, 2011.