DOE, EPA support NSM-22 focused on critical infrastructure security and resilience


The U.S. Department of Energy (DOE) welcomes the release of National Security Memorandum 22 (NSM-22) on Critical Infrastructure Security and Resilience by President Joe Biden. The memorandum enhances the role of Sector Risk Management Agencies (SRMAs), including DOE, in leading risk management efforts in collaboration with energy asset owners and operators, state, local, tribal, and territorial (SLTT) partners, international partners, manufacturers, academia, and other stakeholders. Likewise, the Environmental Protection Agency (EPA) highlights the initiative, as it takes important steps to secure the nation’s water infrastructure.

NSM-22 will help ensure U.S. critical infrastructure continues to provide the nation with a strong and innovative economy, protect American families, and enhance collective resilience to disasters before they happen, while also strengthening the nation for generations to come. It also replaces a decade-old presidential policy document on critical infrastructure protection and launches a comprehensive effort to protect U.S. infrastructure against all threats and hazards, current and future.

NSM-22 states that the DOE shall carry out its statutory responsibilities to address the short-, mid-, and long-term energy challenges facing the nation, including those implicating electricity, petroleum, natural gas, nuclear material, and other energy resources and services, in coordination with relevant federal departments and agencies, as appropriate. Consistent with its authorities, DOE leads the policy, preparedness, risk analysis, technical assistance, research and development, operational collaboration, and emergency response activities for the U.S. energy sector.

By clarifying the role of the SRMA, the NSM reinforces DOE’s role in addressing short- and long-term energy challenges facing the nation. As the SRMA, DOE continues to be a federal lead for policy, preparedness, risk analysis, technical assistance, research and development, operational collaboration, and emergency response activities for the U.S. energy sector. 

Within the DOE, the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) will hold primary responsibility for the execution of day-to-day SRMA responsibilities. Critical to this mission will be CESER’s continued partnership with the Electricity Subsector Coordinating Council (ESCC), Oil and Natural Gas Coordinating Council (ONG SCC), state energy and emergency officials, and others in the energy sector.  

NSM-22 also encourages the establishment of minimum requirements and accountability mechanisms for the security and resilience of critical infrastructure. DOE will work with energy sector stakeholders and regulators to take stock of existing resilience, security, and reliability requirements and identify gaps that could benefit from new requirements to keep pace with the growing climate, cyber, and physical risks facing the sector. 

The memorandum also prioritizes operational collaboration models with private sector partners to reduce risk to critical infrastructure, which DOE has underway through a number of efforts, including the Energy Threat Analysis Center (ETAC) pilot.  

“The actions taken by the Biden-Harris Administration will support federal agencies, the intelligence community, and our stakeholders to be even more empowered to prioritize security as we build a resilient clean energy future,” Jennifer M. Granholm, U.S. Secretary of Energy, said in a media statement. “We refuse to turn a blind eye to any risks facing our critical infrastructure, and today’s announcement strengthens President Biden’s whole-of-government approach to prepare for and mitigate against emerging threats and hazards to our energy infrastructure.”

The DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) detailed that a large majority of the critical energy infrastructure in the U.S. is owned and operated by private companies, so it is crucial that lines of communication between the federal government and these companies remain open and that risk management is approached with a sense of shared responsibility.

“CESER facilitates both the Electricity Subsector Coordinating Council (ESCC) and the Oil and Natural Gas Subsector Coordinating Council (ONGSCC) in partnership with the Department of Homeland Security and other agencies,” Puesh M. Kumar, director of the DOE’s CESER, wrote in a Tuesday post. “These groups bring executives from the energy sector together regularly to identify security and resilience challenges and advance policy, technology, and preparedness solutions. The ESCC, in particular, is led by 30 CEOs who work hand-in-hand with DOE to advance the security and resilience of the energy sector in partnership with the highest levels of government.” 

Kumar added, “We work closely with the DOE National Laboratories who are powerhouses of expertise when it comes to energy systems, cybersecurity, modeling, and capabilities to advance the security of the nation’s energy systems through advanced research, development, and demonstration. The world-class subject matter experts at the laboratories are part of the extensive network of resources that make the DOE an incredibly effective SRMA for the energy sector and I am proud of the work we do together.”

While DOE has a time-tested SRMA model, there is always room for improvement, he noted. “In the coming months, we will work to develop an Energy Sector Risk Assessment in close coordination with the private sector and will undertake a series of additional implementation activities including the development of an energy SRMA operating plan and contributing to a cross-sector National Risk Assessment Plan.”

Earlier this week, the DOE released a summary report on the potential benefits and risks of artificial intelligence (AI) use for critical energy infrastructure, as part of the federal administration’s approach towards harnessing the benefits of AI and ensuring its responsible and safe deployment. The agency also provides an initial risk assessment on AI for the critical energy infrastructure.

“Cybersecurity and climate change threats pose serious risks to the drinking water and wastewater services that people in this country rely on every day, and recent cyber attacks on water systems underscore the urgency of increased and coordinated action to protect public health and the environment,” Janet McCabe, deputy administrator at the EPA, said in a media statement. “The Biden-Harris Administration is leading a comprehensive effort to secure our nation’s critical infrastructure against all threats, and the efforts outlined in the new National Security Memorandum are vital to ensuring that EPA and other federal entities are taking the necessary steps to safeguard public health and our economy.”

Commenting on the release of NSM-22, Mark E. Green, a Republican from Tennessee and House Committee on Homeland Security Chairman, and Andrew Garbarino, a Republican from New York and Subcommittee on Cybersecurity and Infrastructure Protection Chairman, said that with the Cybersecurity and Infrastructure Security Agency’s (CISA) role solidified and the 16 critical infrastructure sectors reaffirmed, the Department of Homeland Security (DHS) is better positioned to lead the whole-of-government approach to the nation’s cyber defense and prevent visibility gaps across industry sectors that impact the daily lives of Americans.

“We look forward to seeing updates to the Sector-Specific Plans, which are core to effectively implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA),” they added in their statement. “As most critical infrastructure entities are privately owned and operated, we will continue to conduct oversight of CISA to ensure it is working to bolster critical infrastructure resiliency through strengthening public-private partnerships––not by adding additional burdens on the private sector.”

Earlier this year, President Biden signed an executive order aimed at enhancing the capabilities of the DHS to counter maritime cyber threats. The action is in response to increasing concerns over threats to U.S. critical infrastructure from nation-states and broader security issues related to the reliance on overseas supply chains. Additionally, it addresses worries about cyber risks to port facilities and maritime transportation, prompting a shift in crane manufacturing back to the U.S., particularly due to concerns regarding threats from China.
