GAO report presses upon DOE to improve efforts to manage cybersecurity risks, work on electric grid resilience

A recent report from the U.S. Government Accountability Office (GAO) has identified eight additional priority recommendations for the U.S. Department of Energy (DOE), bringing the total number to 26. Among the recommendations, the GAO called for improving cybersecurity, bringing about worker protections, and building electric grid resilience. 

“The energy sector is part of the nation’s critical infrastructure that provides essential services that underpin American society,” GAO said in a report released last week. “Recent high-profile cyberattacks targeting the public and private sectors highlight the urgent need to address cybersecurity weaknesses. Implementing three priority recommendations, such as developing a cybersecurity risk management strategy, would improve DOE’s efforts to manage cybersecurity risks and to protect the nation’s electric grid,” it added.

The first recommendation calls upon the Secretary of Energy to consult with respective sector partners, such as the sector coordinating council, the Department of Homeland Security (DHS), and the National Institute of Standards and Technology (NIST), as appropriate, to develop methods for determining the level and type of framework adoption by entities across the energy sector.

Secondly, the Secretary of Energy should develop a cybersecurity risk management strategy that includes the key elements identified in the report. Thirdly, the Secretary of Energy, in coordination with the DHS and other relevant stakeholders, should develop a plan to implement the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the electric grid. 

Addressing the first recommendation, the congressional watchdog said that the DOE did not explicitly agree or disagree with the recommendation. “In early 2022, the agency took initial steps to determine framework adoption for the energy sector by tracking requests for a sector-based cybersecurity toolkit, assessing polling data, and obtaining anecdotal reports on framework use from sector entities. However, those efforts did not provide sufficient information for the agency to determine the level and type of framework adoption throughout the energy sector,” the report added. 

DOE officials said that they were exploring additional strategies, such as leveraging data from trade associations and carrying out additional feedback sessions with other groups, to obtain broader information across the sector, the GAO report said. “DOE is also exploring other steps to collect more information, such as learning new approaches to measuring adoption and engaging with national laboratories to report on sector usage of the framework and other derivative frameworks aligned with NIST guidance,” it added. 

To fully implement this recommendation, the DOE needs to implement these planned steps effectively to determine framework adoption among entities within its sector, the GAO report said. “Until sector risk management agencies have a more comprehensive understanding of the use of the cyber framework by the critical infrastructure sectors, they will be limited in their ability to understand the success of protection efforts or to determine where to focus limited resources for cyber risk mitigation,” it added.

GAO said that the DOE agreed with its second recommendation. “In January 2022, DOE issued its Enterprise Cybersecurity Program Plan (E-CSPP), which outlines the department’s approach to cybersecurity risk management and the implementation of cybersecurity requirements from an organizational perspective. The plan further specifies that departmental elements may refer to and leverage the E-CSPP as a template to plan, refine, mature, and document their own cybersecurity programs,” it added. 

The GAO report said that the E-CSPP, along with DOE risk management amplification guidance, addresses most elements of a risk management strategy. However, neither the E-CSPP nor most of the departmental element plans that GAO reviewed included a detailed discussion of organizational risk tolerance.

As of April 2022, DOE had not provided additional documentation of its cybersecurity risk tolerance, according to the report. “In order to fully implement this recommendation, DOE should ensure that its plans provide such a discussion. Until it does so, the department may lack a clear organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect its systems and data,” it added. 

The DOE agreed with the GAO’s third recommendation. “In its response to our report, DOE stated that it was working through an interagency process to develop a National Cyber Strategy Implementation Plan that would consider DOE’s Multiyear Plan for Energy Sector Cybersecurity. However, those documents do not fully address all of the key characteristics needed to implement a national strategy, such as fully assessing cybersecurity risks to the electricity grid,” it added. 

As of May 2022, DOE did not have an estimated date for issuing a report related to these efforts, the GAO report said. While DOE considers its measures sufficient to close this recommendation, GAO said additional actions are needed. To fully address the recommendation, DOE should develop a plan for implementing the federal cybersecurity strategy for the electric grid, ensure that the plan addresses the key characteristics of a national strategy, and coordinate that plan with the DHS and other relevant stakeholders.

Until DOE ensures that it has a plan to implement the federal cybersecurity strategy relating to the grid that addresses all of the key characteristics of a national strategy, including a full assessment of cybersecurity risks, the guidance that the plan provides to decision-makers in allocating resources to address risks and challenges will likely be limited, GAO said.

To build electric grid resilience, GAO recommended that the Secretary of Energy should establish a plan, including time frames, to guide the agency’s efforts to develop tools for resilience planning. The plan would include performance measures for resilience, a framework for resilience planning, and additional information on the cost of long-term power outages. The DOE agreed with the recommendation, in principle. Secondly, the report suggested that the Secretary of Energy should develop and implement a department-wide strategy to coordinate its efforts that defines goals and measures progress to enhance the resilience of the electricity grid to the risks of climate change. Here, the DOE agreed with the recommendation.

Last week, GAO revealed in a report that the Department of Defense’s (DOD) Industrial Base Policy office does not yet have a consolidated and comprehensive strategy to cover risk mitigation to the industrial base. Instead, the office uses a combination of four previously issued reports created for other requirements because it devoted its resources to completing other priorities.
