Department of Energy calls for inputs on challenges facing energy sector supply chain

The Federal Register published on Monday a request for information (RFI) from the Department of Energy (DOE) seeking input from stakeholders on various issues faced in the energy sector supply chain, including cybersecurity. These inputs will assist the department in building an energy sector industrial base that is diverse, resilient, and competitive while meeting economic, national security, and climate objectives.

The RFI seeks input from all stakeholders involved directly or indirectly in the supply chains of energy and energy efficiency technologies, including but not limited to U.S. industry, researchers, academia, local governments, labor organizations, and civil society. ‘Cybersecurity and digital components’ was one of the issues on which the DOE sought responses, to improve its understanding of the interests, concerns, challenges, and policy needs of the private sector and communities at large with respect to the manufacturing processes of the evolving energy sector supply chain and industrial base.

The DOE has sought direction from the industry on how the government should approach the hardening of digital components for the energy sector supply chain and industrial base against physical and virtual tampering and national security threats. It also asked how the federal government should prioritize the protection of digital component supply chains.

Responses to the DOE RFI “will be reviewed and considered on a rolling basis but are due no later than 5 p.m. (ET) on Jan. 15, 2022,” it said. Online submissions are strongly preferred.

Cyber threats to critical infrastructure, including a rise in ransomware attacks, are a growing national security concern that can be triggered through digital component supply chain vulnerabilities, and several national initiatives are underway to counter this threat. The DOE has asked in its RFI whether there are energy sector-specific considerations or priorities the government should take into account to support the hardening of digital component supply chains against cyber threats, including the use of ransomware.

The DOE also called for direction on the steps the government should take to improve the trustworthiness of digital components in the energy sector supply chain and industrial base and to reduce reliance on untrusted software suppliers, integrators, and maintenance providers.

Given the highly dynamic and complex nature of global digital component supply chains, the DOE has asked stakeholders what policies the government should pursue to examine the provenance of digital components in energy sector systems. The agency also seeks input on how the government should approach prioritizing digital components and/or systems to manage supply chain risk.

The DOE also recognizes that providers of digital components may not have the same supply chain security requirements as asset owners in the energy sector. Given the interconnected nature and transitive risk among different digital components that comprise energy sector systems, the RFI seeks to know from industrial stakeholders how the government should address gaps and/or ensure consistency for supply chain security requirements for digital components.

As aggregated and curated data emerges as a global commodity and becomes a critical part of global digital supply chains, it presents a cyber supply chain risk similar to that posed by software: malicious manipulation of training or operational data can cause significant and nearly impossible-to-detect system failures. With the increasing application of artificial intelligence/machine learning capabilities to energy sector systems, the DOE RFI asks what policy steps the government could take to manage the cyber supply chain risk of data.

The DOE also looks into how the government can encourage and/or incentivize private sector owners and operators of energy sector critical infrastructure to include more national security risk considerations in their business risk decisions.

Addressing the issue of cybersecurity talent, the DOE has asked what specific skills are needed to develop and grow the workforce that builds, operates, and maintains secure digital components for the energy sector industrial base. It also sought information on whether there is a skills gap and/or supply gap in the workforce that develops and maintains software for industrial control systems (ICS), and which of those skills are lacking in current education and training programs. The RFI also asked what resources, including time and organizational structures, would be needed to train the cybersecurity workforce.

The DOE RFI also asked industrial partners what other input the federal government should be aware of to support a resilient supply chain of cybersecurity and digital components.

The initiatives taken by the DOE come at a time when public interest researcher Michael Mabee has repeatedly raised concerns about the security of the critical electric sector. He has carried out investigations on the security of the critical electric sector and detected the presence of Chinese transformer threats, which has since been confirmed by the administrations of two U.S. Presidents, Donald Trump and Joe Biden.

Mabee has called upon the DOE and the U.S. administration to act immediately: “through a Presidential Executive Order and a Department of Energy Emergency Order, protection of the entire electric grid against known threats must be made mandatory.”

Cybersecurity expert Joe Weiss drew attention to a recent publication by Norway-based assurance and risk management company DNV, a Recommended Practice on cybersecurity for power grid protection devices.

“The Recommended Practice is necessary because it addresses Operational Technology (OT) network security including patching, hardening, zones and conduits, secure remote access as well as programmatic elements,” Weiss wrote in a blog post. “However, necessary as it is, the Recommended Practice is not yet sufficient. To be sufficient, the Recommended Practice needs to address the Level 0,1 devices which have no cyber security, authentication, or cyber logging and the grid physics issues which can cause physical damage,” he added.

Weiss had recently pointed out that, in the wake of rising cyberattacks on critical infrastructure networks, there needs to be a better way to protect control systems and the physical processes they monitor and control. He stressed that since it is the process that counts, not the data, the focus of cybersecurity should be redirected accordingly.
