The DOE’s National Cyber-Informed Engineering Strategy seeks to implement cyber-informed engineering (CIE) practices into the nation’s energy infrastructure in preparation for the increased load and risk from evolving sustainable sources. Their recommendations include prioritizing CIE-related upgrades, maintaining an open-source library of CIE tools, and testing for the effectiveness of CIE-based implementations.
In an effort to ready US grid infrastructure to bear the load of sustainable energy sources, the Department of Energy (DOE) released a report titled “National Cyber-Informed Engineering Strategy”. In the words of Alejandro Moreno, the acting assistant secretary for energy efficiency and renewable energy at the DOE, “This crucial report lays out key cybersecurity challenges associated with wide-scale distributed energy deployment so clean energy industries and other stakeholders can work to reduce risks and protect American families.”
Cyber-informed engineering (CIE) is a hot topic in industrial defense, especially when it comes to critical national infrastructure. CIE entails baking cybersecurity considerations into the build of industrial complexes and inserting them where they are lacking today.
The report sums up that while an attack on the grid wouldn’t have a significant impact on energy reliability today, things might be different if the grid were to sustain pressure in the future, given the growth projections of future distributed energy resources (DER).
To that end, this document lays out DOE-backed recommendations for pushing the proposed solution (cyber-informed engineering) forward with greater alacrity. “The focus of the CIE strategy is to implement cybersecurity knowledge and strategies at the earliest possible phases of the energy system lifecycle,” noted Puesh Kumar, director of DOE’s Office of Cybersecurity, Energy Security and Emergency Response.
The report recommendations are divided into five subsets: Awareness, Education, Development, Current Infrastructure, and Future Infrastructure. However, it is beneficial to focus on how the guidelines apply to action-oriented areas, such as cybersecurity and managed security.
Make cyber-informed engineering (CIE) a household name
One of the first recommendations is to “embed CIE into formal education, training, and credentialing.”
To do this, the DOE suggests that utilities “develop a pipeline of CIE practitioners through education, training, and certification of CIE knowledge and skills.”
This pipeline of CIE-informed practitioners could be educated in-house or by outsourced teams. While CIE knowledge is still emerging, it might be beneficial to look to external training resources in order to ensure focused, comprehensive education. Going with a managed option also allows you access to a team of subject-matter experts dedicated to maintaining the most current CIE knowledge and training.
ITEGRITI specializes in critical national infrastructure defense and provides security training and awareness, organizational change management (if you decide to design a team in-house), and policy and supplier assessments (to ensure your third parties adhere to the same CIE best practices that you do), among other cybersecurity services.
Know how CIE relates to specific implementations
While not legally binding, the implementations outlined in a mature cyber-informed engineering approach must be acknowledged and maintained in order to be of any use.
Consequently, organizations that have a system for complying with cybersecurity policies will likely have the framework in place to be able to adhere to the full recommendations of the Development section and be able to reap the full benefits of a continually maintained CIE strategy.
As outlined in the Development section of the report, organizations are to:
- “Leverage the DOE National Laboratories, academia, government partners, and industry to continually improve and expand the applicability of CIE.
- Create and leverage a CIE Center of Excellence to execute the maturation of CIE.
- Create and maintain an open-source library of CIE tools, case studies, and lessons that support designers, manufacturers, and asset owners and operators in applying CIE principles.”
Much of this comes down to leadership. If an organization lacks clear direction from a CISO, for example, chances are high that these initiatives will fall through the cracks or fail to get picked up in the first place. ITEGRITI offers CISO advisory services, workforce support, and even a technology advisory and steering committee (vCompliance Team) to get these best practices off the ground. Other managed services, including virtual CISO services (vCISO), force-multiply smaller security teams and enable them to keep up with CIE implementation.
Implement CIE in existing infrastructure
This is where the rubber hits the road. The section on Current Infrastructure specifies that energy organizations are to “use a consequence-driven approach to identify and apply CIE principles to the nation’s systemically important critical infrastructure already commissioned and in service today.” In other words, take real steps to apply cyber-informed engineering to energy systems already in use. It’s time to start where we are and work backwards, with the hope that these principles will become baked in as energy resources evolve in the future.
To that end, power utilities are encouraged to:
- “Prioritize current infrastructure to apply CIE principles and identify needed upgrades.
- Identify, document, and promote methods to apply CIE principles to reduce high-consequence impacts on a variety of existing infrastructure types that offer a high return on investment.
- Develop methods to assess and validate the effectiveness of infrastructure upgrades and mitigations identified through CIE.
- Embed CIE into procurement decisions and provide incentives to asset owners who invest in applying CIE principles to secure high-priority existing infrastructure.”
Again, all these implementations come with the right amount of leadership and the right amount of peoplepower, something that has been hard to come by in a lot of municipal utilities and throughout critical infrastructure as a whole.
ITEGRITI has deep experience across critical infrastructure cybersecurity programs, compliance, risk, and audit. Contact us today to learn how we can leverage this experience to help you accomplish your cybersecurity goals.