As energy services integrate more "smart" technologies, and as these technologies make their way into people’s homes, the Department of Energy (DOE) is refocusing its cyber strategy on securing a system that has become increasingly vulnerable: operational technology (OT).
The DOE is designated as the Sector Risk Management Agency for the energy sector and is responsible for maintaining and securing the power grid. Currently, the department is focused on increasing threat monitoring of operational systems, DOE CIO Ann Dunkin said at AFCEA’s Energy, Infrastructure, and Environment summit last week.
“Every one of those entry points that you and I have, and the utility companies have, is an entry point for cyber criminals to break in,” Dunkin said. “We have to secure not just, you know, the operation center, but your house, and your car, and the batteries on your house and your thermostat. … Those are connected to the grid, and the last thing we want to hear is that someone's Nest thermostat brought the grid down in D.C.”
The DOE is working on increasing visibility into its four federal Power Marketing Administrations (PMAs), which operate electric systems and sell the electrical output of federally owned and operated hydroelectric dams.
“I think that we are moving in the right direction with the PMAs, because OT is the huge area that we have neglected in the past,” Dunkin said. “So, working closely with them on understanding their operational technology and getting it well instrumented, so that we can get really good data from the PMAs.”
Meanwhile, DOE’s Office of Cybersecurity, Energy Security Emergency Response (CESAR) is partnering with the private energy sector to advance threat monitoring in the OT and industrial control systems (ICS) environment.
“For a very long time, we've done a really good job on IT side,” said CESAR Director Puesh Kumar. “OT is where we're seeing a lot of cyber adversaries focus, and that's the part of the network that can actually have impacts to energy delivery. We really need to get visibility. Ann and her team are thinking about that visibility into the PMA networks, we're thinking about it and working with the energy sector to also deploy similar technologies.”
As the department deploys advanced monitoring systems, it will also look at information-sharing between OT systems to get a holistic picture of the cyber-threat landscape.
Looking ahead, the DOE sees an opportunity to build enhanced OT security into the grid. The Infrastructure Investment and Jobs Act designated $62 billion for the DOE, focused on transitioning to clean energy and updating a decades-old power grid.
“This is a strategic opportunity like we've never had before,” Kumar said. “In many ways, with the grid of the past, we were bolting on cybersecurity. I think we have an opportunity now that we can all be seizing upon, where we actually design the grid with cyber-informed engineering. We’re engineering things more securely from the get-go.”