Puesh Kumar, director of the Energy Department’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), detailed several steps that the agency is taking to implement executive branch and DoE supply chain security policies during a virtual event hosted by FCW on March 16.
The threat of cyberattacks on critical infrastructure is a growing concern, especially as supply chain systems are increasingly interconnected, digitized, and remotely operated. In response to this concern and directives from the White House, the Department of Energy (DoE) has released several reports detailing cybersecurity threats, vulnerabilities, and risks to supply chains for digital components in energy sector systems.
In February 2021, President Biden released Executive Order 14017, America’s Supply Chains, directing Federal agencies to develop plans to build resilient, diverse, and secure supply chains to ensure U.S. economic prosperity and national security. On Feb. 24 of this year, DoE Secretary Jennifer Granholm submitted America’s Strategy to Secure the Supply Chain for a Robust Clean Energy Transition to President Biden in response to the EO. Since then, DoE has produced 14 reports assessing several critical components of the energy sector.
Kumar talked about one of the reports during his March 16 presentation, along with steps that DoE is taking to boost security in several of the energy subsectors.
“Digital components in the U.S. energy sector systems are vulnerable and subject to cyber supply chain risks stemming from a variety of threats, vulnerabilities, and impacts,” Kumar said. “In constructing this report we looked at how we could get visibility of these threats so that we could mitigate them and respond to them before any real harm is done.”
The DoE CESER report identifies key cyber supply chain vulnerabilities including:
- Reliance on untrusted foreign suppliers and software developers;
- Reliance on opaque and highly dynamic global supply chains for digital goods and services;
- High and often unrecognized reliance on ubiquitous key digital components in energy sector systems that have the potential for cascading effects if concurrently compromised; and
- Fragmentation and inconsistent oversight of interdependent cyber supply chains.
The report also highlights “key cyber threats including national security threats from adversary nations with sophisticated intelligence collection and cyber capabilities and threats from criminal actors employing ransomware attacks via digital supply chains,” Kumar said.
Public-Private Partnerships Combating Threats
As the front-line team addressing emerging cyber threats to the energy infrastructure, a critical part of CESER’s work is engaging with state, local, Tribal, and territory officials and their industry partners. “Cyber at the energy department is a team effort,” Kumar explained.
More than 80 percent of U.S. energy infrastructure is owned by the private sector and fuels the transportation industry, powers households and businesses, and distributes other energy sources that drive the economy.
“The energy infrastructure is a very complex sector and protecting it cannot be solely on the shoulders of the Federal governments or private organizations. We lean on this foundation of public/private partnerships to better secure this critical infrastructure,” Kumar said.
To help meet cyber and supply chain threats, DoE established the Electricity Subsector Coordinating Council to serve as the principal liaison between leadership in the Federal government and in the electric power sector to coordinate efforts to prepare for national-level incidents or threats to critical infrastructure.
The agency also established the Oil and Natural Gas Subsector Coordinating Council to coordinate oil and natural gas security strategies, activities, policy, and communication across the sector to support the nation’s homeland security mission.