Dive Brief:
- The Department of Energy released a new framework of best practices for securing clean energy cyber supply chains, including key technologies used to manage and operate electricity, oil and natural gas systems.
- The principles outline 10 best cybersecurity practices for suppliers, as well as 10 for consumers, with a focus on risk management, transparency, operational resilience and proactive incident response.
- The Biden administration called out the heightened need for such guidance as the threat of cyberattacks against the energy sector continues to grow from both foreign and domestic actors.
Dive Insight:
The Energy Department's Office of Cybersecurity, Energy Security, and Emergency Response developed the guidelines with input from energy automation and industrial control system manufacturers, as well as the Idaho National Laboratory, which specializes in cybersecurity research.
The department lists 10 best practice areas for both suppliers and end users. For suppliers, they include priorities such as maintaining vulnerability management processes that follow industry best practices, as well as providing product support, including security patches and mitigations, throughout the lifecycle of an end user transaction.
For end users, the department encourages the inclusion of contractual language for “those terms, conditions, and testing requirements that will influence your security outcomes,” and working with suppliers to fully understand and integrate appropriate cybersecurity controls and platforms.
The U.S. is not alone in its boosted efforts related to manufacturing cybersecurity — the issue was discussed among leaders at the G7 Summit in Apulia, Italy, earlier this month. Officials there committed to "continue discussions" on how to improve cybersecurity resilience in key sectors, including how to improve supply chain security.
"As new digital clean energy technologies are integrated, we must ensure they are cyber secure to prevent destruction or disruption in services," National Security Advisor Jake Sullivan said in a June 18 White House statement. "The G7 will work to establish a collective cybersecurity framework for operational technologies for both manufacturers and operators."
The cyber threat to U.S. critical manufacturing is growing. The sector experienced the second highest number of cyberattacks among U.S. industries last year at 218, falling behind only the healthcare sector, according to FBI data. On a global scale, nearly half of critical manufacturers are at risk of a cyberattack, with many organizations lacking visibility into their broader business ecosystems to successfully fend off an attack.
To combat the heightened risk, the Biden administration has taken an increased interest in fortifying U.S. manufacturing and supply chain security. In November, the administration created the White House Council on Supply Chain Resilience, which was formalized earlier this month by executive order.
At the agency level, the DOE has been working with energy distributors in recent months to improve cybersecurity. The department created similar "baselines" in February aimed at improving the security of distribution systems and distributed energy resources.
The department also rolled out $30 million in January to fund research, development and demonstration projects focused on improving the cybersecurity of clean energy resources.