DOE’s Plans to Strengthen Cybersecurity
In late June, the U.S. Department of Energy unveiled the “National Cyber-Informed Engineering Strategy,” a bipartisan plan designed to strengthen the energy sector’s ability to withstand cyberattacks. The plan aims to build more cyber resilience into the manufacturing, development, and deployment of computer systems used by energy providers.
According to Puesh Kumar, DOE’s director of the Office of Cybersecurity, Energy Security, and Emergency Response, the U.S. energy sector faces ever-evolving cybersecurity threats. “According to the 2022 Office of the Director of National Intelligence (DNI) Annual Threat Assessment, our adversaries maintain capabilities to launch cyberattacks that could disrupt critical infrastructure, including industrial control systems in the U.S. energy sector,” he said. “Cybersecurity attacks on critical infrastructure are particularly consequential, and ensuring the security, reliability, and resilience of these systems is a top priority for the U.S. Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) and its partners in government and the private sector.”
Jennifer Granholm, secretary of the DOE, added that each stage of the clean energy transformation will bring with it an opportunity and an imperative to further increase security, reliability, and resilience in America’s energy sector.
“This framework, grown from earlier Congressional direction regarding threats to the nation’s energy sector, advocates for an evolutionary shift across the energy industry and related institutions, including researchers, standards bodies, Federal partners, and others,” she said. Its recommendations reflect expertise and insight from energy companies, energy systems and cybersecurity manufacturers, standards bodies, researchers, DOE National Laboratories, and Federal partners in the cybersecurity and engineering mission space. It encourages the adoption of a “security-by-design” mindset within the Energy Sector Industrial Base, which refers to building cybersecurity into the nation’s energy systems at the earliest possible stages, rather than trying to secure these critical systems after deployment.
Granholm added that Cyber-Informed Engineering (CIE) further guides DOE’s cyber workforce development by helping the agency and its partners focus on the strategic intersection between cybersecurity and engineering, addressing gaps in how it trains engineers and technicians and providing them with the means to build in security from the ground up. “When our workforce is properly educated and supported, we are better positioned to manufacture and maintain the tools that help us prevent and quickly recover from cyberattacks,” she said.
And, according to Kumar, the release of the CIE supports CESER’s five priorities. Those priorities are: 1) Strengthening the visibility of cyber threats in energy systems; 2) Addressing supply chain risks; 3) Promoting security- and resilience-by-design; 4) Building cyber and resilience capacity in the private sector and the State, local, territorial, and tribal communities; and 5) Being prepared to respond in partnership with the DOE’s government and industry partners when a cyber incident occurs in the energy sector. “CIE, in many ways, cuts across all those priorities through its five pillars: awareness, education, development, current infrastructure, and future infrastructure,” he said.