“Despite improving defenses, it has become increasingly difficult for energy companies to keep up with growing and aggressive cyberattacks,” the document states.
The department is trying to change that dynamic through a strategy to boost threat-sharing with the private sector, curb supply-chain risk, and accelerate research and development to make energy systems more resilient to hacking.
The strategy will serve as a roadmap for the new Office of Cybersecurity, Energy Security, and Emergency Response.
“Today, any cyber incident has the potential to disrupt energy services, damage highly specialized equipment, and threaten human health and safety,” Bruce Walker, an assistant secretary of Energy, said in the plans.
The document acknowledges the risk of cascading power disruptions due to the interconnectivity of the country’s energy systems. As a result, the department is looking to improve its ability to respond to cyber incidents, which it says “may require a different set of resources, personnel, and skills than traditional energy disruptions.”
DOE officials also want to expand the department’s Cybersecurity Risk Information Sharing Program, which shares threat data with the private sector, and set up a virtual “malicious code repository” for organizations to exchange a trove of malicious files for analysis.
Alongside DOE’s cybersecurity efforts, regulators and lawmakers have moved to make the grid more resilient to hacking.
A ruling issued last month by the Federal Energy Regulatory Commission requires utilities to implement security controls on everyday electronics like laptops and flash drives that interact with “low-impact” systems. Legislation currently before the House of Representatives, meanwhile, would set up a voluntary DOE program for testing the security of ICS products.
The DOE strategy follows a Department of Homeland Security advisory in March that Russian government hackers had been collecting data on industrial control systems (ICS) in the U.S. energy sector as part of a two-year hacking campaign.
Such reconnaissance on the ICS that underpin the power sector is one thing, but documented cases of malware tailored to attack those systems are much rarer. The last decade has seen just a handful of them, with one example coming last August when hackers caused an oil and gas plant in Saudi Arabia to shut down.
ICS security specialists have drawn lessons from each of those high-profile malware incidents, and regulations in recent years have strengthened cybersecurity considerably in the energy and nuclear sectors.