On May 14, 2018, the Department of Energy (“DOE”) Office of Electricity Delivery & Energy Reliability released its Multiyear Plan for Energy Sector Cybersecurity (the “Plan”). The Plan is significantly guided by DOE’s 2006 Roadmap to Secure Control Systems in the Energy Sector and 2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity. Taken together with DOE’s recent announcement creating the new Office of Cybersecurity, Energy Security, and Emergency Response (“CESER”), DOE is clearly asserting its position as the energy sector’s Congressionally-recognized sector-specific agency (“SSA”) on cybersecurity.
Multiyear Plan for Energy Sector Cybersecurity
Under development over the last year, the Plan aligns with President Trump’s Executive Order 13800, which calls on the government to engage with critical infrastructure owners and operators to identify authorities and capabilities that agencies could employ to support critical infrastructure cybersecurity. To this end, the Plan lays out DOE’s integrated strategy to reduce cyber risks to the U.S. energy sector. The Plan seeks to leverage strong partnerships with the private sector to: (1) strengthen today’s cyber systems and risk management capabilities and (2) develop innovative solutions for tomorrow’s inherently secure and resilient systems. It identifies three goals to accomplish these priorities: (1) strengthen energy sector cybersecurity preparedness; (2) coordinate incident response and recovery; and (3) accelerate game-changing research, development and demonstration of resilient delivery systems.
Office of Cybersecurity, Energy Security, and Emergency Response
Featured heavily in the Plan is CESER, which was announced by DOE Secretary Perry on February 14, 2018. The announcement stated that CESER would be led by an Assistant Secretary, which the Administration has yet to nominate, and that President Trump’s FY 19 budget requested $96 million for the new office.
DOE Undersecretary Mark Menezes testified to Congress that “initially, the office will be comprised of the work we currently do” under existing programs. Indeed, DOE's FY 19 budget request indicates that CESER will be formed from existing reliability programs in the Office of Electricity Delivery & Energy Reliability, which will be renamed the Office of Electricity Delivery (“OE”). OE will maintain the Transmission Reliability, Resilient Distribution Systems, Energy Storage, and Transmission Permitting and Technical Assistance programs, while CESER will inherit the Cybersecurity for Energy Delivery Systems (“CEDS”) program, currently led by Deputy Assistant Secretary Henry S. Kenchington, and the Infrastructure Security and Energy Restoration (“ISER”) program, currently headed by Deputy Assistant Secretary Devon Streit.
CEDS forms the core of DOE’s work on energy sector cybersecurity and aligns with the Plan’s goals of increasing energy cyber preparedness and developing new cybersecurity technologies. Besides conducting cybersecurity research and development, CEDS also oversees DOE’s primary programs for sharing cybersecurity information with the private sector. This includes the Cybersecurity Risk Information Sharing Program (“CRISP”), which facilitates timely bi-directional sharing of cyber threat information in order to monitor energy sector IT networks. At present, 75% of U.S. electric utilities participate in CRISP. CEDS also includes the Cybersecurity for Operational Technology Environment (“CYOTE”) pilot project, which applies lessons learned from CRISP to monitor operating technology (“OT”) networks. According to the budget request, DOE intends to improve both CRISP and CYOTE by integrating utility data into the Intelligence Community environment to enhance threat information. The request also states that DOE will create a new “Advanced Industrial Control System Analysis Center” within CEDS that will “span the DOE laboratory network and work in collaboration with private sector partners to use the analysis of energy sector supply chain component and model impacts to address system threats and vulnerabilities through technical solutions, share information about findings, and develop mitigation and response solutions.”
ISER provides technical expertise on supporting resiliency of critical infrastructure assets key to energy sector operation and addresses the Plan’s goal of coordinating incident response. ISER’s focus is operational and spans all hazards facing the energy sector. However, the DOE budget notes that in the next fiscal year, ISER will “build out its effective, timely, and coordinated cyber incident management capability” and “envisions” forming a team of at least six cyber energy responders to support incident response within the energy sector.
DOE’s Emerging Role in Energy Sector Cybersecurity
DOE, under the Trump Administration, is reprioritizing cybersecurity higher on the Department’s agenda. To be sure, the Plan and CESER are a reshuffling of already-existing resources rather than entirely new programs. But it is clear that DOE is intent on flexing its position under the Fixing America’s Surface Transportation Act (“FAST Act”) to act as the energy sector SSA on cybersecurity.
DOE’s efforts come as the Department of Homeland Security (“DHS”) is also increasing its profile on cybersecurity. Utilizing authority under the Cybersecurity Information Sharing Act, passed just weeks after the FAST Act in 2015, DHS has certified its National Cybersecurity and Communications Integration Center (“NCCIC”) as a certified portal to accept cybersecurity information. As such, entities enjoy liability protection for sharing cybersecurity information with the NCCIC, through programs like Automated Indicator Sharing (“AIS”) and the even more robust Cyber Information Sharing and Collaboration Program (“CISCP”).
Those within the energy sector can utilize both DOE’s and DHS’s information sharing programs to strengthen their cybersecurity. Coordination with the NCCIC and sharing through AIS or CISCP provides access to the government’s cross-sectoral cybersecurity activities, though reports indicate that businesses have been slow to adopt AIS. Tailored specifically to electricity, DOE’s CRISP and CYOTE programs represent a more specialized package of information sharing, particularly appropriate for electricity sub-sector stakeholders.
DHS and DOE can be expected to continue asserting jurisdictional claims over cybersecurity issues. Hopefully, this will represent little more than the traditional rivalry between government agencies, and result in complementary rather than competing federal cybersecurity programs.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code