Roadmap for Energy Cyber Security

Wednesday, September 21, 2011 @ 06:09 PM gHale

There is a new roadmap out there for public-private sector initiatives designed to improve cyber security for the nation’s energy delivery system.

The “2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity” outlines a ten-year strategic framework for industry, vendors, academia, and government stakeholders to design, install, operate, and maintain a resilient energy delivery system capable of surviving a cyber incident while sustaining critical functions, said U.S. Department of Energy (DOE) officials.

RELATED STORIES
Top Research Priorities for Cyber Security
One Flip Means Victims for Hackers
Executive Fear: APT Attacks
Survey: For Security, Talk, but No Action

The roadmap, developed by the public-private Energy Sector Control Systems Working Group, offers five strategies to make the U.S. energy delivery system more secure from cyber attacks.

The first strategy is to develop a culture of security. “When integrated with reliability practices, a culture of security ensures sound risk management practices are periodically reviewed and challenged to confirm that established security controls remain in place and changes in the energy delivery system or emerging threats do not diminish their effectiveness”, the DOE said.

Second, energy companies should assess and monitor risk to provide an understanding of their current security posture and enable them to assess evolving cyber threats and vulnerabilities, as well as possible responses.

Third, the energy industry should develop and implement new protective measures to reduce risks. Protective measures are already going into next-generation energy delivery systems and a protective measure upgrade should be a part of legacy systems, the roadmap said.

Fourth, the industry should improve its ability to manage cyber incidents. “When proactive and protective measures fail to prevent a cyber incident, detection, remediation, recovery, and restoration activities minimize the impact of an incident on an energy delivery system. Post-incident analysis and forensics enable energy sector stakeholders to learn from the incident”, the DOE said.

Fifth, the industry should work to sustain security improvements. This requires a commitment of resources, incentives, and collaboration among stakeholders, the report said.

In addition, the DOE released two documents designed to support the roadmap: the “Vulnerability Analysis of Energy Delivery Control Systems” prepared by Idaho National Laboratory and a draft of the “Electricity Sector Cybersecurity Risk Management Process Guideline” prepared by the National Institute of Standards and Technology and the North American Electric Reliability Corporation.