DOE Cybersecurity Office to Brief New Report on Electric Grid

WASHINGTON — Federal officials will brief a new report outlining the key cybersecurity recommendations for clean energy integration, grid modernization and distributed energy resources on Monday, Nov. 7.
The report was prepared by the Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response and the Office of Energy Efficiency and Renewable Energy.
During the virtual briefing, the Idaho National Laboratory will brief attendees on the energy sector threat landscape and its significance for distributed energy resources.
The report notes that the U.S. electric grid is undergoing significant changes as the U.S. transitions to a clean energy future and stresses that it is important, while this occurs, to ensure that cybersecurity is incorporated into new devices, systems, and infrastructure and that “security by design” is a core component of these systems.
The report provides an overview of cybersecurity considerations that should be weighed by the power sector, including utilities and distributed energy resources operators, providers, integrators, developers, and vendors.
However, agency officials note the report is not meant to be a comprehensive review of cybersecurity considerations for the energy industry, but rather will serve as a catalyst for further conversations between industry and government stakeholders.
“The industry must partner with the energy sector and government efforts to address these challenges over the next decade,” the report says. “This means ensuring that new controls and software interfaces for these smart devices are cybersecure and standardized to mitigate emerging cyber risks.
“Securing the [electric grid] also will require addressing the varying ways that DER operate, including their different controls and the fact that owner/operator entities do not have a defined role in securing the grid. Other challenges include assessing how cyberattacks could affect grid operations,” it says.
The report notes that existing cybersecurity standards and best practices, such as multifactor authentication, endpoint detection and response, encryption, and a skilled and empowered security team, may need to be refined for specific deployment use cases.
“When implementing cybersecurity requirements, grid and planners should build cyberdefenses with the goal of surviving an attack while maintaining critical functionality,” the report says.
“Future systems must be designed, built, and operated in an enforced zero-trust model where data is validated using cryptographically secure mechanisms informed by standards, testing, and vulnerability assessments. Broad industry involvement is key to the development, approval, and implementation of robust cybersecurity standards.”
Dan can be reached at [email protected] and at https://twitter.com/DanMcCue.