Energy Sector Cyber Security

In 2006, the US Dept. of Energy issued an Energy Sector Security Roadmap with specific goals and milestones. We scored the progress on the roadmap in an earlier blog, and it did drive DoE’s research funding and other efforts in the intervening years.

This month the roadmap has been updated in the Roadmap to Achieve Energy Delivery Systems Cybersecurity, September 2011. The vision has changed slightly since the last roadmap:

By 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions.

This is broken down into five strategies:

  1. Build a culture of cybersecurity
  2. Assess and monitor risk
  3. Develop and implement new protective measures to reduce risk
  4. Manage incidents
  5. Sustain security improvements

The best aspect of the previous roadmap was retained — specific near-, mid- and long-term milestones for each of the five strategies. For example, a mid-term milestone for manage incidents is “real-time forensics capabilities commercially available”. A mid-term milestone for assess and monitor risk is “majority of asset owners baselining their security posture using energy subsector specific metric”.

You can view all of the strategies and milestones concisely on page 5 of the roadmap. Each strategy is addressed in more depth in Section 4.

The sector roadmap business has become a cottage industry, with clones in the water sector and efforts in other sectors. ICSJWG has a group working on a roadmap of roadmaps. The effort put into developing a roadmap is only worthwhile if the sector is going to put 10+ times as much effort into making the roadmap.

Section 2 of the document talks about the progress made, and not made, in meeting the milestones from the 2006 document. The chart on page 12 quickly shows where milestones were met and where the electric sector fell short. There is more text around the related efforts and milestones. DoE deserves praise for both tailoring their efforts to meet the milestones and performing an honest assessment of the results. (FD: Digital Bond receives research funding from DoE, and our DoE-funded Bandolier project gets a nice mention on page 11.)