- The U.S. Department of Energy has released a multiyear plan to guide cybersecurity research and development (R&D) for efficiency and renewable power applications, focused on improving resilience for operational technologies and boosting stakeholder awareness of vulnerabilities, the department announced Wednesday.
- DOE said the Cybersecurity Multiyear Program Plan, issued last month by its Office of Energy Efficiency and Renewable Energy (EERE), aims to strengthen systems critical to renewables, manufacturing, buildings and transportation, "all of which are increasingly interconnected and vulnerable to cyber-attack."
- The federal government has warned of increasing cyberattacks targeting energy technologies and associated industrial control systems. In July, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency recommended utilities make plans to manually operate equipment that could be compromised by an attack.
As complex energy systems become more integrated with other critical infrastructure operations, DOE officials say an overarching plan is needed to guide cybersecurity in the utility sector.
EERE's increased attention to cybersecurity is the result of "recent advancements made in functionality and interoperability" to renewable and efficiency technologies, according to the report, "that now make cybersecurity a more pressing issue." New technologies, including advanced solar inverters, "must be designed with cybersecurity as a requirement."
Through the multiyear program plan, the agency "is pursuing a holistic and unified strategy to advance cybersecurity R&D and preparedness across the renewable power, energy efficiency, and transportation sectors," EERE Assistant Secretary Daniel Simmons said in a statement.
The strategy aims to accelerate "cyber-resilience R&D" for efficiency and renewable energy operational technologies, said officials, and to increase stakeholder awareness of security threats and issues. EERE said its activities will help mitigate common threats and vulnerabilities in hardware and software throughout its portfolio, including power electronics, sensors, control systems, and information communication technology.
"Coupled with robust engagement and partnership with industry, academic, and government stakeholders, the R&D activities in this plan will strengthen the cybersecurity of emerging technologies throughout the EERE portfolio," Simmons said.
The agency said the strategy will also facilitate more engagement with industry, academia and other government offices "to ensure EERE's early-stage research meets its goals without duplicating efforts."
EERE's plan includes examples of recent projects supporting the security approach, including a new tool launched by the Federal Energy Management Program that maps potential cyber tactics and techniques officials say could be used by an attacker if vulnerabilities are not resolved. DOE is also looking to harden electric vehicle smart charging stations from attack through its Vehicle Technologies Office, where it has incorporated security requirements into recent funding for projects.
According to the report, technologies developed by EERE are part of DOE's strategy to secure American energy. "As EERE technologies become more affordable with corresponding market uptake, it becomes a mission priority to integrate these technologies into the Nation's energy systems," the report said.
EERE said it is proposing to research and develop vulnerability assessments that will help stakeholders to "quantify, evaluate, and test for the effectiveness and timeliness" of different cybersecurity vulnerability mitigation technologies and strategies. And it will develop solutions allowing stakeholders to proactively instrument and monitor systems "for effective response and mitigation efforts."
"Cyber threats targeting EERE technologies present an immediate risk to the integrity and availability of energy infrastructure and other systems critical to the nation's economy, security, and well-being," Alex Fitzsimmons, deputy assistant secretary for energy efficiency, said in a statement. "New technologies must be designed with cybersecurity as a requirement."