0%
About the CyTRICS Program
Testing Cyber Resilience of Operational Technology in the Energy Sector
CyTRICS partners across stakeholders to identify high priority operational technology (OT) components, perform expert testing, share information about vulnerabilities in the digital supply chain, and inform improvements in component design and manufacturing.
CyTRICS leverages best-in-class test facilities and analytic capabilities at four DOE National Laboratories and strategic partnerships with key stakeholders including technology developers, manufacturers, asset owners and operators, and interagency partners.
CyTRICS program supports the following:
- Supply Chain Executive Orders
- National Defense Authorization Act of 2020 (Sec. 5726 Pilot Program)
- Multiple critical infrastructure sub-sectors, including electricity, oil & natural gas, wind and other renewables, hydroelectrics, and other federal partners
- Expanding laboratories involved
- Commercial partners for testing
Industrial Control System Advisory (ICSA-21-075-02)
General Electric Universal Relay family
March 16, 2021 – DHS released the following bulletin describing a set of vulnerabilities which have just been mitigated by General Electric (GE) on their Universal Relay (UR) family of products. The bulletin contains vulnerabilities reported to GE by the CyTRICS program, including one high-impact vulnerability (CVSS 9.8).
CyTRICS Highlights
CyberScoop
Electric Equipment Vendor Schweitzer Joins US Testing Program to Defend Grid from Hacking Threats
Sean Lyngaas
March 19, 2021
SecurityWeek
Here’s How Security Flaws in GE Relays Could Be Exploited in Real World Attacks
Eduard Kovacs
March 19, 2021
DOE Press Release
DOE Announces Cybersecurity Programs for Enhancing Safety and Resilience of U.S. Energy Sector
March 18, 2021
SANS Insittute Blog
Shining Some Light on Solarwinds and ICS
By Tim Conway
February 15, 2021
Software Bills of Materials Energy Webinar
CyTRICS provided insights for Energy Sector use of Software Bills of Materials for supply chains
Video of the presentation
January 26, 2021
DOE Press Release
DOE CESER Partners with Schneider Electric to Strengthen Energy Sector Cybersecurity and Supply Chain Resilience
September 23, 2020
Protect Our Power Blog
Ensuring Electric Grid Supply Chain Security
By Steven T. Naumann, Former V.P., Transmission and NERC Policy, Exelon
East Tennessee Economic Council Press Release
Cyber Security is National Security
Highlights from DOE Press Release
October 5, 2020
Cyber, Intelligence, and Security
Securing Critical Supply Chains: Strategic Opportunities for the Cyber Product International Certification (CPICTM) Initiative
By Paul Stockton
September 2018
Power Magazine
Power Sector, Federal Entities Scramble to Close Supply Chain Security Gap
CyTRICS is highlighted by Pedro Pizarro of Edison Electric Institute
September 20, 2020
Innovative Components
Prioritization Methodology
An approach to prioritizing OT components for testing that incorporates key factors including operational impact, prevalence, and national security interest. This approach provides a strategic, transparent rationale for testing components that optimizes security impact.
Standardized Testing Process
DOE has developed and refined a standardized approach to enumerating and vulnerability testing firmware and software subcomponents. Standardization ensures consistency, repeatability, and comparability of results, to scale up testing and automation across Labs and partners.
Standardized Reporting and Repository
CyTRICS captures testing results in a standard, bill of materials format that captures granular “digital ingredients” to the subcomponent level, to rapidly identify embedded high-risk components and subcomponents. The program features a central repository of testing results for comprehensive, sector-wide analysis of systemic risks and vulnerabilities.
Vendor Agreements
CyTRICS partners with top manufacturers and utilities in the sector to sign participation Agreements to frame mutual cooperation prior to conducting testing. The standard agreement establishes types of software and firmware testing to be performed, timely disclosure of vulnerabilities identified during testing, and coordinated disclosure of vulnerability information with impacted asset owners, federal agencies, and energy sector stakeholder.
Sponsors and Participating Laboratories
Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER)
The Office of Cybersecurity, Energy Security, and Emergency Response (CESER) addresses the emerging threats of tomorrow while protecting the reliable flow of energy to Americans today by improving energy infrastructure security and supporting the Department of Energy’s national security mission. CESER’s focus is preparedness and response activities to natural and man-made threats, while ensuring a stronger, more prosperous, and secure future for the nation.
>> Read more on CyTRICS
Idaho National Laboratory is a world leader in providing industrial control system (ICS) cybersecurity research and development. The laboratory’s distinctive history in protecting critical infrastructure systems puts the lab at the forefront of thought leadership and applied innovation in critical infrastructure cybersecurity testing. INL uses a comprehensive approach to developing ICS cybersecurity research to meet the energy sector’s needs identified by the DOE, utilities, and other organizations.
>> Read more on INL Cyber
Other Participating Laboratories
