Testing Cyber Resilience of Operational Technology in the Energy Sector
CyTRICS partners across stakeholders to identify high priority operational technology (OT) components, perform expert testing, share information about vulnerabilities in the digital supply chain, and inform improvements in component design and manufacturing.
CyTRICS leverages best-in-class test facilities and analytic capabilities at four DOE National Laboratories and strategic partnerships with key stakeholders including technology developers, manufacturers, asset owners and operators, and interagency partners.
CyTRICS PROGRAM SUPPORTS:
Supply Chain Executive Orders
National Defense Authorization Act of 2020 (Sec. 5726 Pilot Program)
Multiple critical infrastructure sub-sectors, including electricity, oil & natural gas, wind and other renewables, hydroelectrics, and other federal partners
Expanding laboratories involved
Commercial partners for testing
How the Energy Department Can Improve Cybersecurity in the Energy Industry
By Tasha Jhangiani and Madison Lockett
Hitachi Energy and INL Testing of Relion® 670 Series’ RED670
Hitachi Energy and the DOE CESER CyTRICS program partnered to perform component enumeration and vulnerability testing of a Relion® 670 Series’ RED670. As a result of the testing, CyTRICS researchers noted significant improvements in the security posture of the Relion® 670 Series firmware over the past 10 years. Researchers also observed that Hitachi Energy has avoided common security weakness that other industry stakeholders continue to struggle with and has invested in the security of the Relion® 670 Series’ RED670 product.
CyTRICS shared a number of vulnerabilities with Hitachi Energy which were rapidly addressed with the following mitigation alerts published by Hitachi Energy’s Product Security Incident Response Team (PSIRT):
Prioritization Methodology An approach to prioritizing OT components for testing that incorporates key factors including operational impact, prevalence, and national security interest. This approach provides a strategic, transparent rationale for testing components that optimizes security impact.
Standardized Testing Process DOE has developed and refined a standardized approach to enumerating and vulnerability testing firmware and software subcomponents. Standardization ensures consistency, repeatability, and comparability of results, to scale up testing and automation across Labs and partners.
Standardized Reporting and Repository CyTRICS captures testing results in a standard, bill of materials format that captures granular “digital ingredients” to the subcomponent level, to rapidly identify embedded high-risk components and subcomponents. The program features a central repository of testing results for comprehensive, sector-wide analysis of systemic risks and vulnerabilities.
CyTRICS partners with top manufacturers and utilities in the sector to sign participation Agreements to frame mutual cooperation prior to conducting testing. The standard agreement establishes types of software and firmware testing to be performed, timely disclosure of vulnerabilities identified during testing, and coordinated disclosure of vulnerability information with impacted asset owners, federal agencies, and energy sector stakeholder.