Cyber Testing for Resilient Industrial Control Systems (CyTRICS )

Testing Cyber Resilience of Operational Technology in the Energy Sector

CyTRICS partners across stakeholders to identify high priority operational technology (OT) components, perform expert testing, share information about vulnerabilities in the digital supply chain, and inform improvements in component design and manufacturing.

CyTRICS leverages best-in-class test facilities and analytic capabilities at four DOE National Laboratories and strategic partnerships with key stakeholders including technology developers, manufacturers, asset owners and operators, and interagency partners.

CyTRICS PROGRAM SUPPORTS:

Supply Chain Executive Orders
National Defense Authorization Act of 2020 (Sec. 5726 Pilot Program)
Multiple critical infrastructure sub-sectors, including electricity, oil & natural gas, wind and other renewables, hydroelectrics, and other federal partners
Expanding laboratories involved
Commercial partners for testing

CyTRICS Highlights

Nextgov

How the Energy Department Can Improve Cybersecurity in the Energy Industry
By Tasha Jhangiani and Madison Lockett

August 4, 2021

NREL Press Release

Workshop Presents New Approaches to Cybersecurity for Critical Infrastructure Supply Chains

July 31, 2021

Bloomberg: Cybersecurity

Biden Rushes to Protect Power Grid as Hacking Threats Grow
By Shaun Courtney and Michael Riley

April 14, 2021

CyberScoop

Schweitzer Joins U.S. Testing Program to Defend Grid from Hacking Threats
By Sean Lyngaas

March 19, 2021

SecurityWeek

Here’s How Security Flaws in GE Relays Could Be Exploited in Real World Attacks
By Eduard Kovacs

March 19, 2021

SANS Insittute Blog

Shining Some Light on Solarwinds and ICS
By Tim Conway

February 15, 2021

Software Bills of Materials Energy Webinar

CyTRICS provided insights for Energy Sector use of Software Bills of Materials for supply chains
Video of the presentation

January 26, 2021

Tom Alrich's Blog

We Need to Regulate These Guys – SolarWinds edition

January 31, 2021

Protect Our Power Blog

Ensuring Electric Grid Supply Chain Security
By Steven T. Naumann, Former V.P., Transmission and NERC Policy, Exelon

East Tennessee Economic Council Press Release

Cyber Security is National Security
Highlights from DOE Press Release

October 5, 2020

Institute for National Security Studies

Securing Critical Supply Chains: Strategic Opportunities for the CPIC Initiative
By Paul Stockton

September 2018

Power Magazine

Power Sector, Federal Entities Scramble to Close Supply Chain Security Gap
By Pedro Pizarro, Edison Electric Institute

September 20, 2020

Industrial Control Systems Announcements

https://www.energy.gov/ceser/articles/doe-announces-hitachi-abb-power-grids-participation-cytrics-program

hitachi energy logo cytrics

Hitachi Energy and INL Testing of Relion® 670 Series’ RED670

Hitachi Energy and the DOE CESER CyTRICS program partnered to perform component enumeration and vulnerability testing of a Relion® 670 Series’ RED670. As a result of the testing, CyTRICS researchers noted significant improvements in the security posture of the Relion® 670 Series firmware over the past 10 years. Researchers also observed that Hitachi Energy has avoided common security weakness that other industry stakeholders continue to struggle with and has invested in the security of the Relion® 670 Series’ RED670 product.

CyTRICS shared a number of vulnerabilities with Hitachi Energy which were rapidly addressed with the following mitigation alerts published by Hitachi Energy’s Product Security Incident Response Team (PSIRT):

The CyTRICS program team values our partnership with Hitachi Energy and we look forward to further testing opportunities.

More Info on Hitachi Patches and Updates

Past Announcements

Industrial Control System Advisory (ICSA-21-075-02) - General Electric Universal Relay family

dhs cisa logo

Industrial Control System Advisory (ICSA-21-075-02) – General Electric Universal Relay family
This contains vulnerabilities reported to GE by the CyTRICS program, including high-impact vulnerability, CVSS 9.8

March 16, 2021

Director of National Intelligence Guidance for Energy Sector Supply Chain Assurance

cytrics national intelligence guidance on supply chains Director of National Intelligence Guidance for Energy Sector Supply Chain Assurance

April 2021

Innovative Components

Prioritization Methodology
An approach to prioritizing OT components for testing that incorporates key factors including operational impact, prevalence, and national security interest. This approach provides a strategic, transparent rationale for testing components that optimizes security impact.

Standardized Testing Process
DOE has developed and refined a standardized approach to enumerating and vulnerability testing firmware and software subcomponents. Standardization ensures consistency, repeatability, and comparability of results, to scale up testing and automation across Labs and partners.

Standardized Reporting and Repository
CyTRICS captures testing results in a standard, bill of materials format that captures granular “digital ingredients” to the subcomponent level, to rapidly identify embedded high-risk components and subcomponents. The program features a central repository of testing results for comprehensive, sector-wide analysis of systemic risks and vulnerabilities.

Vendor Agreements
CyTRICS partners with top manufacturers and utilities in the sector to sign participation Agreements to frame mutual cooperation prior to conducting testing. The standard agreement establishes types of software and firmware testing to be performed, timely disclosure of vulnerabilities identified during testing, and coordinated disclosure of vulnerability information with impacted asset owners, federal agencies, and energy sector stakeholder.

DOE Energy Cyber Programs

Cyber-Informed Engineering (CIE)

Engineering out potential risks and ensuring resiliency

Cyber Testing for Resilient Industrial Control Systems (CyTRICS)

Testing resilience for Energy OT

Software Bill of Materials (SBOM) Proof of Concept

Exploring a proof-of-concept for the Energy community

Consequence-driven Cyber-informed Engineering (CCE)

Thinking like the adversary

Operational Technology (OT) Defender Fellowship

Elite training for Energy sector front-line managers

Contact Info

INL NHS Media Contact

Ethan Huffman

Phone: 208-526-5015

Send a Message

DOE Energy Cyber Programs

Virginia Wright

Send a Message

Federal Sponsor

Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) addresses the emerging threats of tomorrow while protecting the reliable flow of energy to Americans today by improving energy infrastructure security and supporting the Department of Energy’s national security mission. CESER’s focus is preparedness and response activities to natural and man-made threats, while ensuring a stronger, more prosperous, and secure future for the nation. >> Read more on CyTRICS

Participating Laboratories