Partnering with Energy Sector Entities to Identify and Defend Critical Control Systems
The Securing Energy Infrastructure Executive Task Force (SEI ETF) is a voluntary group of senior leaders representing energy sector asset owners and operators, vendors/manufacturers, standards organizations, research and academic institutions, National Laboratories, and government agencies. The U.S. Department of Energy formed the SEI ETF as directed by Section 5726 of the National Defense Authorization Act for Fiscal Year 2020 (NDAA 2020).
The SEI ETF formed a series of advisory groups and technical project teams to pursue several taskings mandated by the statute, including evaluating technology and standards for industrial control systems (ICS), identifying categories of ICS vulnerabilities, and developing a National Cyber-Informed Engineering Strategy. Published deliverables are highlighted here. Several deliverables may be in draft form as the SEI ETF concludes its work and examines opportunities to continue moving these work products forward with the energy industry.
Given the abundance of industrial control systems (ICS) cybersecurity standards today, it can be challenging for users to determine which are the best fit for their organization. The SEI ETF developed an interactive matrix that contains over 75 standards in a searchable and sortable format to help organizations apprehend the body of standards, how they interrelate, and how they apply.
The Reference Architecture for Electric Energy OT was developed to address gaps in existing architecture models, and provides a baseline from which domain-specific profiles can be derived. The SEI ETF further developed profiles for four domain-specific applications, including substation, generation, distributed energy resources, and operation/network control center.
SEI ETF members are now working with the International Society of Automation (ISA) to include the profiles in the ISA/International Electrotechnical Commission (IEC) 62443 series of standards.
The SEI ETF has identified 20 categories of security vulnerabilities in industrial control systems (ICS). These 20 categories are distinct from those already documented in information technology (IT), go beyond vulnerabilities arising from the implementation of ICS systems, and include those arising from design, architectural, operational, and human factors.
The MITRE Corporation is launching an ICS/OT Special Interest Group (SIG) in May 2022 to explore the inclusion of these categories in MITRE’s Common Weakness Enumeration (CWE) database. Email firstname.lastname@example.org to join and see the ICS-OT SIG Overview for more details.
The Department of Energy (DOE) and INL have developed a framework to guide the application of cybersecurity principles across the engineering design lifecycle. The Cyber-Informed Engineering (CIE) framework and body of knowledge drives the inclusion of cybersecurity as a foundational element of risk management for engineering of functions aided by digital technology. Cyber-Informed Engineering provides a framework for a change in philosophy and engineering practices to proactively secure existing digital infrastructure and build new systems designed to withstand the modern and future cyber-adversary.