The '2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity' outlines a ten-year strategic framework for industry, vendors, academia, and government stakeholders to design, install, operate, and maintain a resilient energy delivery system capable of surviving a cyber incident while sustaining critical functions.
Developed by the public-private Energy Sector Control Systems Working Group, the roadmap offers five strategies to make the US energy delivery system more secure from cyber attacks.
First, the report recommends developing a culture of security. “When integrated with reliability practices, a culture of security ensures sound risk management practices are periodically reviewed and challenged to confirm that established security controls remain in place and changes in the energy delivery system or emerging threats do not diminish their effectiveness”, the DOE said.
Second, energy companies should assess and monitor risk to provide an understanding of their current security posture and enable them to assess evolving cyber threats and vulnerabilities, as well as possible responses.
Third, the energy industry should develop and implement new protective measures to reduce risks. Protective measures are already being built into next-generation energy delivery systems and upgrade of legacy systems should be undertaken, the roadmap noted.
Fourth, the industry should improve its ability to manage cyber incidents. “When proactive and protective measures fail to prevent a cyber incident, detection, remediation, recovery, and restoration activities minimize the impact of an incident on an energy delivery system. Post-incident analysis and forensics enable energy sector stakeholders to learn from the incident”, the DOE advised.
Fifth, the industry should work to sustain security improvements. This requires a commitment of resources, incentives, and collaboration among stakeholders, the report stressed.
Also this week, DOE released two documents designed to support the roadmap: the 'Vulnerability Analysis of Energy Delivery Control Systems' prepared by Idaho National Laboratory and a draft of the 'Electricity Sector Cybersecurity Risk Management Process Guideline' prepared by the National Institute of Standards and Technology (NIST) and the North American Electric Reliability Corporation (NERC).