Statement from Secretary Perry:

“This Administration recognizes the growing security risk of cyber threats and has prioritized overcoming these challenges facing our Nation, as outlined in Executive Order 13800. The Department of Energy (DOE) has taken an important step forward through the recent creation of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER), which will further strengthen DOE’s ability to play a vital role protecting energy infrastructure from cyber threats, physical attacks, and natural disasters.

As the Sector Specific Agency for the energy sector, DOE will continue to work with the Department of Homeland Security, our National Laboratories, public, and private sector partners to improve cybersecurity practices and develop next-generation tools and capabilities that can be leveraged to better understand and mitigate cyber vulnerabilities in the energy sector.”

Executive Summary:

Addressing the mounting risk of cyber-attacks and threats to the U.S. electric grid is a national security imperative for the United States. To address this growing challenge, President Trump issued Section (e) of Executive Order 13800 on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” one year ago. This Executive Order called for an assessment of the potential scope and duration of a prolonged power outage associated with a significant cyber incident, as well as an evaluation of the readiness and gaps in the United States’ ability to manage and mitigate consequences of a cyber incident against the electric subsector. The Departments of Energy and Homeland Security partnered with other federal agencies and electric industry stakeholders from across the United States to conduct the analysis required under the executive order.

While it was found that no lasting damage—physical, cyber-physical, or otherwise—has been observed from the cyberattacks and intrusions targeting U.S. electric utilities that have been reported to date, there are key trends that are increasing the risk of significant cyber incidents. The report released today identifies gaps around enhancing cyber incident response capacity, developing high-priority plans, augmenting scarce and critical resources, and understanding and characterizing response efforts to catastrophic incidents. Existing capability gaps fall largely into seven main categories: Cyber Situational Awareness and Incident Impact Analysis; Roles and Responsibilities under Cyber Response Frameworks; Cybersecurity Integration into State Energy Assurance Planning; Electric Cybersecurity Workforce and Expertise; Supply Chain and Trusted Partners; Public-Private Cybersecurity Information Sharing; and Resources for National Cybersecurity Preparedness.

These takeaways will build on the already robust collaboration between government and industry on electricity sector cybersecurity. Continuing to enhance these partnerships is critical to closing identified gaps in cybersecurity preparedness and response capabilities, limiting the potential scope and duration of a significant cyber incident and reducing impacts to the critical national economy, defense, and lifeline functions which the electric grid supports.

View the whole report HERE.