US DOE introduces supply chain cybersecurity principles to bolster global energy infrastructure security

The U.S. Department of Energy (DOE) rolled out Supply Chain Cybersecurity Principles, developed in collaboration with the Idaho National Laboratory. The principles establish best practices for cybersecurity throughout the supply chain that support energy infrastructure and can help secure equipment and technologies before they are exploited by cyber actors seeking to cause destruction or disruption to critical infrastructure. Developed for manufacturers and end users alike, these principles create a framework to strengthen key technologies used globally to manage and operate electricity, oil, and natural gas systems. 

The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) crafted the Supply Chain Cybersecurity Principles, incorporating feedback from industrial control systems (ICS) manufacturers and asset owners involved in CESER’s supply chain research. This development also integrates findings from the Idaho National Laboratory. CESER has established 10 Supply Chain Cybersecurity Principles specifically tailored for suppliers, alongside a separate set of 10 principles geared towards end-users.

Prominent energy sector suppliers and manufacturers such as GE Vernova, Schneider Electric, Hitachi Energy, Schweitzer Engineering Laboratories, Rockwell Automation, Siemens, Siemens Energy, and Honeywell have endorsed the principles, supporting enhanced security measures.

The agency is also launching an effort with its international government and industry partners to align the principles to existing requirements, develop guidance for interpreting and adopting the principles, and identify gaps where international coordination could advance supply chain security throughout the global energy sector.

“Energy systems around the world face continuous cyber attacks and are vulnerable to disruption. As new digital clean energy technologies are integrated, we must ensure they are cyber secure to prevent destruction or disruption in services,” Jake Sullivan, National Security Advisor, said in a White House statement on Tuesday. “This is a global issue and at the G7 Leaders’ Summit in Apulia, President Biden and G7 leaders committed to taking critical action to strengthen the cybersecurity of the global supply chain of key technologies used to manage and operate electricity, oil, and natural gas systems across the world.”  

He added that the G7 will work to establish a collective cybersecurity framework for operational technologies for both manufacturers and operators. “This builds on the White House Council on Supply Chain Resilience’s work to strengthen supply chains critical to America’s economic and national security. It also builds upon the efforts of the U.S. Department of Energy (DOE) and Idaho National Laboratory which have brought tremendous expertise to bear in securing operational technologies to date.”

The Supply Chain Cybersecurity Principles characterize the foundational actions and approaches needed to deliver strong cybersecurity throughout the vast global supply chains that build energy automation and ICS. The principles aim to create an enduring framework to drive best practices while informing international coordination to advance those practices into the future. 

In developing these principles, the U.S. is issuing a collective call to action for ICS suppliers and end users across the globe to support and adopt the principles. The principles characterize the best practices that are exhibited today by cybersecurity leaders in the energy industry and can help to create shared expectations that ripple throughout the supply chain, informing and lifting up manufacturers, and owners and operators with less mature supply chain risk management efforts. 

“As we build our clean energy future, it is critical that we incorporate strong cybersecurity protections,” David M. Turk, Deputy Secretary of Energy, said in a media statement. “Together with our G7 allies, we’re helping ensure energy infrastructure worldwide is more reliable and resilient against tomorrow’s threats and challenges.”   

“The U.S. energy sector is a target for cyber criminals and for foreign adversaries, alike,” said Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger. “The Biden-Harris Administration is prioritizing the security and resilience of our critical energy infrastructure with this global initiative, emphasizing the importance of aligning individual supply chain security efforts for operational technology used in the energy sector.”

When it comes to suppliers, the Supply Chain Cybersecurity Principles prescribed include impact-driven risk management that embeds consideration of impacts, including those in the organization’s own upstream supply chains, throughout the entire systems engineering lifecycle, seeking to manage risks to functions that are aided by digital technologies. 

It also covered framework-informed defenses that incorporate appropriate principles and practices from recognized cybersecurity frameworks into the design of the organization’s defenses of its critical functions, infrastructure, and information; and cybersecurity fundamentals that follow relevant domain-specific regulations and international standards, and consider secure and cyber-informed engineering and design principles, to produce products and deliver services with appropriate security features and controls.

The CESER also laid down using a secure systems development lifecycle process informed by internationally accepted frameworks and standards to encourage adequate security practices throughout an offering’s lifecycle; providing appropriate information to end users and the public regarding cybersecurity posture, interoperability, product security, testing methods, independent verifications, and software and hardware composition of products; and providing hardening and secure implementation guidance to end users, including transparent information on default settings and behaviors that must be changed or managed in implementation. 

The principles also included lifecycle support and management that provides appropriate product support, including security patches and mitigations, from a transaction through the announced end of lifecycle support; and maintaining a vulnerability management process, aligned to industry best practices and applicable coordinated vulnerability disclosure processes, for the responsible handling and coordinated disclosure of vulnerabilities.

It also laid down developing and maintaining appropriate incident response plans for incidents within its own environments and when supporting end users in responding to incidents involving products or services; and continually improving the organization’s practices and offerings by identifying and implementing adaptations informed by observations, insights, and lessons learned from ongoing operations, end-user experiences, and incident response.

For end-users, the DOE Supply Chain Cybersecurity Principles directed embedding consideration of impacts, specifically including those in upstream supply chains, throughout the entire systems engineering lifecycle, seeking to manage risks to functions that are aided by digital technologies. 

They also prescribed incorporating appropriate principles and practices from recognized cybersecurity frameworks into the design of the organization’s defenses of its critical functions, infrastructure, and information; and following relevant domain-specific regulations and international standards, and considering secure and cyber-informed engineering and design principles, to employ products and services in a secure manner, taking into account accumulated technical and security debt. 

The principles also laid down engaging with suppliers to understand the security features and controls of their offering to ensure they are adequate for the intended purpose or identify necessary compensating controls; including contractual language for those terms, conditions, and testing requirements that will influence security outcomes, and which they are able and willing to enforce; while also developing and maintaining appropriately secure operating environments, following suppliers’ hardening and secure implementation guidance.

The DOE Supply Chain Cybersecurity Principles also prescribed that end-users conduct business planning and provide resources to acquire, maintain (including patch management and fixes recommended by the supplier), and replace equipment through its lifecycle, considering continued availability of supplier technical support; and maintain a risk-informed vulnerability management process that aligns with the supplier’s published process for coordinated disclosure of vulnerabilities discovered through use of their products.

The principles also said to proactively coordinate supplier support during response to incidents involving their products or services; and continually improve the organization and its practices by adapting from observations, insights, and lessons learned from ongoing operations, supplier experiences, and incident response.

In April, the DOE released a summary report on the potential benefits and risks of artificial intelligence (AI) use for critical energy infrastructure, as part of the federal administration’s approach towards harnessing the benefits of AI and ensuring its responsible and safe deployment. The agency also provides an initial risk assessment on AI for the critical energy infrastructure.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.