Transcription
EERE CybersecurityMultiyear ProgramPlanReport to CongressRevised May 2021United States Department of EnergyWashington, DC 20585
(This page is left intentionally blank)
Department of Energy May 2021Message from the SecretaryI am pleased to provide you with the EERE Cybersecurity Multiyear Program Plan. This reportdescribes Federal agency cybersecurity strategies and activities for operational technologieswithin the Office of Energy Efficiency and Renewable Energy (EERE). In addition, this reportincludes milestones to track progress toward identified goals.This report is being provided to the following agencies and Members of Congress: The Honorable Patrick LeahyChairman, Senate Committee on Appropriations The Honorable Richard C. ShelbyVice Chairman, Senate Committee on Appropriations The Honorable Rosa L. DeLauroChairwoman, House Committee on Appropriations The Honorable Kay GrangerRanking Member, House Committee on Appropriations The Honorable Dianne FeinsteinChair, Subcommittee on Energy and Water DevelopmentSenate Committee on Appropriations The Honorable John KennedyRanking Member, Subcommittee on Energy and Water DevelopmentSenate Committee on Appropriations The Honorable Marcy KapturChairwoman, Subcommittee on Energy and Water DevelopmentHouse Committee on Appropriations The Honorable Mike SimpsonRanking Member, Subcommittee on Energy and Water DevelopmentHouse Committee on AppropriationsIf you have any questions or need additional information, please contact me or Ms. KatherineDonley, Deputy Director for External Coordination, Office of the Chief Financial Officer, at (202)586-0176.Sincerely,Jennifer GranholmEERE Cybersecurity Multiyear Program Plan Page ii
Department of Energy May 2021List of S/CERTDOEEDSEEREEISA 2007EPAct OTPLCPVR&DRD&DSCADASETOVTOAdvanced Manufacturing OfficeAmerican National Standards InstituteAmerican Society of Heating, Refrigerating and Air-Conditioning EngineersBuildings Cybersecurity FrameworkBuilding Technologies OfficeOffice of Cybersecurity, Energy Security, and Emergency ResponseDistributed Control SystemsDistributed Denial of ServiceDistributed Energy ResourceU.S. Department of Homeland SecurityU.S. Department of Homeland Security, Industrial Control Systems CyberEmergency Response TeamU.S. Department of EnergyEnergy Delivery SystemsOffice of Energy Efficiency and Renewable EnergyEnergy Independence and Security Act of 2007Energy Policy Act of 2005Executive OrderElectric VehicleElectric Vehicle Supply EquipmentFacilities Cybersecurity Maturity ModelFacilities Cybersecurity FrameworkFederal Energy Management ProgramFiscal YearGrid Modernization InitiativeHeating, Ventilation, and Air ConditioningIndustrial Control SystemsInternational Electrotechnical CommissionInstitute of Electrical and Electronic EngineersInformation TechnologyMultiyear Program PlanOperational TechnologyProgrammable Logic ControllersPhotovoltaicResearch and DevelopmentResearch Development and DeploymentSupervisory Control and Data AcquisitionSolar Energy Technologies OfficeVehicle Technologies OfficeEERE Cybersecurity Multiyear Program Plan Page i
Department of Energy May 2021Executive SummaryThis report responds to legislative language set forth in the Energy and Water, LegislativeBranch, and Military Construction and Veterans Affairs Appropriations Act, 2019 (H.R. 5895)Conference Report, page 149.Within available funds for EERE, the conferees include not less than 20,000,000 to bringcybersecurity into early-stage technology R&D so that it is built into new technology forthis effort to encompass all EERE programs. Within 180 days of enactment of this Act,the Department shall submit to the Committees on Appropriations of both Houses ofCongress a multi-year program plan for this effort to encompass all EERE programs.The U.S. Department of Energy (DOE) Office of Energy Efficiency and Renewable Energy (EERE)has prepared this Cybersecurity Multiyear Program Plan (MYPP) to guide cybersecurity researchand development (R&D) for EERE technologies. This MYPP aligns with the U.S. Department ofEnergy Cybersecurity Strategy 1 and with the DOE's Office of Cybersecurity, Energy Security, andEmergency Response (CESER) Cybersecurity R&D coordination and integration efforts. EEREsupports the DOE operational structure to formalize coordination and execute our programoffices implementation plans for cybersecurity as an active member of a cross-agencymechanism that formally integrates current and planned cybersecurity RD&D investments andensures strategy alignment. Implementation will also be carried out in close coordination withother relevant governmental offices and agencies, such as the Department of HomelandSecurity (DHS) and the Department of Commerce’s National Institute of Standards andTechnology (NIST).0FEERE’s mission is to conduct early-stage energy research in the transportation, buildings,manufacturing, and renewable power sectors. Technologies developed by EERE are part ofDOE’s strategy to advance energy dominance and ensure a secure, reliable, resilient,affordable, and enduring supply of American energy. As EERE technologies become moreaffordable with corresponding market uptake, it becomes a mission priority to integrate thesetechnologies into the Nation’s energy systems.The focus of EERE’s early-stage research is to effectively integrate renewable generation at thebulk power and distribution levels, and to advance energy efficiency and storage technologies,as well as intelligent demand management in the buildings, manufacturing, and transportationsectors. Sensors and controls that are connected to communicate through the Internet orother information technology (IT) platforms are key to fully integrating EERE technologies todeliver on more affordable and efficient energy use. Many semiconductor devices for sensors,U.S. Department of Energy Cybersecurity Strategy. %202018-2020-Final-FINAL-c2.pdf.1EERE Cybersecurity Multiyear Program Plan Page i
Department of Energy May 2021controls, and power electronics in EERE technologies are identical or very similar, so EERE mustaddress cybersecurity cohesively. A reliable and resilient energy supply depends on improvingcybersecurity defenses and mitigating the cyber vulnerabilities of these technologies.This MYPP supports the implementation of White House Executive Order (EO) 13800 2, whichdirects Federal agencies to support cyber risk management efforts for critical infrastructure,and to work with the energy sector to identify, protect, detect, respond, and recover fromcyberattacks targeting energy infrastructure. It also utilizes the NIST Framework for ImprovingCritical Infrastructure Cybersecurity (the Framework) 3 as recommended by the EO to guideEERE’s R&D activities, and will leverage other NIST standards and the investments of otherFederal agencies.1F2FAll R&D discussed in this report will be planned and executed in coordination with CESER, DOE’sdesignated lead on cybersecurity, to enhance synergy and mitigate duplication.Current Situation EERE’s offices develop operational technologies and systems (“EERE technologies”)critical to all 16 of the Department of Homeland Security's critical infrastructuressectors 4.EERE and its stakeholders are addressing, and must continue to address, evolving cyberthreats to secure these infrastructures.EERE’s increased attention to cybersecurity is the result of recent advancements madein functionality and interoperability in EERE technologies that now make cybersecurity amore pressing issue. New technologies must be designed with cybersecurity as arequirement.Cyber threats targeting EERE technologies present an immediate risk to the integrity andavailability of energy infrastructure and other systems critical to the Nation’s economy,security, and well-being.3F EERE's Strategy Support the goals of White House EO 13800, align with DOE’s Office of ElectricityDelivery and Energy Reliability Multiyear Plan (MYP) for Energy Sector Cybersecurity 5and complement cyber strategies from DHS and the Department of Defense.4FWhite House Executive Order (EO) 13800. T Framework for Improving Critical Infrastructure Cybersecurity. https://www.nist.gov/cyberframework.4Department of Homeland Security. ectors5DOE’s Office of Electricity Delivery and Energy Reliability MYP for Energy Sector les/2018/05/f51/DOE Multiyear Plan for Energy Sector Cybersecurity 0.pdf.2EERE Cybersecurity Multiyear Program Plan Page ii
Department of Energy May 2021 Accelerate cybersecurity R&D to strengthen technologies and systems that are critical totransportation, buildings, renewable power, and manufacturing, which are increasinglyinterconnected and vulnerable.Empower EERE stakeholders to better identify, protect, detect, respond to, and recoverfrom evolving cyber threats and vulnerabilities through R&D focused on cybersecurity ofenergy delivery systems.Facilitate robust engagement and partnership with industry, academic, and governmentstakeholders to ensure EERE’s early-stage research accurately tracks the dynamic needsof operational technology cybersecurity without duplicating ongoing efforts.Provide a unified approach towards improving the cybersecurity of EERE technology,and support flexibility of focus at the technology office level to address the diversity ofrisk profiles: Renewable Energy. EERE R&D has contributed to falling costs of renewableenergy technologies and increased use in U.S. electricity generation. The longterm security and sustainability of this success requires increased cyberresilience of systems that are increasingly integral to our Nation’s electricityinfrastructure. New renewable energy technologies, such as advanced solarinverters, must be designed with cybersecurity as a requirement. Transportation. Vehicles are increasingly connected through newcommunication capabilities and electrification requiring connection to the grid toenhance performance. However, malicious actors could exploit thesecapabilities to disrupt or deny normal operations and functionality of consumers,public fleets, electric-vehicle charging stations, and the electric grid. Manufacturing. Digitization and automation have greatly increased thecomplexity and inherent risk of globally distributed cyber-physical supply chainsin manufacturing. Advances in automation technologies, including sensors andcontrols, hold promise for increased performance, energy efficiency, andeconomic growth, but have also introduced new cyber vulnerabilities. Buildings. With 350,000 Federal facilities, 5.5 million commercial buildings, and118 million homes, connected devices and systems offer building owners,managers, and occupants increased performance, physical security, productivity,energy management options, and value across a host of products. Proliferationof these technologies presents new cyber threats and vulnerabilities to buildingsand their business and residential occupants.Achieve the following goals and objectives across represented sectors and technologyoffices. This unified approach includes integrated projects that take advantage ofsynergies across these four sectors. EERE activities that map to the Framework’s corefunctions are delineated by italics within the sub-bullets.Goal 1: Accelerate Cyber Resilience R&D of EERE Operational Technologies1.1 Improve cybersecurity defenses and resilience. Enhance EERE stakeholders’ ability todetect and protect against cyber threats and vulnerabilities. Develop metrics andEERE Cybersecurity Multiyear Program Plan Page iii
Department of Energy May 2021consequence analysis to prioritize future cyber resilient R&D opportunities.1.2 Mitigate vulnerabilities. Improve capability to respond to threats and mitigatevulnerabilities in a timely manner. Identify actionable cyber defense capabilities for EEREstakeholders and validate solutions.1.3 Next-generation cyber resilient technologies. Defend against evolving cyber threats bydesigning new EERE technologies with cybersecurity as a requirement, such as adaptive andself-healing technology solutions and systems resilient to cyberattacks.Goal 2: Increase EERE Stakeholder Cybersecurity Awareness2.1 Improve situational awareness. EERE stakeholders must improve their ability to identifycritical EERE cyber technology threats, vulnerabilities, and defenses through R&D, training,assessments, adopting, and implementing cybersecurity risk management best practices.2.2 Enhance EERE technology cybersecurity maturity. EERE stakeholders will research,develop, implement, and assess cybersecurity best practices to protect EERE technology,including cybersecurity maturity and tools. 65F2.3 Identify opportunities for EERE stakeholder participation in cyber incident responseexercises. Enhance understanding of EERE stakeholder cyber exercise requirements toadvanced preparedness and ability to rapidly recover from cyberattacks, including incidentresponse and recovery plans and engagement with appropriate sector-specific agencies(SSAs).EERE’s holistic and unified approach addresses these goals by investing in cybersecurity R&Dand preparedness measures across its technology offices. Its R&D activities aim to mitigatecommon threats and vulnerabilities in hardware and software throughout its portfolio,including, but not limited to: power electronics, sensors, control systems, and informationcommunication technology. These technologies are driving increased connectivity andinteroperability of both new and legacy systems. Innovations made to secure machine learningalgorithms for cyber analytics or converged legacy and smart system environments can beimplemented in technologies across transportation, renewable power, buildings, andmanufacturing sectors.A holistic approach to the cyber challenge will also help better identify critical communications,device architectures, and associated cyber vulnerabilities across EERE’s diverse portfolio.The common elements of existing frameworks and models will be used by EERE technology offices asappropriate, thereby ensuring a unified and coordinate approach; for example, the Federal Energy ManagementProgram’s Facilities Cybersecurity Maturity Model. E Cybersecurity Multiyear Program Plan Page iv
Department of Energy May 2021Stakeholders will be able to better develop and implement cyber best practices from otherindustries to drive future sector-specific or cross-cutting cyber R&D to achieve resilience.Cybersecurity is a continuous process, not an end state. Realization of EERE’s overallcybersecurity goals requires this MYPP to be accompanied by robust engagement andpartnership with industry, academic, and government stakeholders. See Appendix C for anoverview of each office’s technological focus area in 2019.EERE Cybersecurity Multiyear Program Plan Page v
Department of Energy May 2021EERE CYBERSECURITY MULTIYEAR PROGRAMPLANTable of ContentsExecutive Summary .iIntroduction . 1EERE Cyber Strategy . 2EERE’s Integration and Storage Priorities Require Cybersecurity . 3EERE’s Cyber Risk Landscape . 5Detecting and Mitigating OT Cyber Vulnerabilities. 6Limited Cybersecurity Protection . 7Identifying Cybersecurity Threats . 7Workforce Lacking Resources . 7MYPP Goal 1: Accelerate R&D of EERE Cybersecurity Operational Technologies . 9Key Challenges. 9Objectives and Activities . 10Integrated Solutions. 11Performance Targets . 11MYPP Goal 2: Increase EERE Cybersecurity Situational Awareness . 13Key Challenges. 13Objectives and Activities . 14Integrated Solutions. 15Performance Targets . 16Current Projects . 17EERE Cybersecurity MYPP Milestones . 18Conclusion . 22Appendix A: References . 23Appendix B: Statutory and Executive Authorities for Cybersecurity . 25Appendix C: Cybersecurity Focus Areas by EERE Office . 27Appendix D: Converged Cyber and Physical Devices. 29EERE Cybersecurity MYPP Page vi
Department of Energy May 2021IntroductionThe U.S. Department of Energy's (DOE’s) Office of Energy Efficiency andRenewable Energy (EERE) 7 invests in research and development (R&D)of technologies used in the generation, distribution, storage, andconsumption of energy. The Department of Homeland Security (DHS)has warned of increasing cyberattacks targeting energy technologiesand associated industrial control systems (ICS), which are essential tothe operations of technology and systems across EERE offices (“EEREtechnologies”). 86F7FEERE technologies represent a large and diverse number of devices,equipment, and systems, but share common vulnerabilities acrossvarious aspects of Operational Technology (OT), which includes but isnot limited to: ICS, supervisory control and data acquisition (SCADA)systems, distributed control systems (DCS), and other control systemconfigurations such as programmable logic controllers (PLC) often foundin the industrial sectors and critical infrastructures. 9 EERE focus areasinclude:8F Power Electronics. Power electronics have enabled newperformance capabilities and are pervasive across EEREtechnologies, introducing hardware with various vulnerabilitiesin both new and legacy technologies.Sensors, Control Systems, and Communications. Advances indigitization, automation, and enterprise integration havecontributed to the rapid progression and sophistication of EEREtechnologies. Often, greater efficiency or savings can beachieved by systems optimization enabled by sensors andcontrols even without the same devices being installed.However, the cyber-physical convergence of operational andINTEGRATIONREQUIRESCYBERSECURITYAdvances in functionality andinteroperability within thetransportation,manufacturing, buildings, andrenewable power sectorshave significantly impactedthe demand profiles of theU.S. electric grid. EEREtechnology and systeminnovation will influence thegrid of tomorrow bycontributing toimprovements to renewablebulk power technologies,energy storage, andintelligent load control.Previously many of thesetechnologies, equipment, andsystems were non-connectedto the Internet and thus hadminimal cybersecurityvulnerabilities. Current EERER&D integrates newfunctionalities andcapabilities for enhancedflexibility and resiliency,which introduces cybervulnerabilities that need tobe continuously addressed.DOE’s Office of Energy Efficiency and Renewable Energy. cyrenewable-energy.8EERE is organized across 11 offices: Solar Energy Technologies Office, Wind Energy Technologies Office, WaterPower Technologies Office, Geothermal Technologies Office, Bioenergy Technologies Office, Vehicle TechnologiesOffice, Fuel Cells Technologies Office, Building Technologies Office, Advanced Manufacturing Office, Federal EnergyManagement Program, and the Weatherization and Intergovernmental Programs Office.9National Institute of Standards and Technologies. May 2015. “Guide to Industrial Control Systems (ICS).” NISTSpecial Publication 800-82 Rev 2.7EERE Cybersecurity MYPP Page 1
Department of Energy May 2021informational technologies represents potential newattack surfaces as some technologies have prioritizedfunctionality over security.MELTDOWN &SPECTRE Connectivity. EERE technologies are increasinglyinternet- and grid-connected, bringing newopportunities for energy savings, agility to changinggrid conditions, and consumer comfort – but alsoexpanding the cyberattack surface. Legacy Systems. Operational equipment generallyfaces a much longer lifespan than informationtechnology (IT) and lacks basic cyber defenses.Improving the cybersecurity of systems dependent onlegacy equipment is difficult and costly.EERE Cyber StrategyThe EERE R&D portfolio aims to reduce the threat ofmalicious actors exploiting vulnerabilities that would disruptcritical energy efficient and renewable energy infrastructuresvital to our Nation’s economy, national security,environment, and well-being. This EERE CybersecurityMultiyear Program Plan (MYPP) outlines the approach,encompassing all EERE programs, to further bringcybersecurity into early-stage technology R&D so newtechnology is more cyber-resilient by design to betteridentify, protect, detect, respond to, and recover from cyberthreats and vulnerabilities.This MYPP aligns with DOE’s Office of Electricity Delivery andEnergy Reliability Multiyear Plan (MYP) for Energy SectorCybersecurity 10 11, which discusses three overarching goals:1) Strengthen energy sector cybersecurity preparedness; 2)Coordinate cyber incident response and recovery; and 3)Accelerate game-changing R&D of resilient energy delivery9F10FPublicly disclosed in January2018, Meltdown and Spectrerepresent a class of wideranging vulnerabilities thataffects nearly everycomputer chipmanufactured in the last 20years.These hardware flaws allowmalicious actors to bypasssystem security protectionsin a wide range of systemscritical to EERE technologiesand critical energyinfrastructure, fromindustrial control systemsused in advancedmanufacturing to buildingautomation.Exacerbating the challenge,Meltdown and Spectre takeadvantage of a hardwareflaw across multiple vendorsand hardwaremanufacturers. DHS ICSCERT has warned thatsoftware patches to protectagainst these vulnerabilitieshave had limited success inmitigating the threat.Solutions can also evenseverely reduce thecapabilities required by EEREtechnologies and systemssuch as ICS/SCADA andbuilding automationDOE’s Office of Electricity Delivery and Energy Reliability MYP for Energy Sector les/2018/05/f51/DOE Multiyear Plan for Energy Sector Cybersecurity 0.pdf.11The DOE Office of Electricity Delivery and Energy Reliability responsibility for Energy Sector cybersecurity hastransferred to the DOE Office of Cybersecurity, Energy Security, and Emergency Response (CESER)10EERE Cybersecurity MYPP Page 2
Department of Energy May 2021systems. EERE’s core mission is to support early-stage R&D, thus, the focus of its activitiesaligns with Goal 3.EERE focuses on early-stage research and development of innovative EERE technologies andtools that prioritizes cybersecurity. Given the speed and rate at which cyber threats evolve, thesecond focus is on EERE stakeholder preparedness and improved situational awareness toinform R&D needs. This MYPP supports implementation of White House Executive Order(EO) 13800 12, which supports cyber risk management for critical infrastructure owners andoperators. 1311F12FThe Director of the EERE Federal Energy Management Program (FEMP) is leading the EEREefforts in cybersecurity and will continue to lead these implementation efforts. FEMP is the onlyoffice within EERE to have a dedicated security and resilience program; additionally, FEMPprovides a convening role across and within the federal government to understand and addresskey energy and water cybersecurity challenges within federal facilities – many of which areaddressed by technologies developed by EERE offices. FEMP’s subjective and objectiveexperience on cybersecurity provides a useful lens in which to view overall goals and progresstowards integrating cybersecurity into EERE’s programmatic activities. Integration across EEREensures that lessons learned from cybersecuring R&D activities related to system componentscommonly found in operational technologies (OT) are coordinated to ensure efficient use ofresources.EERE plans to continue to work with industry, academic, and government partners to ensurethat this MYPP is successfully accomplished. It will leverage existing activities from industry,like work currently being conducted by professional societies such as the American Society ofHeating, Refrigerating and Air-Conditioning Engineers (ASHRAE), American National StandardsInstitute (ANSI), International Electrotechnical Commission (IEC), the Institute of Electrical andElectronic Engineers (IEEE), Society of Automotive Engineering (SAE) International, and others.These stakeholders also provide input back to EERE on key cybersecurity challenges andresearch needs.EERE’s Integration and Storage Priorities Require CybersecurityGrid modernization is increasing the digitization, automation, and complexity of energyinfrastructure. As the cost of renewable energy technologies such as utility-scale onshore windand photovoltaic solar fall, adoption has increased. EERE is working to improve grid integrationto increase the flexibility of those and other generation, storage, and demand “resources” viaWhite House Executive Order (EO) 13800. ity-federal-networks-critical-infrastructure/.13EO 13800 encourages Federal agencies to use the NIST Framework to address cyber risk while protecting criticalinfrastructures. EERE’s activities map directly to the five Framework Core Functions (identify, protect, detect,respond, and recovery). This ensures that while EERE offices face diverse threats across technology and actors,EERE technologies will be better equipped to address, respond to, and recover from cyber threats.12EERE Cybersecurity MYPP Page 3
Department of Energy May 2021cross-cutting initiatives such as the Grid Modernization Initiative (GMI) 14. In addition, officespecific initiatives such as improving advanced power electronics from the AdvancedManufacturing Office and developing adaptive control technologies from the BuildingTechnologies Office are critical to a future, more flexible grid.13FEERE’s portfolio-based approach to energy storage increases the reliability, resiliency, anddiversity of the electric grid. The Energy Storage Grand Challenge takes a holistic view ofenergy storage technologies from next-generation battery technologies to electric vehicles 15, toenergy-efficient, grid-interactive building technologies 16, to pumped storage hydropower, toHydrogen at Scale 17.14F15F16FEERE stakeholders face both consumption and generation cyber challenges. End users mustsimultaneously deal with the cyber-performance of systems that include technologiesdeveloped by EERE funded R&D interconnected with other devices, including those embodiedin the Internet of Things (IoT). 18 The number of business that use IoT devices almost doubledbetween 2014 and 2019 and the worldwide number of IoT devices is expected to triplebetween 2018 and 2023 to 43 billion devices. 19 This increasing interconnectivity oftechnologies and devices increases their overall cyber vulnerability and the need to improve thecyber resilience of EERE developed technologies. This MYPP considers the overlappingvulnerabilities and solutions by utilizing a systems perspective on cybersecurity, recognizingthat individual fixes will not successfully resolve all cybersecurity issues on their own.17F18FAttention to state-of-th
The U.S. Department of Energy (DOE) Office of Energy Efficiency and Renewable Energy (EERE) has prepared this Cybersecurity Multiyear Program Plan (MYPP) to guide cybersecurity research and development (R&D) for EERE technologies. This MYPP aligns with the U.S. Department of Energy Cybersecurity Strategy 0F 1
