DOE cyber arm preps risk management tool
- By Mark Rockwell
- Mar 14, 2019
The federal cybersecurity agency designated with protecting the energy sector is creating a tool that could help commercial electric critical infrastructure providers put a price tag on managing cybersecurity risk for their networks.
Karen Evans, assistant secretary for the Department of Energy's Office of Cybersecurity, Energy Security, and Emergency Response, said company executives don't want a lot of granular detail on cybersecurity technology, they want to see the bottom line.
"They want to know for 'X' amount of dollars how much risk is being reduced in the enterprise," Evans said. "We're working on a tool right now that will answer that question."
Evans said at a March 14 meeting of the DOE's Energy Electricity Advisory Board that CESER is working with the Energy Department's National Labs on a formula the tool will use.
Earlier this week, DOE officials said CESER would get $157 million for grid cybersecurity to support early-stage research and development to improve security and resilience that will help private infrastructure providers "harden and evolve" their systems against man-made and natural events.
Part of the challenge, experts said, is keeping ahead of cyber threats to the electrical infrastructure as they move down through bulk supply systems to distribution systems.
Evans wants the tool to be easy to use for a wide range of personnel and provide actionable information that doesn't have to be decoded among internal operations.
"We want the interfaces to be really simple, so that your cybersecurity person can sit with your engineer and say, 'We need to ask for $10,000 and here's all the risk points that we're going to reduce.'"
Quantifying risk reduction is a critical piece of protecting electric critical infrastructure, according to Evans and experts at the event participating on a cybersecurity panel.
Critical infrastructure providers, said Scott Aaronson, vice president, security and preparedness at the Edison Electric Institute, have reached a more mature level of understanding of the threat to their facilities.
Instead of fearing individual attackers and their specific tactics, he said, critical infrastructure providers learn what they can protect against, but they are also preparing for an almost inevitable breach.
"You can't protect 100 percent of everything 100 percent of the time," he said. "That's a sign of maturity," he said. Electrical providers, he said, have to prepare to recover as quickly and as effectively as possible.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at [email protected] or follow him on Twitter at @MRockwell4.