Granholm says cyber R&D is a priority at DOE

Department of Energy Secretary Jennifer Granholm on Thursday said cybersecurity research and development will be a top priority for DOE technology programs in the agency's fiscal year 2022 budget and rebutted suggestions that the administration was not sufficiently prioritizing cybersecurity in the wake of multiple high-profile intrusions.

"I know from our industry partners that I have spoken to that they are totally focused on it and I am completely committed to getting them, and us the tools and the intelligence and the cyber response that they need to address the threats that are out there," Granholm said during a House Appropriations subcommittee hearing.

The secretary's comments were in response to questions from Rep. Mike Simpson (R-Idaho), the subcommittee's ranking member, who said the DOE's budget overview lacked any mention of cybersecurity.

"I was concerned to see not a single mention of cybersecurity in the DOE's budget overview," he said. "Cyber threats like these are persistent and increasing. As our world becomes more reliant on Internet-connected capabilities and technologies, we know that the cybersecurity challenge in front of us will increase in scope."

Simpson cited the hacking campaign against SolarWinds, the notable uptick in ransomware and the intrusion into a Florida community's water treatment plant that nearly resulted in the town's water supply being poisoned with dangerous levels of lye.

Granholm said she is refocusing the Energy Department's Office of Cybersecurity, Energy Security, and Emergency Response (CESER) on providing grid operators with threat intelligence and response capabilities. "I'm also going to be making sure that cyber R&D is a focus for all of our technology programs," she added.

In written testimony, the secretary also noted a 100-day plan announced by the White House in April to shore up the country's electrical grid.

The secretary also touted the April 12 hiring of Puesh Kumar, who led cybersecurity engineering at Southern California Edison, to head CESER on an acting basis.

Cybersecurity regulations can vary based on industrial sectors. For the water and wastewater treatment industry -- such as the Florida facility compromised earlier this year -- the Environmental Protection Agency is responsible for cybersecurity regulations. For the electrical industry, it falls to DOE.

In the aftermath of multiple cybersecurity incidents this past year, Biden administration officials have responded with their own flurry of efforts from various departments and agencies. The 100-day DOE plan to assess the country's grid is only one of those efforts.

At the White House, the administration has still not unveiled its wide-ranging cybersecurity executive order and is now devising a new plan to confront ransomware. Both the Justice Department and Homeland Security Department have established their own ransomware task forces.

Also at DHS, Secretary Alejandro Mayorkas during his confirmation hearing pledged to conduct reviews of the agency's two premiere cybersecurity programs -- Einstein and Continuous Diagnostics and Mitigation.

Asked about the status of Mayorkas' reviews, a spokeswoman for the Cybersecurity and Infrastructure Security Agency today declined to comment.