A new office created last month by Energy Secretary Rick Perry to strengthen the department’s focus on cyber security will work with government and industry to address threats to the energy sector and focus on research and development efforts with longer term payoffs, a Department of Energy official said on Thursday.
“These activities will develop the next-generation of cyber security control systems, components and devices, including enhancing our ability to share time critical data with industry to detect, prevent and recover from cyber events,” Bruce Walker, assistant secretary for the Office of Electricity Delivery and Energy Reliability, told a Senate panel.
The Office of Cybersecurity, Energy Security, and Emergency Response (CESER) will work with the Department of Energy’s national laboratories on the R&D efforts to “improve cyber security and resilience and to harden and evolve critical grid infrastructure,” Walker said. The new office “will build upon what we do today, significantly increase the department’s focus on energy infrastructure protection and will enable more coordinated preparedness and response to physical and cyber threats as well as natural disasters,” he told the Committee on Energy and Natural Resources, which held a hearing to examine the cyber security posture of energy critical infrastructure in the U.S.
In his written testimony, Walker said that initially work that CESER does is currently done in two of his divisions: Infrastructure Security and Energy Restoration, and Cybersecurity and Emerging Threats Research and Development.
The Department of Energy is requesting just over $95 million in FY ’19 for CESER, which Walker said will also have responsibilities for coordinating efforts with other government agencies and the private sector around threats to the energy sector.
The CESER Office will report to the Undersecretary of Energy.
Robert Lee, CEO of the cyber security firm Dragos, suggested three recommendations to the panel regarding the CESER office. First, he said, is that the office receives multi-year funding and provide “greater operational support” to priority areas, including “risk consequence driven cyber informed engineering.” This area, Lee said, is already one that has been “highlighted” by the department.
Second, Lee said, is that the office be the hub for “de-duplicating efforts” in the department and labs to avoid unnecessary overlap with the private sector. Finally, he said, CESER should take advantage of the “insights and intelligence” on threats that exist in private sector and Information Sharing and Analysis Centers that already exist to collect and share information about cyber threats.
Such partnerships “will ensure we don’t recreate efforts and all achieve security to our infrastructure,” Lee said. Lee previously worked for the National Security Agency.
Citing U.S. intelligence agencies, Walker said cyber threats to the energy sector are “increasing in number and sophistication,” adding that “Our adversaries understand the energy sector is a valuable target because of the assets the sector controls, including our defense energy critical infrastructure.