
Sat, Nov 2

Ask Microsoft Copilot: What is the difference between the DOE Secure by Design principles and the CISA Secure by Design principles?

My interview from November 4 with Deb Radcliff on this very topic is now available online (23 minutes).

I asked Microsoft Copilot: "What is the difference between the DOE Secure by Design principles and the CISA Secure by Design principles?"

The DOE (Department of Energy) and CISA (Cybersecurity and Infrastructure Security Agency) Secure by Design principles both aim to integrate cybersecurity into the design and development of systems and products, but they have different focuses and scopes:

DOE Secure by Design Principles

  • Focus: Primarily on the U.S. energy sector.

  • Scope: Emphasizes Cyber-Informed Engineering (CIE), which integrates cybersecurity considerations into the conception, design, development, and operation of energy infrastructure systems.

  • Key Elements:

    • Awareness: Educating stakeholders about cybersecurity risks.

    • Education: Training engineers and other professionals in cybersecurity best practices.

    • Development: Building secure systems from the ground up.

    • Current Infrastructure: Securing existing systems.

    • Future Infrastructure: Ensuring new systems are designed with security in mind.

CISA Secure by Design Principles

  • Focus: Broad application across various technology products and services.

  • Scope: Aims to shift the cybersecurity burden from consumers to manufacturers, ensuring products are secure from the design phase.

  • Key Elements:

    • Ownership: Manufacturers take responsibility for the security of their products.

    • Transparency: Emphasizing openness about security measures and vulnerabilities.

    • Leadership: Encouraging executive-level commitment to cybersecurity.

In summary, while the DOE principles are tailored to the energy sector and emphasize a holistic approach to cybersecurity throughout the lifecycle of energy systems, the CISA principles are broader and focus on ensuring that technology products are secure from the outset, with a strong emphasis on transparency and manufacturer responsibility.

So, if you are interested in principles that apply only to the OT domain in an energy ICS environment and don't care about products being "Secure by Default", then choose the DOE principles based on IEC 62443. If you are interested in managing Cyber Risk as Business Risk across an enterprise, both IT and OT domains, then choose the more holistic CISA Secure by Design principles and practices. Thank you Microsoft Copilot.
