
Committee Leaders Call on Secretary Granholm to Fulfill DOE’s Duty to Lead Energy Cybersecurity

Cybersecurity guidance within the energy industry is fractured, inconsistent and incomplete. The April 8th letter (linked below) from Congress to DOE Secretary Granholm recommends that DOE take steps to ensure greater alignment with the new cybersecurity incident reporting legislation across the entire energy industry, not just the Bulk Electric System covered by the NERC CIP regulations. Congress should be commended for acknowledging the need for greater harmony and collaboration across the many sectors of energy industry infrastructure, and the broader need to ensure harmonization across all 16 critical infrastructure sectors.

Incident reporting is one "low-hanging fruit" where DOE could have a profound positive impact in advancing harmonization with other government initiatives. Cyber Supply Chain Risk Management (C-SCRM) is another "low-hanging fruit": here the energy industry is departing from the broader government initiatives and plans, and would benefit from DOE guidance toward greater harmonization and improved efficiency.

Executive Order 14028, NIST guidelines and requirements from other government agencies (e.g., the FDA) are directing software vendors to provide a "Software Bill of Materials" (SBOM), along with timely vulnerability disclosures and other "attestations" that a software consumer needs in order to assess the risks associated with a software product and its vendor. Presently, there are no NERC CIP standards in development that align with these broader government initiatives. DOE could address this gap by recommending the adoption of the NIST and CISA guidelines supporting Executive Order 14028 as standard practice across the energy industry critical infrastructure sectors under DOE's domain. DOE could take small but valuable steps toward harmonization with other government initiatives across all critical infrastructures by recommending the following items:

- Require software vendors to provide software consumers with a "Software Bill of Materials" (SBOM). Industry analyst Gartner predicts that "by 2025, 60 percent of organizations building or procuring critical infrastructure software will mandate and standardize SBOMs in their software engineering practices."

- Require software vendors to provide timely, automated vulnerability disclosure reports (VDR) following the industry standard described in ISO/IEC 29147:2018, which will enable software customers to achieve the following:

  - reducing risk by remediating vulnerabilities and informing users;
  - minimizing harm and cost associated with the disclosure;
  - providing users with sufficient information to evaluate risk due to vulnerabilities;
  - setting expectations to facilitate cooperative interaction and coordination among stakeholders.

- Replace energy industry specific questionnaires sent to software vendors with "attestations" from software vendors of their cybersecurity policies and practices, as required by the broader government initiatives, together with the other information required to conduct a comprehensive Cyber Supply Chain Risk Management assessment following NIST guidelines to satisfy Executive Order 14028.
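The two artifacts above, an SBOM and a VDR, are only useful to a software consumer if they can be cross-referenced mechanically. The following is an added example, not code from the post, from DOE or from any of the agencies named: it takes a constructed SBOM in the CycloneDX JSON layout (components identified by Package URL) and a constructed VDR (a simplified list of disclosures using the "introduced"/"fixed" version-range convention), and reports which shipped components are affected and whether a fix exists. All component names, versions and vulnerability ids are invented for illustration.

```python
"""Cross-reference an SBOM against a vendor VDR to find affected components.

Constructed example: the SBOM follows the CycloneDX JSON layout (components
identified by Package URL) and the VDR is a simplified list of disclosures
using an "introduced"/"fixed" version-range convention. All identifiers,
versions and vulnerability ids below are made up for illustration.
"""
import json

# Constructed SBOM (CycloneDX-like). The purl (Package URL) is the matching key.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "liblog", "version": "2.14.1",
     "purl": "pkg:maven/example/liblog@2.14.1"},
    {"type": "library", "name": "netparse", "version": "1.3.0",
     "purl": "pkg:pypi/netparse@1.3.0"},
    {"type": "library", "name": "tlsutil", "version": "0.9.8",
     "purl": "pkg:generic/tlsutil@0.9.8"}
  ]
}
"""

# Constructed VDR: one entry per disclosed vulnerability, naming the affected
# package (purl without version) and the introduced/fixed version range.
# A null "fixed" means the vendor has not yet shipped a fix.
VDR_JSON = """
[
  {"id": "EXAMPLE-2022-0001", "package": "pkg:maven/example/liblog",
   "introduced": "2.0.0", "fixed": "2.15.0", "severity": "critical"},
  {"id": "EXAMPLE-2022-0002", "package": "pkg:pypi/netparse",
   "introduced": "1.0.0", "fixed": "1.2.5", "severity": "high"},
  {"id": "EXAMPLE-2022-0003", "package": "pkg:generic/tlsutil",
   "introduced": "0.9.0", "fixed": null, "severity": "medium"}
]
"""


def parse_version(v):
    """Turn a dotted numeric version into a comparable tuple: '2.14.1' -> (2, 14, 1)."""
    return tuple(int(part) for part in v.split("."))


def split_purl(purl):
    """Split 'pkg:type/name@version' into ('pkg:type/name', 'version')."""
    base, _, version = purl.partition("@")
    return base, version


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed; a missing fix leaves the range open-ended."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def assess(sbom_text, vdr_text):
    """Return one finding per (component, vulnerability) pair that affects the SBOM."""
    sbom = json.loads(sbom_text)
    vdr = json.loads(vdr_text)
    by_package = {}
    for entry in vdr:
        by_package.setdefault(entry["package"], []).append(entry)
    findings = []
    for component in sbom.get("components", []):
        base, version = split_purl(component["purl"])
        for entry in by_package.get(base, []):
            if is_affected(version, entry["introduced"], entry["fixed"]):
                findings.append({
                    "component": component["name"],
                    "version": version,
                    "vuln_id": entry["id"],
                    "severity": entry["severity"],
                    "fix_available": entry["fixed"] is not None,
                    "fixed_in": entry["fixed"],
                })
    return findings


if __name__ == "__main__":
    for f in assess(SBOM_JSON, VDR_JSON):
        action = (f"upgrade to {f['fixed_in']}" if f["fix_available"]
                  else "no fix yet: apply mitigations and monitor")
        print(f"{f['component']}@{f['version']}: {f['vuln_id']} ({f['severity']}) -> {action}")
```

With the constructed inputs, `liblog` is reported as affected with an available fix, `netparse` is already past the fixed version and produces no finding, and `tlsutil` is reported as affected with no fix available. Real SBOM and VDR documents carry more fields and richer version semantics than the numeric dotted versions handled here; the point of the example is that a machine-readable SBOM plus a machine-readable VDR lets the consumer answer "am I exposed, and what do I do about it" without a questionnaire.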

DOE could make significant progress toward the goals outlined in the April 8th letter from Congress, and eliminate the duplicative, wasteful effort imposed on software vendors by requirements that differ between the energy industry and the broader government initiatives implementing Executive Order 14028 (guidelines DOE itself will likely be expected to follow). These small steps can be accomplished by DOE in relatively short order by leveraging the practices, resources and tools for SBOM, Vulnerability Disclosure Reporting (VDR) and vendor attestations that NIST, CISA and the other agencies working on Executive Order 14028 implementation have already made available.

[UPDATE May 15, 2022: DOE CESER has published a Fact Sheet that gives me reason to believe that harmonization of the energy industry cybersecurity initiatives with other government initiatives for Executive Order 14028 is possible, but not yet part of the DOE goals on cybersecurity.]