Developing a cybersecurity risk management strategy would improve the Department of Energy’s (DOE) efforts to manage cybersecurity risks and protect the nation’s electric grid, the Government Accountability Office (GAO) said in its latest annual priority recommendations report to the agency.
GAO outlined 26 priority recommendations for DOE that fall into eight focus areas – including improving cybersecurity.
“The energy sector is part of the nation’s critical infrastructure that provides essential services that underpin American society,” GAO noted in the report. “Recent high-profile cyberattacks targeting the public and private sectors highlight the urgent need to address cybersecurity weaknesses.”
The first open recommendation directs the Energy Secretary to consult with the Department of Homeland Security (DHS), the National Institute of Standards and Technology, and other sectors to develop methods for determining the level and type of cyber framework adoption by entities across their respective areas.
According to GAO, DOE neither agreed nor disagrees with the recommendation. But in early 2022, DOE did take initial steps to determine framework adoption for the energy sector – including tracking requests for a sector-based cybersecurity toolkit, assessing polling data, and obtaining anecdotal reports on framework use from sector entities.
However, those efforts did not provide sufficient information for the agency to determine the level and type of framework adoption throughout the energy sector, GAO said.
To fully implement this recommendation, DOE needs to implement these planned steps effectively to determine framework adoption among entities within the energy sector, GAO explained.
“Until agencies have a more comprehensive understanding of the use of the cyber framework by critical infrastructure sectors, they will be limited in their ability to understand the success of protection efforts or determine limited resources for cyber risk mitigation,” GAO stated.
The second open recommendation instructs the Secretary of Energy to develop a cybersecurity risk management strategy that includes the elements identified in GAO’s original report on the issue delivered in 2019.
DOE agreed with this recommendation, and in January 2022 DOE issued its Enterprise Cybersecurity Program Plan (E-CSPP). The E-CSPP outlines the department’s approach to cybersecurity risk management and implementation of cybersecurity requirements from an organizational perspective.
However, neither the ECSPP nor most of the departmental element plans the GAO reviewed included a detailed discussion of organizational risk tolerance.
“As of April 2022, DOE had not provided additional documentation of its cybersecurity risk tolerance,” GAO noted. “To fully implement this recommendation, DOE should ensure that its plans provide such a discussion. Until it does, the department may lack a clear organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect its systems and data.”
The last cyber-related recommendation directs the Energy Secretary to coordinate with DHS and other relevant stakeholders to develop a plan aimed at implementing the Federal cybersecurity strategy for the electric grid, and ensuring that the plan addresses key characteristics of a national strategy – including a full assessment of cybersecurity risks to the grid.
DOE also agreed with this recommendation and in response stated that it was working through an interagency process to develop a National Cyber Strategy Implementation Plan that would consider DOE’s Multiyear Plan for Energy Sector Cybersecurity. However, those documents do not fully address all the characteristics needed to implement a national strategy, GAO said.
According to GAO, DOE must develop a plan for implementing the Federal cybersecurity strategy for the electric grid, ensure that the plan addresses the key characteristics of a national strategy, and coordinate that plan with DHS and other relevant stakeholders.
“Until DOE ensures that it has a plan aimed at implementing the Federal cybersecurity strategy – relating to the grid – [that] addresses all of the key characteristics of a national strategy, the guidance that the plan provides decision-makers in allocating resources to address risks and challenges will likely be limited,” GAO said.