The US Energy Department issued the guidance “Energy Sector Cybersecurity Framework Implementation Guidance” for organizations operating in the industry.

The Energy industry is constantly under attack, and the number of hacking campaigns targeting the sector is increasing exponentially. Energy companies and utilities have to adopt a proper cyber security posture in order to mitigate the cyber threats. Some of the pillars of the cyber security approach in the Energy industry are the development of efficient risk management strategies, the adoption of cyber best practices, and the sharing of information regarding threats, incidents, and countermeasures.

On Jan. 8, the US Energy Department released a voluntary guidance, titled “Energy Sector Cybersecurity Framework Implementation Guidance”, for organizations operating in the industry. The Energy Sector Cybersecurity Framework Implementation Guidance was prepared in response to the Cybersecurity Framework released by the National Institute of Standards and Technology (NIST) in 2014. The document highlights the necessity of improving the collaboration between private industry and government entities to mitigate cyber threats.


The guidance proposes principles and effective practices of risk management to develop a comprehensive cybersecurity framework necessary to improve the security and resilience of critical infrastructure in the Energy sector.

“The U.S. Department of Energy (DOE), as the Energy Sector-Specific Agency, worked with the Electricity Subsector and Oil & Natural Gas Subsector Coordinating Councils along with other Sector-Specific Agencies to develop this Framework Implementation Guidance specifically for energy sector owners and operators. It is tailored to the energy sector’s risk environment and existing cybersecurity and risk management tools and processes that organizations can use to implement the Framework.” reads the guidance.

The Energy Sector Cybersecurity Framework Implementation Guidance is designed to assist the organizations operating in the energy sector to:

  • Evaluate the current level of cyber security reached by the organization.
  • Characterize a target cybersecurity posture.
  • Characterize existing cybersecurity risk management programs, identifying gaps and possible improvements in compliance with the Guidance. It is suggested to prioritize the gaps based on the potential damage a cyber attack could cause.
  • Identify existing sector tools, standards, and guidelines that could be adopted to support the implementation of an effective cyber security framework.
  • Effectively demonstrate and communicate the risk management approach and the use of the Framework to both internal and external stakeholders.

The Energy Sector Cybersecurity Framework Implementation Guidance shows how organizations that adopt C2M2 (the Cybersecurity Capability Maturity Model) can align their security posture with the specification of the NIST Framework. The guidance also proposes a range of other existing tools and practices that can support the adoption of the Cybersecurity Framework. The Guidance was received positively by organizations operating in the Energy Sector, which consider it a guidance developed by the industry, for the industry.

Energy organizations are a privileged target of cyber attacks; for this reason, the implementation of the NIST Cybersecurity Framework is a necessary step to secure our society.

Pierluigi Paganini