About the Control Systems Security Program

A key mission of the Department of Energy's (DOE) Office of Electricity Delivery and Energy Reliability (OE) is to enhance the security and reliability of the nation's energy infrastructure. Improving the security of control systems, which enable the automated control of our energy production and distribution, is critical for protecting the energy infrastructure and the integral function that it serves in our lives.

OE designed the Control Systems Security (CSS) program to assist leading utilities and energy companies in actively pursuing security solutions for control systems through integrated planning and a focused research and development effort.

CSS co-funds projects with industry partners to make advances in energy control systems that benefit the security of the government, the industry, and the public.

Critical Importance of Energy Control Systems

An efficient, secure, and reliable energy infrastructure is imperative as the energy sector confronts a convergence of physical and cyber systems.

Image provided courtesy of Kansas City Power & Light

Energy control systems are the brains that operate and monitor our energy infrastructure. Two examples of such systems are the Supervisory Control and Data Acquisition (SCADA) and the Distributed Control Systems (DCS). Most early SCADA system designs did not anticipate the security threats posed by today's reliance on common software and operating systems, public telecommunication networks, and the Internet. Control systems have become more productive and efficient, but the energy sector is faced with an unprecedented challenge in protecting systems against cyber assault.

Control Systems Security (CSS) is a unique program under the U.S. Department of Energy's (DOE) Office of Electricity Delivery and Energy Reliability (OE). Since its inception, the program has formed valuable links between the government, the energy sector, and national laboratories to conduct research and development in the area of cyber security. The aim of the program is to reduce the risk of energy disruptions due to cyber attacks, and so far the program's projects have uncovered a multitude of knowledge that has already increased the security of our energy control systems around the country.

CSS program activities fall under four project areas, guided by a risk-based approach to improving cyber security. They are:

• Next Generation Control Systems. Involving research and development that concentrates on accelerating the development and deployment of hardened control systems with built-in security.
• System Vulnerability Assessments. Through rigorous tests, exploitable systems vulnerabilities are revealed and through this we can encourage development of system fixes.
• Integrated Risk Analysis. Used to develop means for stakeholders to assess their security posture that will hasten the ability to mitigate potential risks.
• Partnership and Outreach. Through active partnerships, we can engage all stakeholders and encourage collaborative developments and dissemination of critical security information.

DOE is helping to address the critical security challenges of energy control systems through a focused R&D effort and integrated planning.

R&D: National SCADA Test Bed

Securing control systems is essential for protecting energy infrastructure. The National Research Council identified "protecting energy distribution services by improving the security of SCADA systems" as one of the 14 most important technical initiatives for making the Nation safer across all critical infrastructures. In addition, the National Strategy to Secure Cyberspace (2003) (PDF 980 KB) states that "securing DCS/SCADA is a national priority".

The National SCADA Test Bed provides testing environments to help industry and government identify and correct vulnerabilities in SCADA equipment and control systems within the energy sector.

More about the National SCADA Test Bed >

Planning: Roadmap to Secure Control Systems in the Energy Sector

Asset owners and operators, government agencies, and other stakeholders are pursuing various strategies to improve control systems security. In the absence of a unifying framework, DOE has partnered with the industry to develop a Roadmap to Secure Control Systems in the Energy Sector to help focus these diverse efforts.

The Roadmap identifies critical needs and priorities for improving the security, reliability, and functionality of control systems in the energy sector. DOE coordinated this roadmap development with DHS and relied on the energy sector to guide the process and ensure that the priorities reflect the needs of the electric, oil, and gas companies.

In a report to the president, the National Infrastructure Advisory Council (NIAC) recognized the Roadmap's success in developing and implementing cyber security solutions for control systems. The report recommended that all critical infrastructures adopt the Roadma'’s goal of securing control systems against loss of critical function from intentional cyber attack by 2015. It also recommended that the Department of Homeland Security and other sector-specific agencies collaborate with their partners to create their own sector-specific roadmaps using the energy sector's Roadmap as a model.

More about the Roadmap to Secure Control Systems in the Energy Sector >

To enhance the Roadmap's effectiveness, CSS created the interactive energy Roadmap (ieRoadmap), an online database where industry can map its R&D efforts for achieving Roadmap goals, evaluate its progress, and discover collaborative opportunities for future projects.

Highlight YOUR organization's activities to implement the Energy Sector Roadmap.