Department of Energy Releases New Supply Chain Cybersecurity Principles

August 28, 2024

The U.S. Department of Energy has released a set of supply chain cybersecurity best practices, targeting both providers and end users in critical infrastructure sectors, including electricity, oil, and natural gas. As summarized in an article by Anna Ribeiro on the Industrial Cyber website, they are intended to “help secure equipment and technologies before they are exploited by cyber actors seeking to cause destruction or disruption to critical infrastructure.” 

The principles were formulated under the aegis of the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) in collaboration with Idaho Technical Laboratory, one of 17 national labs in the DOE complex. Ten of the principles are tailored specifically for suppliers, and ten are for end-users.

Energy sector suppliers and manufacturers, including GE Vernova, Schneider Electric, Hitachi Energy, Schweitzer Engineering Laboratories, Rockwell Automation, Siemens, Siemens Energy, and Honeywell, endorsed the supply chain cybersecurity principles.

The DOE is also coordinating a new effort involving international government and industry partners to align the principles with existing requirements, develop guidance for operationalizing the principles, and identify possible gaps.        

Per the Industrial Cyber article summary, the issues addressed to suppliers are the development and maintenance of “appropriate incident response plans,” both for events within the enterprise and in support of end users responding to incidents involving the supplier’s products or services. 

Among the imperatives for end-users is incorporating “appropriate principles and practices from recognized cybersecurity frameworks into the design of the organization’s defenses of its critical functions, infrastructure, and information.” End-users should engage with suppliers “to understand the security features and controls of their offering to ensure they are adequate for the intended purpose or identify necessary compensating controls.” 
