Manage Risk Before It Manages You

Take Action and Educate Before It’s Too Late

Guest Post By William Bryan, U.S. Department of Energy, Office of Electricity Delivery and Energy Reliability, Deputy Assistant Secretary for Infrastructure Security and Energy Restoration

For several years, Congress, the administration, and the media have intensified the call to improve the cybersecurity of the Nation’s critical energy infrastructure.  Often, that call to action translates into warnings about cascading outages, headlines predicting cyber destruction, and proposed legislation that regulates and fines critical infrastructure owners and operators.  The momentum continues to build to “do something” to fix the problem.  Meanwhile, stakeholders throughout the electricity sector have undertaken efforts to improve cybersecurity, but these efforts are not well known and have not received the same publicity as the hyperbole regarding cyber threats, solar storms, or other potential damage to critical infrastructure.

The administration and Congress have stated that the United States must signal to the world that it is serious about addressing this challenge with strong leadership and vision. Cybersecurity legislation is advancing in both chambers in the 112th Congress to meet this call. According to the Congressional Research Service, there are 6 bills in the Senate and 8 in the House under current consideration. There have been 17 Senate hearings and 37 House hearings between February 2011 and April 2012. These bills address a range of issues, from providing tougher penalties for cybercrime and giving the Department of Homeland Security oversight of federal information technology and critical infrastructure security to focusing on performance standards, research and development, and information sharing.

Promote known best practices and the sharing of critical and timely threat information.

Unfortunately, industry’s activities to prevent, prepare, respond to, and recover from cyber attacks rarely generate the same number of headlines. In June 2006, NERC adopted Cyber Security Standards CIP-002 through 009 specifying the minimum requirements needed to ensure the security of the electronic exchange of information for supporting the bulk power system. The Energy Sector Control Systems Working Group (ESCSWG) released the Roadmap to Achieve Energy Delivery Systems Cybersecurity in Sept 2011, which provides a platform for pursuing innovative and practical activities that will improve the cybersecurity of our nation’s energy infrastructure.  Additionally, in January 2011, NERC established an industry-government Cyber Attack Task Force to consider the impact of a coordinated cyber attack on the reliable operation of the bulk power system, and to identify opportunities to enhance existing protection, resilience, and recovery capabilities.

The Department of Energy, in partnership with industry and other stakeholders, is working to develop and promote known best practices and the sharing of critical and timely threat information between the public and private sector. The Electricity Sector Risk Management Maturity Initiative and the Risk Management Process Guidelines are two recent efforts to provide the tools and information to help the sector assess its own vulnerabilities to cyber threats in ways that accommodate the uniqueness of their systems. We understand the complexity of the Nation’s electric power systems, as well as the need for flexible solutions, and we are working with the sector to promote this message, and to work with those who have the responsibility for protecting the public interest.

About Bill Bryan, the office of Infrastructure and Energy Restoration

The office of Infrastructure Security and Energy Restoration (ISER) works with the National Security Staff, other U.S. government agencies, and international partners to enhance the security and resiliency of critical energy infrastructure and facilitate the reconstruction and recovery of damaged or disrupted energy systems. As a career Senior Executive, Mr. Bryan oversees the collection, analysis, and dissemination of vital information to all involved in energy response and restoration efforts. Mr. Bryan leads DOE’s efforts in the coordination and collaboration of energy sector-related reliability and resiliency activities between the energy industry and the federal government. He also leads the office in support of the electricity, oil, and natural gas industries in the development and implementation of infrastructure protection strategies and methodologies both at home and abroad. Before assuming his current position, Mr. Bryan served as the Director for Critical Infrastructure Protection (CIP) in the Office of the Under Secretary of Defense for Policy at the U.S. Department of Defense (DOD). He led all CIP and Defense Industrial Base (DIB) related activities within this office, and advised key DOD leadership on the relevance of current CIP and DIB capabilities, methodologies, and technologies in support of military and civil homeland defense efforts deemed essential to national security. Mr. Bryan holds a Master of Science in Strategic Intelligence from the Joint Military Intelligence College in Washington D.C. He also holds a Bachelor of Science in Logistics Systems Management (Summa Cum Laude) from Colorado Technical University in Colorado Springs, CO.
