The U.S. Department of Energy released supply chain cybersecurity principles meant to help strengthen key technologies used to manage and operate electricity, oil, and natural gas systems.

The principles, released June 18, “establish best practices for cybersecurity throughout the supply chain that supports energy infrastructure” throughout the world, according to a DOE press release. The principles are meant to be applied by manufacturers and end users, the DOE said.

“Energy systems around the world face continuous cyberattacks and are vulnerable to disruption. As new digital clean energy technologies are integrated, we must ensure they are cyber secure to prevent destruction or disruption in services,” National Security Adviser Jake Sullivan said in an accompanying statement. The principles build on the Biden administration’s National Cybersecurity Strategy Implementation Plan, which encouraged big businesses to help protect the nation from cyberattacks.

For suppliers, the DOE recommended that, in addition to applying risk management principles to both the firm's own network and its upstream supply chain, they should maintain a proactive vulnerability management process that includes responsible handling and coordinated disclosure of vulnerabilities.

Additionally, firms should implement a proactive incident response plan and continually adapt to the threat landscape by updating systems regularly, employing patches and mitigations, and implementing lessons learned from operations, end-user experiences, and incident response.

For end users, the DOE recommended that they engage with suppliers to understand the security features and controls those suppliers use.

This includes contractual language covering the terms, conditions, and testing requirements for cybersecurity systems, as well as maintaining their own vulnerability management, incident response, and business/operational resiliency plans, to be put into effect in the event of a cybersecurity incident.
