Author_Institution :
Pacific Northwest Lab., Richland, WA, USA
Abstract :
One purpose of the Department of Energy (DOE) Infrastructure Assurance Outreach Program (IAOP) is to assist energy infrastructure providers in assuring the continued delivery of their critical services. One means of doing this has been the conduct of a number of vulnerability assessments for energy infrastructure providers. The assessments differ from those that are provided by other organizations in process, focus, scope and access to expertise. An assessment approach leveraged from other assessment methodologies has been developed that is unique. The focus is vulnerabilities of critical control systems in the context of a broader enterprise security assessment. Additionally, both physical and cyber security are evaluated, along with an analysis of threat, impact and overall risk characterization. The assessment also includes a risk assessment element to provide a framework for prioritizing recommendations generated from the other assessment elements. The DOE objective is to enable the energy infrastructure provider to enhance its security posture, with the understanding that these organizations are stewards of infrastructures with significant national importance. The sensitivity of the information gathered necessitates special provisions to address a key concern of industry: nondisclosure to external parties and the government. This is addressed through IAOP policies and through legally binding nondisclosure agreements with the participating national laboratories involved with the assessment. These security assessments are intended to augment the highly successful efforts by energy infrastructure providers to ensure reliability of service from traditional threats such as equipment failure, severe weather, or human error. However, changes in technology (primarily information technology), changes in business models (including that driven by deregulation), and the emergence of new external threats (ranging from hackers to state agencies and international competitors) suggest that industry may need to adopt new approaches to assuring delivery of energy services. It is toward this end that the assessments have been conducted
Keywords :
electricity supply industry; government policies; management; security of data; Department of Energy; Infrastructure Assurance Outreach Program; USA; critical control systems; deregulation; electric utilities; energy infrastructure providers; external threats; information technology; national importance; nondisclosure agreements; risk assessment; security assessments; service reliability; vulnerability assessment activities; Computer security; Control systems; Government; Information security; Laboratories; National security; Power industry; Risk analysis; Risk management; US Department of Energy;
