The Department of Energy is the lead agency for combating cyber threats to the electric grid, but House appropriators are expressing concern that it is not doing enough to prevent hacking of its own operations, according to the House Appropriations’ full committee report on its fiscal 2018 Energy-Water spending bill.
The committee’s $37.6 billion draft bill would direct DOE, within 180 days of enactment, to create a cybersecurity implementation plan with the aim of strengthening DOE’s “cyber posture,” according to the report released Tuesday.
“The Committee is concerned that the Department has not been effectively addressing cyber threats to its enterprise,” the appropriators said in the report. “The Department developed a cyber strategy in December 2015, but failed to create an implementation plan to carry out its policy, which creates uncertainty throughout the enterprise on how to properly deal with cyber threats and safeguard the Department’s assets.”
With a wide-ranging portfolio including advanced nuclear energy research and development and management of the the nation’s nuclear weapon stockpile, the department’s work involves sensitive nuclear secrets that could be prime targets for cyber attacks.
On top of the implementation plan, the report would direct DOE to consolidate its cybersecurity efforts for the department under the Office of the Chief Information Officer, which would then disperse “not less than” $69 million for activities to protect against cyber attacks and secure information.
The committee’s cyber interest comes as federal agencies, including DOE, the FBI and the Department of Homeland Security, investigate the potential hack of nuclear plants and power plant system manufacturers that has raised congressional eyebrows. Media reports indicated that Russian backed hacking groups may be the lead suspect in last week's reported cyber attack.
DOE has been at the forefront of warning about the seriousness of the cyber threat to the electric grid.
In its second Quadrennial Energy Review, a sweeping analysis of the energy sector conducted under the Obama administration, DOE said that the cybersecurity of the grid remains a key vulnerability, and it should be treated with the same importance as other national security threats.
And the Appropriation Committee took notice.
“In addition to securing its own systems, the Department and our national laboratories play an important role in ensuring the resiliency of the nation’s electric grid and energy infrastructure,” the report said. “The Committee recommendation provides targeted investments that will defend the U.S. energy sector against the evolving threat of cyber and other attacks.”
Among other program areas with cyber-related activities, the Office of Electricity Delivery and Reliability, which leads the department's cyber-related research and development, would see a total funding allocation of $219 million — an increase of $99 million compared to the administration's fiscal 2018 budget request, but $12 million less than fiscal 2017.