Control systems used in the energy sector may be vulnerable to malicious cyber attacks, leading to potentially catastrophic disruptions in our critical infrastructures.  Improving the security of energy control systems is a crucial step for national infrastructure protection and requires new investment in research and development.

To provide a unified framework for control systems research efforts, DOE has partnered with industry to create a Roadmap to Secure Control Systems in the Energy Sector (PDF 2.1 MB). This vital document identifies critical challenges and priorities for improving security, reliability, and functionality of energy control systems. The Roadmap will guide technology investments by government and industry and enhance operating practices in the electric, oil, and gas sectors.

Critical Challenges to Improving Control Systems Security for the Energy Sector

Improving the security of control systems in the energy sector is a complex task that must overcome several key challenges:

• Ease of sophisticated attack. Cyber attack tools are becoming more sophisticated, while the knowledge required to use them is decreasing.
• Reliance on commercial software. Many software programs used in control systems are produced outside the U.S. and fail to address U.S. security concerns.
• Evolution toward distributed networks. Interconnected, web-enabled systems provide multiple points of entry for cyber attacks.
• Competitive energy market. Competitive pressures can deter private industry from investing in more secure control systems.
• High performance requirements. The high performance and reliability required of control systems may deter private industry from trying improved software and tools.
• Uneven, fragmented funding and operation. Resources for defining and testing control system vulnerabilities have been limited and inconsistent.

Critical Priorities for Improving Control Systems Security for the Energy Sector

Improving the security of control systems in the energy sector is a complex task. High-priority needs include:

Identifying Strategic Risks

• Articulating the business case for addressing control system vulnerabilities, threats, technologies, and needs.
• Creating an environment to promote information sharing about real-world, cross-sector attacks.
• Developing and implementing wire encryption technology to protect communication links.
• Continuing funding and use of the National SCADA Test Bed.

Legacy Systems

• Developing security solutions for legacy systems.
• Developing a long-term plan for managing a legacy system development life cycle.
• Identifying best practices for connecting legacy systems to business networks.
• Developing a security plan for incident response and recovery.

Security Tools and Practices

• Developing an automated system for managing security events.
• Agreeing on metrics/standards for measuring security.
• Identifying effective gateway security tools.

Control Systems Architecture

• Developing advanced components for intrusion detection, prevention, and alerting.
• Developing a security test harness.
• Developing a security architecture with plug-and-play compatibility.