How Energy's Cyber-Informed Engineering Strategy Fits into a Pending National Plan

A key White House official highlighted the importance of education and workforce training in the government’s procurement-centric cybersecurity policy.

The Energy Department’s work pulling together stakeholders to agree on a strategy to make the sector more resilient to cyberattacks by incorporating cybersecurity features and services early in the design and marketing phases of technology can be applied more broadly across the country, according to senior administration officials.

“Looking at those sectors that ride on industrial control systems, the water sector, now, more the transportation sector, advanced manufacturing, or even when we look at new construction of facilities, building automation, the principles outlined here are very applicable to all of those areas as well,” said Joyce Corell, deputy national cyber director for technology and ecosystem.

Corell, who was just added to the growing Office of the National Cyber Director, was referring to the principles of the Energy Department’s recently released report on a cyber-informed engineering strategy. She spoke Tuesday during an event hosted by Auburn University’s Frank Cilluffo. Corell and Cilluffo, a former DHS official under the George W. Bush administration, served together on the congressionally mandated Cyberspace Solarium Commission. Corell also worked on supply chain security out of the Office of the Director of National Intelligence during the Trump administration and is now part of the team responsible for issuing a national plan for cybersecurity.

“There's more connectivity and more automation, so I think the time is right for us to take this particular body of work to the next level,” Corell said regarding the importance of implementing “security by design” principles across all sectors reliant on industrial control systems. Acquiring ICS or operational technology may currently involve the risk of spotty support from manufacturers across the lifecycle of a device, or the inability to personalize access controls because of hardcoded passwords.

The strategy DOE is working on starts with education and workforce training initiatives, which fit neatly into the Office of the National Cyber Director’s prioritization of workforce development. Corell pointed to the inclusion of the secretary of labor along with other senior cabinet officials at a recent White House summit on the issue.

“What is coming out of this particular strategy, the framework outlined in the strategy, it's going to feed directly into that,” she said. “This is a good time in which to launch the strategy and see it be taken up by the energy, the energy industrial base. But, right now, as a nation, we have a number of openings in cybersecurity jobs … there are approximately 700,000 vacancies at the national level.”

That means focusing on “the importance of educational institutions, or training and accreditation institutions, baking in many of the core principles outlined in the strategy to get to secure-by-design and resilient systems,” she said, because, “achieving resilience is a priority for the national cyber director.”