
Strengthening OT defenses safeguards critical national labs and infrastructure, reducing the risk of disruptive cyber incidents that could impact national security and essential services.
Operational technology is rapidly converging with traditional IT, creating a sprawling attack surface that extends beyond conventional networks. As labs digitize control systems—from particle accelerators to power grids—cyber adversaries gain new footholds, prompting the Department of Energy to centralize expertise. By forming a dedicated Center of Excellence, DOE not only pools talent from its Office of Science and the National Nuclear Security Administration but also sets a benchmark for federal OT risk management, emphasizing inventory accuracy and real‑time analytics to inform mitigation strategies.
A cornerstone of the Center’s strategy is human capital. Recognizing that sophisticated OT environments demand specialized skills, the program prioritizes workforce upskilling through immersive training on the Pacific Northwest National Laboratory’s OT cyber range. This sandbox replicates complex programmable logic controllers and other critical assets, allowing practitioners to experiment with defensive tactics without jeopardizing live operations. Coupled with data science initiatives, the range transforms raw inventory data into actionable business intelligence, guiding both field engineers and senior decision‑makers toward zero‑trust architectures and robust vulnerability management.
The ripple effect reaches beyond Energy. Defense, State, and other agencies confront parallel OT challenges, from securing food‑service logistics for military families to protecting diplomatic facilities abroad. By championing network segregation, standardized policies, and shared training resources, the DOE Center of Excellence fosters a unified federal posture against OT threats. As more departments adopt similar collaborative frameworks, the nation moves closer to a resilient, intelligence‑driven cyber ecosystem capable of defending its most critical operational assets.
Agencies and laboratories under the Department of Energy are collaborating as part of a center of excellence concept focused on securing the operational technology that undergirds many critical systems.
Matthew Kwiatkowski, the chief information security officer for the cybersecurity team at the Fermi National Accelerator Laboratory, said the concept brings together cyber experts from across DoE to work toward solving OT security challenges.
The center of excellence is sponsored by DoE’s Office of Science and the National Nuclear Security Administration.
That work comes amid increasing concern about hackers targeting OT systems that operate sensitive equipment at DoE labs and in critical infrastructure across the country. OT is often specialized equipment that is increasingly being digitized, integrated with other technology and connected to the internet, in some cases bringing with it a host of new, less understood cybersecurity challenges.
Kwiatkowski said the DoE group has identified workforce development as one major challenge facing the OT cybersecurity community.
“If you’re going to put together a strategic plan to raise the maturity level of operational technology, or operational technology coming together with IT, you have to make sure that the workforce you have in place is ready for that,” Kwiatkowski said during a Federal News Network webinar. “So one of the focuses is to work with the operational technology workforce across the Department of Energy to make sure we’re all on the same page, we’ve all had the correct training in order to have the knowledge to make that next step.”
The center of excellence has also identified data science as a key component of a strong OT cybersecurity program. Many agencies with OT have been focused on inventorying those systems. But Kwiatkowski said beyond those “fundamental things,” organizations need to analyze that inventory and associated data to make informed cybersecurity decisions.
“You can call it data analysis. You can call it business intelligence,” he said. “There’s a couple other tagline keywords that you can give it, but you take that raw data, the inventory, and then you create business intelligence so that you can inform both the folks on the ground doing the OT work that need to do things like executive orders on zero trust and vulnerability management and network separation, and actually have that business intelligence also inform the leaders and the decision makers.”
Many agencies are grappling with similar OT cybersecurity challenges.
Michael Coleman, the chief information security officer at the Defense Commissary Agency, said DeCA is taking a hard look at the issue as it begins to replace legacy equipment.
He pointed out how a cyber incident could take down systems that are needed to operate commissaries and deliver food to military families across the world.
“Being able to disable or take away a capability here would impact that, not just logistically, but morale,” Coleman said. “So we’re keenly interested in making sure that what we do here does bring the groceries home.”
While OT and IT are increasingly converging, Coleman said keeping critical systems separate from other networked environments is still a core principle for OT security.
“One of the things that I do truly believe in is separation,” he said. “So having them on a separate network, definitely separate from what would be an operational environment, so that there is not just an air gap, but definitely true separation.”
Manuel Medrano, the director of the security operations center for the Bureau of Diplomatic Technology at the State Department, said State bureaus are collaborating to ensure the plethora of overseas facilities are secure from a cyber perspective.
“Some of the areas include to make sure that we do have the inventory of all of the items that we know of,” Medrano said. “And then making sure that we have some policies as well that have been drafted to make sure, what are the roles that each bureau or each portfolio plays when it comes down to the responsibilities for these devices as well.”
In the longer term, Medrano said the State Department is also focused on OT workforce development, as well as on being able to secure OT in a way that is more similar to how IT is treated today.
“The upskilling of the workforce, and then also, at least from the SOC perspective, how do I also use the same established capabilities — they may not all fit there, but at least not reinvent the wheel — so that then I can also push that into the OT scope as well,” he said.
Part of the challenge is that OT environments can’t be treated like IT from a cybersecurity perspective, as critical systems are difficult or impossible to take offline for testing and updates.
And at the Energy Department, agencies and labs run a range of unique OT systems that are especially difficult to test from a cybersecurity perspective, such as specialized programmable logic controllers.
To start addressing that problem, the Pacific Northwest National Laboratory several years ago developed an “OT cyber range.” Kwiatkowski said the range isn’t able to represent every type of OT system that DoE operates, but it is a critical starting point. The DoE OT center of excellence is now leveraging the PNNL range to introduce OT cybersecurity courses to practitioners across the department.
“So it’s not just getting a workbook out and attending a class or a Zoom meeting,” he said. “You go out and you experience in a safe, controlled manner, how to effectively fix or break. A lot of it is learning what not to do in an OT environment.”