
Dept. of Energy Announces Cybersecurity Pipedream

They call it a five-year plan, but if there is anything we learned from CMMC, it is that companies got serious when they realized that they would not get any new contracts or revenue. For the five years before that, most companies did nothing. Even now, with actual CMMC requirements in new RFPs, only a thousand out of 200,000 defense contractors are certified. Some number more have done an internal assessment, which would likely turn into a failure when they have to pass the soon-to-be-mandatory third party assessment.

So here is the DoE’s pipedream.

  1. Develop (currently non-existent) advanced cybersecurity technologies tailored to energy systems. Do they have a plan to fund this R&D in the midst of the administration’s massive cost cutting? There is no evidence of that. Perhaps they would like electric utilities to raise consumer prices to pay for it.
  2. Hardening infrastructure against both cyber and physical threats. So, they plan on hardening technology that was designed say 20 or 30 years ago and implemented, say, 15-20 years ago, against threats they never even dreamed of. Okay, good.
  3. Improving the speed and effectiveness of incident response and recovery.

They plan to do this all without new laws or regulations.

The DoE’s Office of Cybersecurity, Energy Security and Emergency Response’s budget request for 2026 was $150 million, down from $200 million last year. How, exactly, will this plan be funded? And they have fired between 1,000 and 2,000 employees (out of a current staff of 16,000 throughout DoE). They also have about 93,000 contractors working for the DoE OVERALL at various national labs like Oak Ridge, Idaho National Labs and Lawrence Livermore. It is certainly possible that they could redirect those scientists from things like protecting our nuclear weapons stockpile to protecting the IT infrastructure of private energy companies, but it is not clear whether those companies are willing to accept government intrusion into their business or whether that would even be legal. I am sure that all of them would be willing to stop their life’s research to help the DoE figure out how to protect a 30 year old electric plant from Iranian hackers.

Apparently, they were hoping that CISA would rescue them, even though CISA has lost about a third of its staff.

Of course, this office inside DoE does have 66 employees. There are about 12,000 power plants in the US. 12,000/66 = 181 per employee, assuming they do NOTHING else.

I am sure this will work out well. They do plan to use [move fast and break things] AI to solve the problem.

Do you have a generator? You might need one. Credit: Data Breach Today

