CyTRICS partners across stakeholders to identify high priority operational technology (OT) components, perform expert testing, share information about vulnerabilities in the digital supply chain, and inform improvements in component design and manufacturing. CyTRICS leverages best-in-class test facilities and analytic capabilities at six DOE National Laboratories and strategic partnerships with key stakeholders including technology developers, manufacturers, asset owners and operators, and interagency partners.
CyTRICS Program Supports:
Prioritization Methodology
An approach to prioritizing OT components for testing that incorporates key factors including operational impact, prevalence, and national security interest. This approach provides a strategic, transparent rationale for testing components that optimizes security impact.
Standardized Testing Process
DOE has developed and refined a standardized approach to enumerating and vulnerability testing firmware and software subcomponents. Standardization ensures consistency, repeatability, and comparability of results, to scale up testing and automation across Labs and partners.
Standardized Reporting and Repository
CyTRICS captures testing results in a standard, bill of materials format that captures granular “digital ingredients” to the subcomponent level, to rapidly identify embedded high-risk components and subcomponents. The program features a central repository of testing results for comprehensive, sector-wide analysis of systemic risks and vulnerabilities.
Vendor Agreements
CyTRICS partners with top manufacturers and utilities in the sector to sign participation Agreements to frame mutual cooperation prior to conducting testing. The standard agreement establishes types of software and firmware testing to be performed, timely disclosure of vulnerabilities identified during testing, and coordinated disclosure of vulnerability information with impacted asset owners, federal agencies, and energy sector stakeholder.
CyTRICS leverages strategic partnerships that enable DOE to evaluate software and firmware in energy sector equipment. These partners work with the CyTRICS team to identify and mitigate cybersecurity vulnerabilities in the supply chain. This work is helping to ensure the integrity and reliability of critical system components nationwide.
Learm more about how DOE's CyTRICS Program is engaging in public-private partnerships to identify and mitigate cybersecurity vulnerabilities in the supply chain, helping to ensure the integrity and reliability of critical system components nationwide.
Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) addresses the emerging threats of tomorrow while protecting the reliable flow of energy to Americans today by improving energy infrastructure security and supporting the Department of Energy’s national security mission. CESER’s focus is preparedness and response activities to natural and man-made threats, while ensuring a stronger, more prosperous, and secure future for the nation.
Incorporating context for better threat detection
Testing cyber resilience of energy technologies
Elite training for energy sector front-line managers
Partnering with energy sector entities to identify and defend critical control systems
Exploring a proof of concept for the energy community
