The United States demonstrated leadership in developing the Supply Chain Cybersecurity Principles released in June with support from industry and international partners.
Office of Cybersecurity, Energy Security, and Emergency Response
October 1, 2024
White House and DOE Leaders Host Panel on Supply Chain Cybersecurity
WASHINGTON, D.C. – Today White House Deputy National Security Advisor Anne Neuberger and Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response (CESER) Director Puesh M. Kumar discussed the importance of the Supply Chain Cybersecurity Principles with critical infrastructure equipment manufacturer executives on the margins of the International Counter Ransomware Initiative (CRI) Gathering.
The session, titled Visualizing Organizational Influence on Regional Energy Infrastructure: Addressing a Vital Gap for Cyber Supply Chain Risk Management, provided an opportunity for the United States to demonstrate leadership in developing the Supply Chain Cybersecurity Principles to the CRI participants who represent 68 countries from around the globe. These principles were released in June with support from industry partners, while inviting international participation in coordinated efforts to advance the principles throughout the global supply chain.
The discussion included executives from industrial control systems suppliers who are committed to partnering with the U.S. government to strengthen the cybersecurity of hardware and software in critical infrastructure used in the energy sector. The manufacturers in attendance were GE Vernova, Hitachi Energy, Honeywell, Rockwell Automation, Schneider Electric, Siemens, Siemens Energy, and Westinghouse Electric Company.
“DOE is committed to strengthening the cybersecurity of energy infrastructure through robust partnerships with leading manufacturers,” said Puesh M. Kumar, Director of CESER. “The CRI gathering in Washington, D.C. gave us an opportunity to demonstrate how public-private partnerships are critical to advancing cybersecurity to over 68 countries from around the world.”
Supply Chain Cybersecurity Principles
In light of the growing cyber threats that challenge energy systems in the U.S. and around the globe, CESER is taking a major step forward to strengthen the cybersecurity of the critical operational equipment that makes up our energy systems.
The Supply Chain Cybersecurity Principles, developed by CESER in collaboration with Idaho National Laboratory and industry partners, characterize the foundational actions and approaches needed to deliver strong cybersecurity throughout the vast global energy sector supply chains. The principles aim to create an enduring framework to drive best practices today, while informing international coordination to advance those practices into the future.
Created for both suppliers and end users, the principles will help prioritize security and resilience within the sector and provide concise guidance that the energy industry can use to validate cybersecurity decisions. They cover primary cybersecurity concepts and objectives, including:
- Impact-driven risk management
- Framework-informed defenses
- Cybersecurity fundamentals
- Secure development and implementation
- Transparency and trust building
- Implementation guidance
- Lifecycle support and maintenance
- Proactive vulnerability management
- Proactive incident response
- Business and operational resilience
If you are a critical infrastructure equipment manufacturer, end user, or an international partner interested in publicly supporting the Supply Chain Cybersecurity Principles, please contact us at [email protected].
CRI Country Members
The 68 members of the International Counter Ransomware Initiative (CRI)—Albania, Argentina, Australia, Austria, Bahrain, Belgium, Brazil, Bulgaria, Cameroon, Canada, Chad, Colombia, Costa Rica, the Council of Europe, Croatia, the Czech Republic, Denmark, the Dominican Republic, the ECOWAS Commission, Egypt, Estonia, the European Union, Finland, France, Germany, Greece, the Global Forum on Cyber Expertise, Hungary, India, INTERPOL, Ireland, Israel, Italy, Japan, Jordan, Kenya, Lithuania, Mexico, Morocco, the Netherlands, New Zealand, Nigeria, Norway, the Organization of American States, Papua New Guinea, the Philippines, Poland, Portugal, the Republic of Korea, the Republic of Moldova, Romania, Rwanda, Sierra Leone, Singapore, Slovakia, Slovenia, South Africa, Spain, Sri Lanka, Sweden, Switzerland, Ukraine, the United Arab Emirates, the United Kingdom, the United States, Uruguay, Vanuatu, and Vietnam—met in Washington, D.C. from Sept. 30 – Oct. 3, 2024 for the Fourth CRI Gathering.
Previously participating members welcomed Argentina, Bahrain, Cameroon, Chad, the Council of Europe, Denmark, the ECOWAS Commission, Finland, the Global Forum on Cyber Expertise, Hungary, Morocco, the Organization of American States, the Philippines, the Republic of Moldova, Slovenia, Sri Lanka, Vanuatu, and Vietnam as new CRI members.