Supply Chain Cybersecurity Principles
In light of the growing cyber threats that challenge energy systems in the U.S. and around the globe, the Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) is taking a major step forward to strengthen the cybersecurity of the critical operational equipment that makes up our energy systems.
The Supply Chain Cybersecurity Principles, developed by CESER in collaboration with Idaho National Laboratory and industry partners, characterize the foundational actions and approaches needed to deliver strong cybersecurity throughout the vast global energy sector supply chains. The principles aim to create an enduring framework to drive best practices today, while informing international coordination to advance those practices into the future.
Created for both suppliers and end users, the principles will help prioritize security and resilience within the sector and provide concise guidance that the energy industry can use to validate cybersecurity decisions. They cover primary cybersecurity concepts and objectives, including:
- Impact-driven risk management
- Framework-informed defenses
- Cybersecurity fundamentals
- Secure development and implementation
- Transparency and trust building
- Implementation guidance
- Lifecycle support and maintenance
- Proactive vulnerability management
- Proactive incident response
- Business and operational resilience
A Collaborative Approach to Cybersecurity
Security is a shared responsibility along complex supply chains. Energy technology vendors may source subcomponents from hundreds of different manufacturers for a single piece of equipment; that technology may in turn be purchased by another vendor and integrated into an additional system before it reaches the end user.
The principles help to identify the roles and responsibilities of suppliers and end users in meeting shared security objectives. Without duplicating other guidance, they offer a north star for cybersecurity decisions when evaluating prospective initiatives and activities.
Energy systems across the globe are becoming more digitized as they integrate new sources of clean energy and pathways for communications. A global approach to supply chain cybersecurity is imperative to help secure equipment and technologies before they are exploited by cyber actors seeking to destroy or disrupt critical infrastructure. Read a statement from the National Security Advisor about the global effort to support supply chain cybersecurity.
Support the Principles
If you are an industrial control systems (ICS) supplier or end user interested in publicly supporting the Supply Chain Cybersecurity Principles, please contact us at [email protected].
Join the energy companies that have already expressed support for the principles:
- GE Vernova
- Hitachi Energy
- Honeywell
- Schneider Electric
- Schweitzer Engineering
- Rockwell Automation
- Siemens
- Siemens Energy
- Westinghouse Electric