Energy, especially electricity, could be described as the most critical industry – all other critical industries are fundamentally dependent on access to energy.
It is essential for peoples’ daily lives (citizens), business operation (economy), and national security (the nation). As such, it is a primary target for criminals, hacktivists, and adversarial nation state actors.
The office of Cybersecurity, Energy Security, and Emergency Response (CESER, part of the U.S. Department of Energy) has published a three-pronged 5-year security plan for the fiscal years 2026 to 2030. The three prongs (or goals of the plan) are to develop ‘world-class’ security technologies, to harden the US energy infrastructure, and establish emergency preparedness for response and recovery from incidents.
The plan intends to conform to and implement the current White House administration’s National Energy Dominance Council established in February 2025, designed ultimately to achieve global energy dominance.
The three prongs of the plan are intended to support CESER’s guiding principle: ‘to provide timely and actionable information to the energy sector’.
The first goal is to develop ‘cutting edge’ technologies designed ‘to protect infrastructure, systems, and supply chains in real-time threat situations’. This involves three objectives: issue an RD&D roadmap with a quarterly progress review of approved projects; accelerate this to complete two new solutions for adoption by the private sector each year over the next five years; and to improve ROI on CESER technology investments through a formal requirement process.
CESER is developing AI-FORTS to support this goal. It’s designed to protect against AI-enabled attacks, leverage AI to enhance supply chain testing tools, and to ’secure AI-based systems used to operate, control, or defend US energy systems’.
The second goal is to harden the US energy infrastructure. This also has three primary objectives: to rank and harden critical energy infrastructure for national security sites within two years; to provide direction in the installation of cyber, physical and resilience upgrades also within two years; and to establish and implement an annual energy security training and exercise baseline.
CESER’s Project Armor is a five year initiative to harden the US critical energy infrastructure, including strengthening energy systems ‘to prevent and recover from wildfires and other hazards’.
The third goal involves response to and recovery from natural disasters, and physical or cyberattacks. If they occur, says the plan, “CESER intervenes to minimize disruptions and support reliable energy.” This goal has two primary objectives: to streamline preparedness and continuity of operations in alignment with EO 14239; and to standardize processes for issuing and obtaining approval of emergency orders and waivers.
This is a good, solid plan on paper that will only be judged as it is actioned in practice. Time, as it does for so much in cybersecurity, will tell. Five years is, after all, a very long time in security.
“Together, under the leadership of President Trump and US Secretary of Energy Christopher Wright, we can protect our critical energy infrastructure from security and operational threats – no matter how persistent, pernicious, or unpredictable. Please join me in pursuing the goals and objectives outlined for CESER in this plan during fiscal years 2026 to 2030,” announced Alexander Fitzsimmons, Director of CESER, introducing the plan.
Related: Defense Contractor MORSE to Pay $4.6M to Settle Cybersecurity Failure Allegations
Related: US Military Health Provider HNFS Pays $11M in Settlement Over Cybersecurity Failures
Related: Georgia Tech Sued Over Alleged False Cybersecurity Reports to Win DoD Contracts
Related: Bipartisan Bill Proposes Cybersecurity Funds for Rural Water Systems
