The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has released its first five-year strategic plan, following the broader national cybersecurity strategy. It’s coming at a time when the energy cybersecurity landscape is changing quickly, in some cases faster than operators can realistically keep up.
There’s been a steady increase in attention on critical infrastructure over the past year, especially as nation-state activity has become more visible. Ongoing geopolitical conflicts, including tensions in the Middle East, have only heightened concern about how cyber activity could be used as an asymmetric lever against U.S. critical infrastructure. This plan is another signal that energy security is being taken seriously at the federal level. But what matters more than what’s written in the plan is how closely it lines up with what operators are actually dealing with day to day.
Infrastructure operators are working within complex, constrained environments, even as their threat landscape is shifting rapidly due to geopolitical pressure as well as the growing use of automation and AI by attackers. In many cases, the pace of adversaries is outstripping both operational capacity and the ability of policy to keep up.
CESER sits fairly close to the operational side of this problem, which makes this plan more relevant than a typical high-level policy document. It's meant to help guide coordination and priorities across a sector where most of the infrastructure is privately owned but nationally critical.
What the CESER plan focuses on
The CESER plan lays out three overarching priorities: developing world-class security technologies, hardening critical infrastructure, and improving coordination and response across the sector. This includes an increased focus on advanced technologies, such as automation and data-driven approaches, to improve detection and response.
These priorities align with many of the challenges already being discussed across the energy sector. At the same time, they raise a broader question: How well do these priorities translate into the day-to-day reality that operators are managing?
Impacts of a strategic plan
Plans like this are useful for aligning people, driving conversations, and broadening perspectives within busy operational settings.
They can help organizations focus attention, reinforce urgency, and prioritize investments. In a space like energy, where there are a lot of stakeholders and competing priorities, alignment is especially important.
At the same time, these plans don’t change how environments operate overnight. Their real impact depends on how well messages are articulated and received, through all layers of a complex organization.
What energy operators are up against
Energy environments don’t look like traditional enterprise IT.
They include a mix of IT and OT systems, along with a large number of devices that are difficult to manage or secure using standard approaches. Sometimes, those devices can’t support endpoint controls, which makes them attractive targets for attackers looking for initial access or persistence. That unusual characteristic becomes more significant as attackers use automation and AI to move faster.
Energy environments are challenging because they often include:
- IT and OT systems operating together
- unmanaged or hard-to-secure devices
- distributed infrastructure across regions
On top of that, these environments often feature several generations of technology side by side, because equipment upgrades are expensive and infrequent. Getting a clear picture of what’s happening across this kind of network isn't straightforward, even for well-resourced teams.
This is just the reality of operating energy sector infrastructure at scale.
Where things may start to break down
There’s a noticeable gap between how cybersecurity is described at the policy level and how it’s experienced by operators.
Policy tends to focus on frameworks, alignment, and standardization. It has to. That’s the only way to make it broadly applicable.
However, operators are dealing with something very different. Alert volumes, staffing challenges, budget constraints, and the basic complexity of keeping systems running all shape how security decisions are actually made. As a former network operator in the DOE environment, I know that policy documents are not always the highest priority for a busy team in fire-fighting mode! But the situation we now find ourselves in is unprecedented. The combination of rising geopolitical tensions and attacker automation will soon put enormous pressure on teams to align strategy across their organizations and, more broadly, across defensive communities.
The pace problem in energy cybersecurity
One aspect of this shift that everyone in the SOC is likely to feel soon, especially given Mythos-class models, is acceleration.
Teams will soon be expected to respond, investigate, patch, and make decisions faster—often without a corresponding increase in resources. And human-scale processes will be overwhelmed very quickly by machine-speed adversaries. Some organizations are already feeling that strain. Others will get there soon.
Closing that gap will require more than incremental improvements. It will require the ability to operate at machine speed, particularly in detection, triage, and response. That includes using AI comprehensively; not just to manage volume, but to maintain accuracy as decisions are made faster, with humans ‘on’ or even outside the loop.
Coordination across IT and OT environments
A lot of the conversation around cybersecurity still focuses on tools.
But in these environments, outcomes often come down to how well different teams work together. Security, networking, and OT teams all have a role to play in defense, and they don’t always operate in sync.
When those groups are aligned, responses tend to be more effective. When they're not, progress slows down, and the gaps between teams become barriers to response.
That’s been our consistent experience in real-world incidents and in simulated environments designed to war-game complex incident response scenarios.
As response timelines shrink, the cost of misalignment will increase.
The role of data in energy cybersecurity
As you may have noticed, the security industry is placing enormous focus on AI for automation, detection, analysis, and other use cases. What receives less attention is the critical role that high-quality data plays in any AI workflow.
Our internal tests show that frontier models do a much better job at answering security questions than they did six months ago, and hallucination rates have declined significantly. However, a model's performance is fundamentally limited by the quality of source data it has access to: garbage in, garbage out.
This limit becomes even more important as organizations begin to rely on AI-driven workflows. Machine-speed response can only be effective if it is grounded in high-quality, trustworthy data. As AI takes on a larger role in decision-making, confidence in that data becomes critical. Without consistent accuracy, automation introduces risk rather than reducing it.
This isn’t a new idea, but data quality hasn't been a central part of the AI conversation. That must change as more teams start to rely on automation in their workflows.
Where this leaves energy cybersecurity
The CESER strategic plan is an important step in elevating the conversation around energy cybersecurity and driving industry-wide discussion and alignment. Although it was written before the disclosure of Mythos, its general principles—especially hardening infrastructure and improving coordination—remain sound.
Whether the plan makes a meaningful difference in practice will come down to how well its urgency is articulated to operators with a lot on their minds, and how well its goals are translated into projects and priorities that prepare energy infrastructure providers for a period of disorienting change.
The era of machine-speed offense is upon us, and energy infrastructure is a particularly challenging territory to defend. We’ll need to work together, use the best available data, and embrace AI for defensive purposes if we hope to rise to a generational challenge.
For more on how high-quality network data supports detection and response in energy environments, visit https://corelight.com/solutions/industry/energy.