DoE Publishes 5-Year Energy Security Plan

Energy, especially electricity, could be described as the most critical industry – all other critical industries are fundamentally dependent on access to energy.  It is essential for peoples’ daily lives (citizens), business operation (economy), and national security (the nation). As such, it is a primary target for criminals, hacktivists, and adversarial nation state actors. The office of Cybersecurity, Energy Security, and Emergency Response (CESER, part of the U.S. Department of Energy) has published a three-pronged 5-year security plan for the fiscal years 2026 to 2030. The three prongs (or goals of the plan) are to develop ‘world-class’ security technologies, to harden the US energy infrastructure, and establish emergency preparedness for response and recovery from incidents. The plan intends to conform to and implement the current White House administration’s National Energy Dominance Council established in February 2025, designed ultimately to achieve global energy dominance. The three prongs of the plan are intended to support CESER’s guiding principle: ‘to provide timely and actionable information to the energy sector’. The first goal is to develop ‘cutting edge’ technologies designed ‘to protect infrastructure, systems, and supply chains in real-time threat situations’. This involves three objectives: issue an RD&D roadmap with a quarterly progress review of approved projects; accelerate this to complete two new solutions for adoption by the private sector each year over the next five years; and to improve ROI on CESER technology investments through a formal requirement process. CESER is developing AI-FORTS to support this goal. It’s designed to protect against AI-enabled attacks, leverage AI to enhance supply chain testing tools, and to ’secure AI-based systems used to operate, control, or defend US energy systems’. The second goal is to harden the US energy infrastructure. This also has three primary objectives: to rank and harden critical energy infrastructure for national security sites within two years; to provide direction in the installation of cyber, physical and resilience upgrades also within two years; and to establish and implement an annual energy security training and exercise baseline. CESER’s Project Armor is a five year initiative to harden the US critical energy infrastructure, including strengthening energy systems ‘to prevent and recover from wildfires and other hazards’. The third goal involves response to and recovery from natural disasters, and physical or cyberattacks. If they occur, says the plan, “CESER intervenes to minimize disruptions and support reliable energy.” This goal has two primary objectives: to streamline preparedness and continuity of operations in alignment with EO 14239; and to standardize processes for issuing and obtaining approval of emergency orders and waivers. This is a good, solid plan on paper that will only be judged as it is actioned in practice. Time, as it does for so much in cybersecurity, will tell. Five years is, after all, a very long time in security. “Together, under the leadership of President Trump and US Secretary of Energy Christopher Wright, we can protect our critical energy infrastructure from security and operational threats – no matter how persistent, pernicious, or unpredictable. Please join me in pursuing the goals and objectives outlined for CESER in this plan during fiscal years 2026 to 2030,” announced Alexander Fitzsimmons, Director of CESER, introducing the plan. Related: Defense Contractor MORSE to Pay $4.6M to Settle Cybersecurity Failure Allegations Related: US Military Health Provider HNFS Pays $11M in Settlement Over Cybersecurity Failures Related: Georgia Tech Sued Over Alleged False Cybersecurity Reports to Win DoD Contracts Related: Bipartisan Bill Proposes Cybersecurity Funds for Rural Water Systems WRITTEN BY Kevin Townsend Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines. More from Kevin Townsend Iran Readied Cyberattack Capabilities for Response Prior to Epic Fury Hacker Conversations: Ben Harris, From Unintentional Young Hacker to Intentional Adult CEO The Collapse of Predictive Security in the Age of Machine-Speed Attacks Shadow AI Risk: How SaaS Apps Are Quietly Enabling Massive Breaches AI, APIs and DDoS Collide in New Era of Coordinated Cyberattacks CISO Conversations: Aimee Cardwell ‘BlackSanta’ Malware Activates EDR and AV Killer Before Detonating Payload Kevin Mandia’s Armadin Launches With $190 Million in Funding Latest News Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Poland Faced a Surge in Cyberattacks in 2025, Including a Major Assault on the Energy Sector RSAC 2026 Conference Announcements Summary (Day 1) Extortion Group Claims It Hacked AstraZeneca Chrome 146 Update Patches High-Severity Vulnerabilities Webinar Today: Putting CIS Controls and Benchmarks into Practice 3.1 Million Impacted by QualDerm Data Breach Iran Built a Vast Camera Network to Control Dissent. Israel Turned It Into a Targeting Tool Trending Webinar: Securing Fragile OT In An Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the Move Markwayne Mullin as DHS Secretary late Monday. 7AI has appointed Israel Barak as its first Chief Information Security Officer. Brian Harrell has been appointed Chief Security Officer at FirstEnergy. More People On The Move Expert Insights Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle With Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How To 10x Your Vulnerability Management Program In The Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose A Critical Flaw In Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat As Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) Flipboard Reddit Whatsapp Email