The DOE reaches out to utilities with cybersecurity model
There’s an old joke with an equally archaic punchline that quips about the U.S. government never getting a thing done, how every project takes forever. At least in the case of a cybersecurity model, the U.S. government has definitely proven that joke completely and utterly wrong.
The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) hasn’t been in the works for a decade. It hasn’t been languishing in a subcommittee waiting for rescue or funding. In fact, it all started just a scant year ago when the White House knocked on the door of the Department of Energy (DOE) and asked how we (as a government body and as an industry entity and as a group of concerned consumers) start to pinpoint what utilities are doing on cybersecurity and what they should be doing, a now-and-the-future scenario.
Thus was born the ES-C2M2, a public/private partnership allowing electric utilities and grid operators to assess their cybersecurity capabilities. It also allows utilities to prioritize future actions and investments in thecybersecurity arena with a series of steps—gradual assessments in platform areas that build to a complete picture.
The collaborative effort that started in 2011 came to a head in May 2012 with the release of the first version of the model (just a few months after first initiated in January of this year).The model, according to the DOE’s Office of Electricity Delivery & Energy Reliability, “combines elements from existing cybersecurity efforts into a common tool that can be used consistently across the industry.”It also includes a cybersecurity self-evaluation survey tool, which discusses situational awareness, along with threat and vulnerability management, to allow a utility an internal option for the cybersecurity discussion.
The challenge from the White House was to develop capabilities to manage dynamic threats and understand grid cybersecurity, Matthew Light, infrastructure systems analyst at the DOE toldinsiders at the cybersecurity focus group during Grid-Interop 2012 in Irving, Texas, December 4, 2012.
The objectives for the model development included the desire to strengthen cybersecurity capabilities, along with the need to enable consistent evaluation and benchmarking, share knowledge and benefits, and help prioritize actions and investments.
Additionally, Light noted, the utilities wanted to know where they were relative to their peers, and the government needed an assessment to discuss options for federal resources.
The model has ten domains and four maturity indicator levels (MILs). The domains include logical groupings of cybersecurity practices, including: risk management; asset, change and configuration management; identity and access management; threat and vulnerability management; situational awareness;information sharing and communications;event and incident response, continuity of operations;supply chain and external dependencies management; workforce management; andcybersecurity program management.
According to documentation about the model, “the practices within each domain are organized into objectives. The objectives represent achievements that support the domain.” For example, the risk management domain has three objectives:
* Establish a cybersecurity risk management strategy,
* Manage cybersecurity risk, and
* Manage risk management activities.
Currently, over 77 utilities have downloaded the model’s assessment tool.
“That’s pretty significant across the space—cooperative, international, IOU, public power and RTOs. Overall, we’re getting some great adoption,” Light said.
To date, the ES-C2M2 has had17 pilot assessments where the DOE went onsite with industry volunteers and walked through the model. They wanted to adjust the model to meet industry needs with a primary focus on feedback. Currently, that feedback is leading to new changes to the next version of the model, including additional maturity indicator levels, performance metrics and measurement, and informative materials.
The ES-C2M2 effortis led by the DOE, in partnership with the Department of Homeland Security (DHS), Carnegie Mellon University and industry stakeholders.
The ES-C2M2, designed specifically for the electricity industry, can be downloaded from the DOE’s website or by contacting the DOE at ES-C2M2@hq.doe.gov.
“We want organizations to take the assessment tool, have the DOE come onsite or preform it on their own,” Light noted. “The key pieces are analyzing the gaps. The organization has to keep in mind a risk profile, tolerance and priorities. Each organization will achieve a different maturity level based on their risk profile.”