There’s an old joke with an equally archaic punchline
that quips about the U.S. government never getting a
thing done, how every project takes forever. At least in
the case of a cybersecurity model, the U.S. government
has definitely proven that joke completely and utterly
wrong.
The Electricity Subsector Cybersecurity Capability
Maturity Model (ES-C2M2) hasn't been in the works for a
decade. It hasn't been languishing in a subcommittee
waiting for rescue or funding. In fact, it all started
just a scant year ago when the White House knocked on
the door of the Department of Energy (DOE) and asked how
we (as a government body, as an industry entity and
as a group of concerned consumers) start to pinpoint
what utilities are doing on cybersecurity and what they
should be doing, both now and in the future.
Thus was born the ES-C2M2, a public/private partnership
allowing electric utilities and grid operators to assess
their cybersecurity capabilities. It also allows
utilities to prioritize future actions and investments
in the cybersecurity arena through a series of
steps: gradual assessments in platform areas that build
to a complete picture.
The collaborative effort that started in 2011 came to a
head in May 2012 with the release of the first version
of the model (just a few months after it was initiated in
January of this year).
The model, according to the
DOE's Office of Electricity Delivery & Energy
Reliability, "combines elements from existing
cybersecurity efforts into a common tool that can be
used consistently across the industry."
It also includes a cybersecurity self-evaluation survey
tool, which covers situational awareness, along with
threat and vulnerability management, to give a utility
an internal option for the cybersecurity discussion.
The challenge from the White House was to develop
capabilities to manage dynamic threats and understand
grid cybersecurity, Matthew Light, infrastructure
systems analyst at the DOE, told insiders at the
cybersecurity focus group during Grid-Interop 2012 in
Irving, Texas, on December 4, 2012.
Objectives cited
The objectives for the model development included the
desire to strengthen cybersecurity capabilities, along
with the need to enable consistent evaluation and
benchmarking, share knowledge and benefits, and help
prioritize actions and investments.
Additionally, Light noted, the utilities wanted to know
where they were relative to their peers, and the
government needed an assessment to discuss options for
federal resources.
The model has ten domains and four maturity indicator
levels (MILs). The domains are logical groupings of
cybersecurity practices, including: risk management;
asset, change and configuration management; identity and
access management; threat and vulnerability management;
situational awareness; information sharing and
communications; event and incident response, continuity
of operations; supply chain and external dependencies
management; workforce management; and cybersecurity
program management.
According to documentation about the model, "the
practices within each domain are organized into
objectives. The objectives represent achievements that
support the domain." For example, the risk management
domain has three objectives:
Establish a cybersecurity risk management strategy,
Manage cybersecurity risk, and
Manage risk management activities.
Currently, over 77 utilities have downloaded the model's
assessment tool.
"That's pretty significant across the space: cooperative,
international, IOU, public power and RTOs. Overall,
we're getting some great adoption," Light said.
To date, the ES-C2M2 has had 17 pilot assessments in which
the DOE went on-site with industry volunteers and walked
through the model. The primary focus was on gathering
feedback so the model could be adjusted to meet industry needs.
Currently, that feedback is leading to new changes in
the next version of the model, including additional
maturity indicator levels, performance metrics and
measurement, and informative materials.
The ES-C2M2 effort is led by the DOE, in partnership
with the Department of Homeland Security (DHS), Carnegie
Mellon University and industry stakeholders.
The ES-C2M2, designed specifically for the electricity
industry, can be downloaded from the DOE's website or by
contacting the DOE at ES-C2M2@hq.doe.gov.
"We want organizations to take the assessment tool, have
the DOE come on-site or perform it on their own," Light
noted. "The key pieces are analyzing the gaps. The
organization has to keep in mind a risk profile,
tolerance and priorities. Each organization will
achieve a different maturity level based on their risk
profile."
This story appeared first in
Intelligent Utility Magazine.
Copyright © 1996-2013 by CyberTech, Inc.
All rights reserved.
http://www.energybiz.com/article/13/03/energy-department-reaches-out-utilities-cybersecurity-model&utm_medium=eNL&utm_campaign=EB_DAILY&utm_term=Original-Member