Energy Department reaches out to utilities with cybersecurity model

Kathleen Wolf Davis | Mar 20, 2013




There is an old joke, with an equally tired punchline, that the U.S. government never gets anything done and that every project takes forever. In the case of at least one cybersecurity model, the government has proven that joke wrong.

The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) has not been in the works for a decade. It has not been languishing in a subcommittee waiting for rescue or funding. In fact, it started barely a year ago, when the White House knocked on the door of the Department of Energy (DOE) and asked how we (as a government body, as an industry and as a group of concerned consumers) could begin to pinpoint what utilities are doing on cybersecurity and what they should be doing, now and in the future.


Thus was born the ES-C2M2, a public/private partnership that gives electric utilities and grid operators a way to assess their cybersecurity capabilities. It also lets utilities prioritize future actions and investments in cybersecurity through a series of steps: gradual assessments in individual practice areas that build to a complete picture.

The collaborative effort, which started in 2011, came to a head in May 2012 with the release of the first version of the model, just a few months after the White House initiated the model's development in January 2012.

The model, according to the DOE's Office of Electricity Delivery & Energy Reliability, "combines elements from existing cybersecurity efforts into a common tool that can be used consistently across the industry."

It also includes a cybersecurity self-evaluation survey tool, covering areas such as situational awareness and threat and vulnerability management, which gives a utility an internal option for starting the cybersecurity discussion.


The challenge from the White House was to develop capabilities to manage dynamic threats and to understand grid cybersecurity, Matthew Light, infrastructure systems analyst at the DOE, told the cybersecurity focus group at Grid-Interop 2012 in Irving, Texas, on December 4, 2012.

Objectives cited

The objectives for the model's development included strengthening cybersecurity capabilities, enabling consistent evaluation and benchmarking, sharing knowledge and benefits, and helping to prioritize actions and investments.


Additionally, Light noted, the utilities wanted to know where they stood relative to their peers, and the government needed an assessment on which to base discussions about federal resources.


The model has ten domains and four maturity indicator levels (MILs, numbered MIL0 through MIL3). Each domain is a logical grouping of cybersecurity practices. The domains are: risk management; asset, change and configuration management; identity and access management; threat and vulnerability management; situational awareness; information sharing and communications; event and incident response, continuity of operations; supply chain and external dependencies management; workforce management; and cybersecurity program management.

According to documentation about the model, "the practices within each domain are organized into objectives. The objectives represent achievements that support the domain." For example, the risk management domain has three objectives:

    Establish a cybersecurity risk management strategy,

    Manage cybersecurity risk, and

    Manage risk management activities.


Currently, over 77 utilities have downloaded the model's assessment tool. 

"That's pretty significant across the space: cooperative, international, IOU, public power and RTOs. Overall, we're getting some great adoption," Light said.


To date, the ES-C2M2 has had 17 pilot assessments in which the DOE went on-site with industry volunteers and walked through the model. The primary focus was on gathering feedback so the model could be adjusted to meet industry needs. That feedback is now driving changes for the next version of the model, including additional maturity indicator levels, performance metrics and measurement, and informative materials.

The ES-C2M2 effort is led by the DOE, in partnership with the Department of Homeland Security (DHS), Carnegie Mellon University and industry stakeholders. 


The ES-C2M2, designed specifically for the electricity industry, can be downloaded from the DOE's website or by contacting the DOE at ES-C2M2@hq.doe.gov.

"We want organizations to take the assessment tool, have the DOE come on-site or perform it on their own," Light noted. "The key pieces are analyzing the gaps. The organization has to keep in mind a risk profile, tolerance and priorities. Each organization will achieve a different maturity level based on their risk profile."
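As a worked illustration of how the domain and MIL structure described earlier turns into the gap analysis Light describes here, the following Python script was added for this article. It is not the DOE's assessment tool and quotes nothing from ES-C2M2. It assumes the four-point response scale used in C2M2-style self-evaluations (Fully, Largely, Partially or Not Implemented) and the cumulative MIL rule, under which a level is earned in a domain only when every practice at that level and at every lower level is fully or largely implemented; the miniature practice catalog, identifiers such as RM-1a, the responses and the target profile are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Response scale of a C2M2-style self-evaluation (assumed for this example):
# FI = Fully Implemented, LI = Largely Implemented,
# PI = Partially Implemented, NI = Not Implemented.
# Only FI and LI count toward earning a maturity indicator level (MIL).
COUNTS_TOWARD_MIL = {"FI", "LI"}
VALID_RESPONSES = {"FI", "LI", "PI", "NI"}


@dataclass(frozen=True)
class Practice:
    pid: str      # practice identifier (constructed, e.g. "RM-1a")
    domain: str   # domain abbreviation (constructed)
    mil: int      # 1, 2 or 3; MIL0 means MIL1 has not been earned
    text: str     # constructed stand-in, not a quotation from ES-C2M2


# Constructed miniature practice catalog for two of the model's ten domains.
PRACTICES: List[Practice] = [
    Practice("RM-1a", "RM", 1, "Cybersecurity risks are identified"),
    Practice("RM-1b", "RM", 1, "Identified risks are mitigated, accepted or transferred"),
    Practice("RM-2a", "RM", 2, "A documented cybersecurity risk management strategy exists"),
    Practice("RM-2b", "RM", 2, "Risk criteria are defined and used to prioritize risks"),
    Practice("RM-3a", "RM", 3, "Risk management activities are periodically reviewed"),
    Practice("IAM-1a", "IAM", 1, "Identities are provisioned before access is granted"),
    Practice("IAM-2a", "IAM", 2, "Access privileges are reviewed on a defined schedule"),
    Practice("IAM-3a", "IAM", 3, "Access requirements are adjusted to the organization's risk"),
]

# Constructed self-evaluation responses, keyed by practice identifier.
ASSESSMENT: Dict[str, str] = {
    "RM-1a": "FI", "RM-1b": "LI", "RM-2a": "FI", "RM-2b": "PI", "RM-3a": "FI",
    "IAM-1a": "FI", "IAM-2a": "NI", "IAM-3a": "FI",
}

# Target profile: the MIL each domain should reach, chosen from the utility's
# risk profile, tolerance and priorities (constructed values).
TARGETS: Dict[str, int] = {"RM": 2, "IAM": 3}


def achieved_mil(domain: str, responses: Dict[str, str],
                 practices: List[Practice] = PRACTICES) -> int:
    """Return the MIL earned in `domain`.

    MILs are cumulative: level N is earned only if every practice at level N
    and at every lower level is FI or LI. A missing response counts as NI.
    """
    by_mil: Dict[int, List[Practice]] = {}
    for p in practices:
        if p.domain == domain:
            by_mil.setdefault(p.mil, []).append(p)
    earned = 0
    for mil in sorted(by_mil):
        answers = [responses.get(p.pid, "NI") for p in by_mil[mil]]
        bad = [a for a in answers if a not in VALID_RESPONSES]
        if bad:
            raise ValueError(f"invalid response(s) in {domain} MIL{mil}: {bad}")
        if all(a in COUNTS_TOWARD_MIL for a in answers):
            earned = mil
        else:
            break  # a shortfall at this level blocks every higher level
    return earned


def gaps(domain: str, target_mil: int, responses: Dict[str, str],
         practices: List[Practice] = PRACTICES) -> List[str]:
    """Practice ids at or below the target MIL that are not yet FI/LI."""
    return [p.pid for p in practices
            if p.domain == domain and p.mil <= target_mil
            and responses.get(p.pid, "NI") not in COUNTS_TOWARD_MIL]


def gap_report(responses: Dict[str, str] = ASSESSMENT,
               targets: Dict[str, int] = TARGETS) -> Dict[str, dict]:
    """Per-domain achieved MIL, target MIL and the practices closing the gap."""
    return {
        d: {"achieved": achieved_mil(d, responses),
            "target": t,
            "gaps": gaps(d, t, responses)}
        for d, t in sorted(targets.items())
    }


if __name__ == "__main__":
    for domain, r in gap_report().items():
        print(f"{domain}: MIL{r['achieved']} achieved, MIL{r['target']} target, "
              f"gaps: {', '.join(r['gaps']) or 'none'}")
```

The point the output makes is the cumulative rule: a single partially implemented MIL2 practice (RM-2b) holds the constructed risk management domain at MIL1 even though its MIL3 practice is in place, and the identity and access management domain likewise stalls at MIL1 on one unreviewed practice. Listing gaps at or below the target, ordered by MIL, is what tells a utility which practices to fund first.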


This story appeared first in Intelligent Utility Magazine.

Energy Central

Copyright © 1996-2013 by CyberTech, Inc. All rights reserved.
