The Department of Energy’s Electricity Subsector Cybersecurity Capability Maturity Model will help utilities assess their own level of cybersecurity readiness.
A first-of-its-kind self-evaluation model and survey will provide utilities with a way to benchmark and measure their cybersecurity readiness.
Announced by U.S. Energy Secretary Steven Chu, the Electricity Subsector Cybersecurity Capability Maturity Model, or ES-C2M2, and its evaluation survey will help utilities assess their own level of cybersecurity.
Available online, the model provides a common language and point of reference for utilities to understand, describe, and share information anonymously about cybersecurity practices. The accompanying survey asks a series of questions derived from the model; the answers can help utilities and grid operators identify gaps and prioritize actions and future investments to make their systems more secure. Utilities can request the survey tool by contacting the U.S. Department of Energy (DOE). DOE also is offering facilitated self-evaluations on request.
“Secure delivery of electricity is vital to our nation, and utilities play a vital role in ensuring that the power system is protected from cyber-attack,” said Carl Imhoff, electricity infrastructure sector manager at the DOE’s Pacific Northwest National Laboratory (PNNL). “By taking the survey, utilities of all types can gain additional insight into their respective level of cybersecurity. They can prioritize future investments in order to make their systems more secure,” he said.
Spearheaded by the White House, DOE, and a host of partners, including the Department of Homeland Security, Carnegie Mellon University’s Software Engineering Institute, PNNL, and others, the three-year ES-C2M2 initiative began in January 2012 with the goal of helping utilities develop a process and common model by which they can evaluate and understand their readiness to prepare for a host of cybersecurity issues. The PNNL team provided an advisory and developmental role in the ES-C2M2 effort.
The initiative team asked more than a dozen utilities involved in the pilot partnership to voluntarily test the model and survey, and to evaluate the current state of maturity of the various pieces of their business on a maturity level indicator of zero to three, three being most mature. The investor-owned, cooperative, and municipal utilities rated themselves in the areas of assets (hardware and software), threats, access control, situational awareness, information sharing abilities, emergency response, supply chain, workforce management, and cybersecurity program management. Based upon their findings, utilities can then prioritize next steps and investments in their own security.
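The paragraph above describes the shape of the self-evaluation (a zero-to-three maturity indicator per domain, followed by gap identification and prioritization) but not how a domain's indicator is derived from individual answers. The following is an added example, not code from the DOE, PNNL or the ES-C2M2 program: it computes a per-domain maturity indicator from per-practice responses and ranks the gaps against a target level. The domain names are the ones the article lists; the practice questions, the four-valued response scale, the sample answers and the target levels are constructed, and the rule that a level is only achieved when its practices and every lower level's practices are fully implemented (so a single shortfall at level 1 caps a domain at 0) is an assumption made here to illustrate why a maturity indicator should not be computed as an average.

```python
"""Gap analysis for a maturity-model self-evaluation.

Added example, not the ES-C2M2 survey tool. Domain names follow the article;
all questions, responses, targets and the scoring rule are constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MIL_MIN, MIL_MAX = 0, 3                       # article: indicator runs from zero to three
RESPONSES = ("fully", "largely", "partially", "not")   # constructed response scale


@dataclass
class Domain:
    name: str
    # practices[level] -> responses for each practice that defines that level
    practices: Dict[int, List[str]] = field(default_factory=dict)


def _check(domain: Domain) -> None:
    """Reject malformed input early so a typo does not silently count as 'not'."""
    for level, answers in domain.practices.items():
        if not MIL_MIN < level <= MIL_MAX:
            raise ValueError(f"{domain.name}: level {level} outside {MIL_MIN + 1}..{MIL_MAX}")
        bad = [a for a in answers if a not in RESPONSES]
        if bad:
            raise ValueError(f"{domain.name}: unknown responses {bad}")


def domain_mil(domain: Domain) -> int:
    """Highest level whose practices, and all lower levels' practices, are fully implemented.

    Assumption (not stated in the article): levels are cumulative, so the walk
    stops at the first level with any practice that is not 'fully' implemented.
    """
    _check(domain)
    achieved = MIL_MIN
    for level in range(MIL_MIN + 1, MIL_MAX + 1):
        answers = domain.practices.get(level, [])
        if not answers or any(a != "fully" for a in answers):
            break
        achieved = level
    return achieved


def gap_report(domains: List[Domain], target: Dict[str, int]) -> List[Tuple[str, int, int, int]]:
    """Return (domain, current level, target level, shortfall), largest shortfall first."""
    rows = []
    for d in domains:
        current = domain_mil(d)
        goal = target[d.name]
        rows.append((d.name, current, goal, max(0, goal - current)))
    rows.sort(key=lambda r: (-r[3], r[0]))    # biggest gap first, then alphabetical
    return rows


# Constructed sample: four of the article's domains with made-up practice answers.
SAMPLE_DOMAINS = [
    Domain("Access Control", {1: ["fully", "fully"], 2: ["fully", "partially"], 3: ["not"]}),
    Domain("Situational Awareness", {1: ["fully"], 2: ["fully", "fully"], 3: ["largely"]}),
    Domain("Supply Chain", {1: ["partially", "fully"], 2: ["not"], 3: ["not"]}),
    Domain("Emergency Response", {1: ["fully"], 2: ["fully"], 3: ["fully"]}),
]
# Constructed target levels a utility might set for itself.
SAMPLE_TARGET = {
    "Access Control": 2,
    "Situational Awareness": 2,
    "Supply Chain": 2,
    "Emergency Response": 3,
}

if __name__ == "__main__":
    for name, current, goal, gap in gap_report(SAMPLE_DOMAINS, SAMPLE_TARGET):
        print(f"{name:<24} current={current} target={goal} shortfall={gap}")
```

Note that "Supply Chain" has one level-1 practice fully implemented and still scores 0 under the cumulative rule, which is exactly the kind of gap an averaged score would hide; the report therefore puts it at the top of the prioritization list.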
For more than a decade, PNNL’s Electricity Infrastructure research team has been working to advance the reliability and security of the nation’s power system. The team has developed advanced algorithms, modeling capabilities and devices in its Electricity Infrastructure Operations Center that allow insight into the system in real time, like never before. PNNL also developed the Secure Serial Communications Protocol, referenced in today’s DOE announcement, which was subsequently integrated by Schweitzer Engineering Laboratories into a cryptographic card and link module. It allows asset owners to secure communications between remote devices and control centers and to ensure that information comes from a trusted source and has not been altered in transit.
Understanding cybersecurity
The electricity industry increasingly relies on digital information about the power system to reduce costs, increase efficiency, and maintain reliability during the generation, transmission, and distribution of electricity. An advanced power system, or smart grid, uses digital information flow, through advanced communications infrastructure, to inform producers and consumers of electricity how to operate more efficiently in order to meet growing demand for power and incorporate new sources of electricity.
“That flow of information in our power system must remain safe, private, secure, resilient and reliable—it must be cyber-secure,” said Imhoff.