Intelligent Utility Jan-Feb 2013

IT INSIGHTS

The DOE reaches out to utilities with cybersecurity model

ES-C2M2 is on the scene

By Kathleen Wolf Davis

There’s an old joke with an equally archaic punchline that quips about the U.S. government never getting a thing done, how every project takes forever. At least in the case of a cybersecurity model, the U.S. government has definitely proven that joke completely and utterly wrong.

The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) hasn’t been in the works for a decade. It hasn’t been languishing in a subcommittee waiting for rescue or funding. In fact, it all started just a scant year ago when the White House knocked on the door of the Department of Energy (DOE) and asked how we (as a government body and as an industry entity and as a group of concerned consumers) start to pinpoint what utilities are doing on cybersecurity and what they should be doing, a now-and-the-future scenario.

Thus was born the ES-C2M2, a public/private partnership allowing electric utilities and grid operators to assess their cybersecurity capabilities. It also allows utilities to prioritize future actions and investments in the cybersecurity arena with a series of steps—gradual assessments in platform areas that build to a complete picture.

The collaborative effort that started in 2011 came to a head in May 2012 with the release of the first version of the model (just a few months after it was first initiated in January of this year).

The model, according to the DOE’s Office of Electricity Delivery & Energy Reliability, “combines elements from existing cybersecurity efforts into a common tool that can be used consistently across the industry.” It also includes a cybersecurity self-evaluation survey tool, which discusses situational awareness, along with threat and vulnerability management, to allow a utility an internal option for the cybersecurity discussion.

The challenge from the White House was to develop capabilities to manage dynamic threats and understand grid cybersecurity, Matthew Light, infrastructure systems analyst at the DOE, told insiders at the cybersecurity focus group during Grid-Interop 2012 in Irving, Texas, December 4, 2012.

The objectives for the model development included the desire to strengthen cybersecurity capabilities, along with the need to enable consistent evaluation and benchmarking, share knowledge and benefits, and help prioritize actions and investments. Additionally, Light noted, the utilities wanted to know where they were relative to their peers, and the government needed an assessment to discuss options for federal resources.

The model has ten domains and four maturity indicator levels (MILs). The domains include logical groupings of cybersecurity practices, including: risk management; asset, change and configuration management; identity and access management; threat and vulnerability management; situational awareness; information sharing and communications; event and incident response, continuity of operations; supply chain and external dependencies management; workforce management; and cybersecurity program management.

According to documentation about the model, “the practices within each