July 17, 2012—As technology advances, cyber threats to the nation's electrical grid are becoming increasingly sophisticated and dynamic. With this in mind, the Department of Energy (DOE), Department of Homeland Security (DHS), other government agencies, and industry have been working together to reduce the risk of energy disruptions and improve the electric power grid's ability to withstand and respond to cyber incidents.
The Software Engineering Institute (SEI) CERT® Program has been supporting these efforts to advance the energy efficiency, reliability, and security of the electric power grid for several years. The SEI's most recent work in this area produced the Electricity Sector Cybersecurity Capability Maturity Model (ES-C2M2), a self-evaluation tool that allows utilities and grid operators to assess their cybersecurity capabilities and prioritize their actions and investments to improve cybersecurity. The model, recently released by the DOE, combines elements from existing cybersecurity efforts into a common tool that can be used consistently across the industry to understand, describe, benchmark, and share information about cybersecurity practices.
ES-C2M2 was developed as part of a White House initiative to enhance the security and reliability of the nation's electrical grid. The initiative was led by the DOE, in partnership with the DHS, and in collaboration with industry, private-sector, and public-sector experts.
An industry advisory group developed the model through a series of working sessions and revised it based on feedback from industry experts and pilot evaluations. The advisory group for the initiative included representatives from industry associations, utilities, and government. Additionally, more than 40 subject matter experts from industry helped develop the model. David White, technical manager of the Cyber Resilience Center in the CERT Program, served as model architect for the project, supported by a team of technologists from the SEI.
"The SEI worked in close collaboration with the DOE to lead various aspects of the ES-C2M2 development," said White. "Our team served key roles on the core model development team and provided subject matter expertise to develop the structure and content for the model and an evaluation methodology that would enable utilities to easily assess their own level of cybersecurity readiness." Members of the SEI technical staff also served on the pilot team, which facilitated self-evaluations of volunteer utilities to validate the model content and evaluation approach.
The model development team used several existing processes, models, and documents as foundational references in the creation of the ES-C2M2, including the CERT® Resilience Management Model (CERT®-RMM). The CERT-RMM, a maturity model for operational resilience, is the foundation for a process improvement approach to security, business continuity, and IT operations. It guides organizations working to establish, manage, and mature essential capabilities to ensure they can continue to meet their mission, even in the face of disruptions and risk.
"ES-C2M2 focuses on specific capabilities for managing cybersecurity at an electric power utility, whereas RMM focuses more generally on managing operational risk—including cybersecurity risk—at any organization. Our work in building and using the RMM provided a critical knowledge and experience base that supported the development of ES-C2M2," said White, coauthor of the CERT-RMM.
"Because CERT-RMM provides broader and more general guidance on managing operational risk," White added, "it can serve as a helpful resource document for utilities that implement improvements based on their use of the ES-C2M2."
The SEI has been supporting efforts to modernize the electric power grid since 2007. In 2009, it became the steward of the Smart Grid Maturity Model (SGMM), which was created by a consortium of leading utilities. The SGMM is a management tool that has since been used by more than 120 electric power utilities around the world to plan their smart grid implementation, prioritize options, and measure progress.
The Electricity Subsector Cybersecurity Capability Maturity Model can be downloaded on the Department of Energy website at http://energy.gov/oe/downloads/electricity-subsector-cybersecurity-capability-maturity-model-may-2012.