search menu icon-carat-right cmu-wordmark
2022 Year in Review

Updated Energy Sector Cybersecurity Maturity Model Helps Keep the Lights On

Advances in technology, such as distributed energy resources, are increasing the amount of communication between devices that enable safe, reliable delivery of energy to consumers. At the same time, adversaries of the United States are increasingly targeting cyber attacks on critical infrastructure.

A 2011 White House initiative tasked the Department of Energy (DOE) to create a more comprehensive, consistent approach to measuring the security posture of the energy sector. The DOE formed a working group of research organizations, including the SEI, and energy sector stakeholders. In just five months, the working group produced the Cybersecurity Capability Maturity Model (C2M2), which received a major update in 2022.

The 2012 model gathered more than 350 cybersecurity practices, grouped into objectives across 10 domains—logical groupings of cybersecurity practices. The practices are organized by three progressive maturity levels referred to as the Maturity Indicator Levels (MILs). Voluntary C2M2 self-evaluations give utilities, from small municipals to large investor-owned enterprises, a snapshot of their cybersecurity posture they can use to evaluate their capabilities, identify gaps, prioritize improvements, and track progress over time.

“A consensus cybersecurity measurement had to come from the energy industry, but we needed a carefully architected maturity model,” said Fowad Muneer, acting deputy director of Risk Management Tools and Technologies within the DOE Office of Cybersecurity, Energy Security, and Emergency Response (CESER). The SEI had decades of experience in developing maturity models, such as the foundational CERT Resilience Management Model (CERT-RMM), which became the starting point for the C2M2.

Since 2012, cyber attacks on energy resources, such as the 2021 ransomware attack on Colonial Pipeline, have become more sophisticated. Other changes in the cybersecurity landscape, including zero trust principles and artificial intelligence, as well as multiple new executive orders on cybersecurity and critical infrastructure, spurred the DOE to update the C2M2.

The DOE assembled a project team, which included the SEI, that collaborated with 145 cybersecurity experts from 77 energy sector and cybersecurity organizations on C2M2 revisions over three years.

We scrubbed the model end to end, looking for blind spots. That gives us confidence that this is a robust model for today’s threats and technology landscape.

Fowad Muneer
Acting Deputy Director, Risk Management Tools and Technologies Division, CESER, Department of Energy

After addressing public comments, reviewing the model for technological currency, and piloting it with energy companies, the DOE published C2M2 version 2.1 in June 2022. “We scrubbed the model end to end, looking for blind spots,” said CESER’s Muneer. “That gives us confidence that this is a robust model for today’s threats and technology landscape.”

The update revised two-thirds of the practices and merged the previously separate models for the electricity subsector and oil and natural gas subsector. A Cybersecurity Architecture domain was added, and the Third-Party Risk Management domain was refreshed to reflect increasing supply chain cybersecurity risks. The update also more closely aligns the model’s practices with the NIST Cybersecurity Framework (CSF).

In each of the seven months following the release of C2M2 version 2.1, an average of more than 2,500 unique users accessed the HTML-based C2M2 tools. This interest builds on the popularity of the HTML and PDF formats of the earlier C2M2 versions, which had been requested thousands of times since 2012.

“The updates and improvements to the C2M2 model represent significant collaborative efforts between industry and our government partners to address the challenges of an evolving threat landscape,” said Kaitlin Brennan, director of cyber and infrastructure security at Edison Electric Institute, an industry group involved in the C2M2. “They further strengthen our collective cybersecurity programs and operational resilience.”

Photo: U.S. Department of Energy

More Enterprise Risk and Resilience Management from the 2022 Year in Review