DOE offers guidance for cybersecurity maturity, risk assessment
Perhaps the most comprehensive cybersecurity guidance to come out of the Energy Department thus far is the Electricity Subsector Cybersecurity Capability Maturity Model (.pdf) the DOE published May 31.
The 92-page document streamlines other cybersecurity guidance for the energy sector into a common guide spanning 10 domains including risk management, identity and access management, situational awareness, and information sharing and communications.
For each domain the model applies four maturity indicator levels, or MILs. To earn an MIL in a given domain, an organization must fulfill all objectives in a level and the preceding level, says the document.
"For example, an organization must perform all of the domain practices in MIL1 and MIL2 to achieve MIL2 in the domain. Similarly, the organization would have to perform all practices in MIL1, MIL2, and MIL3 to achieve MIL3," explains the document.
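The cumulative rule quoted above is easy to get wrong when scoring a self-evaluation by hand: performing a MIL3 practice earns nothing if a MIL2 practice in the same domain is still missing. The following scorer, written for this article as an added example (it is not the DOE's model or any tooling that accompanies it), applies that rule to a constructed survey. The domain names come from the article; the practice identifiers and the survey results are placeholders, and treating MIL0 as the level reached when MIL1 is incomplete is an assumption made here.

```python
"""Score a maturity-model self-evaluation with the cumulative MIL rule.

Added illustration, not the DOE's model or tooling.  Practice identifiers and
survey results are constructed placeholders; the real model has its own
practices for each of its 10 domains.
"""
from typing import Dict, Iterable, List, Set

# Constructed sample: for each domain, the practices that belong to each MIL.
# MIL0 (assumed here) is what a domain scores when MIL1 is not yet complete.
PRACTICES: Dict[str, Dict[int, List[str]]] = {
    "Risk Management": {
        1: ["RM-1a", "RM-1b"],
        2: ["RM-2a", "RM-2b", "RM-2c"],
        3: ["RM-3a"],
    },
    "Identity and Access Management": {
        1: ["IAM-1a"],
        2: ["IAM-2a", "IAM-2b"],
        3: ["IAM-3a", "IAM-3b"],
    },
}

# Constructed survey answers: the practices a utility reports as performed.
# Risk Management has a MIL2 gap (RM-2c) even though a MIL3 practice is done.
SAMPLE_SURVEY: Dict[str, List[str]] = {
    "Risk Management": ["RM-1a", "RM-1b", "RM-2a", "RM-2b", "RM-3a"],
    "Identity and Access Management": ["IAM-1a", "IAM-2a", "IAM-2b"],
}


def achieved_mil(level_practices: Dict[int, List[str]], performed: Set[str]) -> int:
    """Highest MIL whose practices, and those of every lower MIL, are all performed."""
    mil = 0
    for level in sorted(level_practices):
        if all(p in performed for p in level_practices[level]):
            mil = level
        else:
            break  # a gap at this level blocks every level above it
    return mil


def score_survey(practices: Dict[str, Dict[int, List[str]]],
                 survey: Dict[str, Iterable[str]]) -> Dict[str, int]:
    """Achieved MIL per domain for one organisation's survey answers."""
    return {
        domain: achieved_mil(levels, set(survey.get(domain, ())))
        for domain, levels in practices.items()
    }


def gaps(level_practices: Dict[int, List[str]], performed: Set[str], target: int) -> List[str]:
    """Practices still missing at or below the target MIL, i.e. what to fix first."""
    return [
        p
        for level in sorted(level_practices)
        if level <= target
        for p in level_practices[level]
        if p not in performed
    ]


if __name__ == "__main__":
    for domain, mil in score_survey(PRACTICES, SAMPLE_SURVEY).items():
        missing = gaps(PRACTICES[domain], set(SAMPLE_SURVEY[domain]), mil + 1)
        print(f"{domain}: MIL{mil}; to reach MIL{mil + 1} still need {missing}")
```

The `gaps` helper is the part a utility would actually act on: it lists the practices at or below the next level that are not yet performed, which is the prioritisation Imhoff describes below, independent of any higher-level practices already in place.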
Carl Imhoff, electricity infrastructure sector manager at the DOE's Pacific Northwest National Laboratory, told R&D Mag that utilities should use the model as a self-evaluation survey to assess their cybersecurity readiness.
"By taking the survey, utilities of all types can gain additional insight into their respective level of cybersecurity. They can prioritize future investments in order to make their systems more secure," Imhoff told the publication.
The draft model was piloted at 17 utilities to determine whether or not the model provides a basis for evaluation and to collect feedback for improvement, according to the DOE document. And in a May 25 blog post, White House Cybersecurity Coordinator Howard Schmidt said other utilities were eagerly waiting to join the pilots.
The pilots are already informing further model planning, as the document outlines new features that should be added to future versions of the model. The next version of the document will include more MILs, more guidance on developing cybersecurity performance metrics and measurement, and additional guidance on how organizations can implement domain practices.
The model was 5 months in the making. Schmidt, Deputy Secretary of Energy Dan Poneman, senior Homeland Security Department officials and more than two dozen electric-sector executives began work on the maturity model in early 2012. The group held the first of several meetings and workshops on Jan. 5 and did not expect to deliver the final model until late summer 2012, so the May 31 release came well ahead of schedule.
One of the foundational references used by the model development team was another DOE document, released in March. The draft of the Electricity Subsector Cybersecurity Risk Management Process (.pdf) focuses specifically on cybersecurity risk management and draws heavily from the National Institute of Standards and Technology's Special Publication 800-39. The NIST publication is the foundation for Federal Information Security Management Act implementation; however, neither document specifies a set of security controls.
Rather, the draft uses NIST's risk pyramid, which classifies risk levels, and describes a method that electricity subsector organizations of any size should use when framing, assessing, responding to and monitoring cyber risk.
Authors of the draft report note that the risk management process "is not executed in a vacuum." The North American Electric Reliability Corporation, the Nuclear Regulatory Commission and states all have requirements that seek to manage risk.
Implementing the DOE's risk management process, however, will help utilities better respond to new regulations or changes to existing regulatory requirements, says the report. The process promises to allow organizations "to quickly identify the impact of new requirements and adjust their cybersecurity posture accordingly," says the document.