(Allowing for gross, bordering on reckless, misappropriation) as Shakespeare once said, if you don't take time to measure, you might end up making some big mistakes, like marrying the wrong person, or verily, killing the wrong enemy, and worse.
If you must, see previous SGSB posts on Measurement and Metrics HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE ... you starting to get the picture?
Now introducing: four significant tools in four months designed to help utilities and those who help them develop a better understanding of their cybersecurity posture and preparedness:
- NIST’s NISTIR 7628 Assessment Guide (Aug 2012) - Utilities and their partners can now begin to gauge alignment with this uber-guide to Smart Grid security & privacy. Bonus: Plus, if you order now, you'll also get: Companion Spreadsheet tool!
- DOE's Electricity Subsector Cybersecurity Maturity Model (June 2012) - Metrics for utilities to use to baseline and gauge effectiveness of their cybersecurity program and controls
- NARUC's Cybersecurity for State Regulators (June 2012) - Questions utilities will be asked by their state public utility commissions, who will be all the smarter for having read this doc
- DOE’s Electricity Subsector Risk Management Process (May 2012) - Helps translate cybersecurity into risk management framework
What brought on this sudden push to figure out how we're doing and where we need more work? I don't really know, but I sure am glad it happened.
Something I do know: when you hear a member of the US Congress (or any other government entity) declare that its critical infrastructure providers need to do better on cyber security, imagine asking said official: "Sir/M'am (to indicate proper respect for position) what, exactly, would electric utilities need to do to convince you they were doing enough?"
Even for the very intelligent, absent metrics, this is an impossible question to answer.
Think: Deer in Headlights.
And note: it's nearly as impossible for Utility executives and boards of directors to answer as it is for government leaders, despite the fact that rigorously evaluating risk and acting accordingly is one of their primary jobs. We need to give them the structure and tools they need to do it well.
Think: Mom, Apple Pie
Thanks to DOE, NIST and NARUC ... we're getting there. Finally, we're getting there.