By far the most important development this year was that it began with only a few specific guidance documents (from NIST and NRECA) and is now ending with a comparative landslide of guidance, including some directly aimed at helping utilities assess their current security posture and plot future courses for improvement.
I documented most of these in an October post but for those who missed, forgot or avoided it, here are the new ones for North America published in 2012:
- DOE's Electricity Subsector Cybersecurity Maturity Model (Jun 2012)
- DOE's Electricity Subsector Risk Management Process (May 2012)
- NARUC's Cybersecurity for State Regulators (Jun 2012)
- NIST's NISTIR 7628 Assessment Guide (Aug 2012)
- California's Cybersecurity and the Evolving Role of State Regulation (Sep 2012)
And similar guidance development activities are in motion elsewhere. The European Network and Information Security Agency (ENISA) has produced its Smart Grid Security Recommendations and a number of other helpful documents. I've also heard of early but promising work happening now in India and Japan; perhaps we can look forward to guidance from those geographies in 2013.
I'm not going to talk about 2012 cyber security breaches, although there were some big ones. You can find plenty of pixelated coverage on those elsewhere. However, this giant infographic (thanks to colleague Steve O for the link), which summarizes a survey of hundreds of electric sector personnel by critical infrastructure consultancy Zpryme, indicates that most respondents expect both more spending on security and more attention paid to better securing the operational technology (OT) side of the utility house. That syncs well with my own notes from the field this year.
So in 2013 I'll be watching (and hopefully, getting hands-on with) utilities putting themselves through some of the measurement and metrics programs listed above. I'll also continue my clarion call, along with an increasing number of partners in Federal and State agencies, for utilities to take a fresh look at their own Security Governance models, as I/we believe there are many substantial gains awaiting those who do.
Image credit: Da Vinci's "Vitruvian Man" is in the public domain