Sunday, February 16, 2014

DOE's C2M2 is Growing Up Fast

There's been a ton of work accomplished since DOE handed the C2M2 flame to former FERCer Jason Christopher.  This program has now been leveraged at hundreds of enterprises and now gives you three flavors of Cybersecurity Capability Maturity Model (C2M2) to choose from.

You can download any/all of the models right this minute if you are so inclined:


In addition, there are a number of new supporting resources for organizations at some stage of the C2M2 consideration or implementation process:

  • C2M2 FAQ - helps answer whether or not a C2M2 self-assessment is right for your organization (ab: sounds a little too much like a Cialis commercial to me)
  • C2M2 Facilitator Guide - provides step-by-step guidance for organizations that want to perform their own internal self-assessments (with or without a 3rd party)
  • C2M2 toolkit for all three models (electricity, oil & natural gas, and sector-neutral) based on MS Excel and Word, so it can be used by any organization. (Toolkits are provided by request only—email C2M2@doe.gov for more information.)

Lastly, this just-released bulletin tells you how DOE, NIST and DHS see the C2M2 and the Critical Infrastructure Security Framework (CSF) playing complementary roles.

So much good stuff.  Between all of the above and the Olympics, this should keep you off the streets and out of trouble until Spring finally shows up.

Monday, March 4, 2013

DHS' CSET: a Remedy for Electric Sector Security Measurement and Reporting Complexity Pains?

Sorry about that ridiculously long title, but I felt it couldn't be helped this time. Thanks to Dr. Les Cardwell of Central Lincoln PUD, a publicly owned utility serving communities on the coast of Oregon.

Les wrote in and shared some of what he recommended to NIST and DOE regarding the recent RFI on the "Framework for Reducing Cyber Risks to Critical Infrastructure."

I'm not going to reprint the entirety of his submission, but will share with you two things here. First, Les' articulation of the need for a way to keep complexity in check as we go about this search for a new/better security framework for our community:

Wednesday, February 20, 2013

DOE Seeks Your Ideas for Better Grid and Smart Grid Security

Thanks to my colleagues JSK and SG for initially sending this my way, and given the news lately, how timely it is!

A new Department of Energy (DOE) funded project seeks:
... applications to conduct research, development and demonstrations leading to next generation tools and technologies that will become widely adopted to enhance and accelerate deployment of cybersecurity capabilities for the U.S. energy infrastructure, including cyber secure integration of smart grid technologies.

Tuesday, July 24, 2012

2 Control Systems Metrics Movers/Shakers: Jim Brenton and Joe Weiss

The more metrics the merrier, I say. After yesterday's post on IDC's take on energy sector cybersecurity metrics, let's pivot to control systems, where the three most important things are:
  1. reliability
  2. reliability, and
  3. reliability
... and where what passes for cybersecurity in IT realms just doesn't cut the mustard.

First see this NEW POST from Joe Weiss on how to begin wrapping your head around what control systems metrics could look like.

Then I'd recommend Jim Brenton's PRESENTATION at GridSec earlier this year on a new group that's formed to look at developing security (or should I say reliability and resiliency) metrics for the Bulk Electric System (BES).

OK, that's it, this is a short one. You can go back to what you should have been doing all along.

Thursday, June 28, 2012

DOE's Prescription for Electric Sector Cybersecurity Uncertainties


I've had a link to this document in the blog's "Relevant Docs" section since it appeared, but with today's press release, I think it's time to shine a spotlight on DOE's latest and greatest electric sector cybersecurity resource.

The campaign for measurement has just been given a big shot in the arm. By definition, in a weird permutation of Newton's Third Law, the minute a metric or measurement is proposed it creates its own opposition. Often vocal opposition, I might add.

Nevertheless, neither Newton nor opposition should cause us to accept stasis and the uncertainties that attend the status quo. "What uncertainties?" you might well ask.

And my answer is that the majority of C-Suiters and BoDs at medium-to-large electric utilities likely do not have a decent understanding of the cyber-related reliability and safety risks confronting their IT and OT operations. Nor do they understand well how sound (or unsound) are the defensive measures (people, policy, processes) their cybersecurity folks have deployed.

If I were to now transition to a tirade about the crying need for business-oriented security metrics and measurement, while linking to previous tirades, few would be surprised. But in a moment of uncommon self-restraint, I won't do that.

Instead, I invite you to consume a few tapas-sized sound bites from DOE's press release earlier today announcing its new tool with the unpronounceable acronym, the ES-C2M2.

Dig in:
  • Energy Department Develops Tool with Industry to Help Utilities Strengthen Their Cybersecurity Capabilities
  • New Tool Available to Enable Electric Utilities to Better Assess their Cybersecurity Needs and Assets 
  • Maturity models, which rely on best practices to identify an organization’s strengths and weaknesses, are widely used by other sectors to improve performance, efficiency and quality. 
  • More than a dozen utilities nationwide participated in pilot evaluations to help refine the model
  • The Cybersecurity Self-Evaluation Tool itself helps electric utilities and grid operators identify opportunities to further develop their own cybersecurity capabilities by posing a series of questions that focus on areas including situational awareness and threat and vulnerability management
  • Utilities that choose to provide their anonymous self-assessment results to the Energy Department will receive reports with anonymous benchmarking results of all utilities participating in the “opt-in” program.
Here's a LINK to the model. Utilities can request the Cybersecurity Self Evaluation Survey Tool by contacting the Energy Department at ES-C2M2@hq.doe.gov. Note: The Energy Department is also offering facilitated self-evaluations on request.

Please keep in mind that this is a 1.0 version developed at break-neck speed. The more feedback DOE gets from its earliest users, the more we can expect from future versions. And they do seek your feedback.

I think what's been started here is good, very good in fact. Now let's seek to use it, make it great, and substantially improve the industry's understanding of itself along the way.

Image credit: DiaVoLo Group on Flickr.com

Tuesday, October 25, 2011

DOE doing Little to Demonstrate or Inspire Cyber Security Confidence in the Sector it Regulates

I don't want to sound harsh or ungenerous, but the timing of this audit report, paired with its sad contents, is not great.

Long story short: known vulnerabilities in DOE systems are up; successful attacks endured by DOE systems are up, and DOE spokespersons are trying to cover it up / play it down:
We are concerned that a casual reader of this report might not fully understand that the findings, while important, do not represent demonstrated risks.
This from the agency's associate administrator for management and budget, in a letter to the DOE Inspector General.

As I said in a recent post, I'm now beating the bushes in search of energy sector exemplar organizations and am starting to find some ... two large Investor Owned Utilities (IOUs) so far. I would like to find similarly forward-leaning examples of other types, including munis, co-ops and Federal.

IMHO DOE should be the model Federal organization when it comes to implementing and managing cyber security policy and controls and leading by example. That it's apparently another basement dweller, according to multiple recent audit results, only invites more scrutiny and more attacks.

Would love to see an energetic turnaround expert / change agent get in there, work on the culture and get them far better results next time. Sure you would too.

Here's the article in Reuters.

Tuesday, October 18, 2011

Do it for Mom: Knocking out Smart Grid Vulnerabilities Early this Holiday Season


Unless you're in Texas, where until recently roofs were melting and tires exploding, you've noticed the new autumnal smells in the air, right? So right about now who wouldn't want Smart Grid security, motherhood and/or apple pie? That's what this new Oak Ridge National Labs (ORNL) project promises:
Rather than wait for signs of a security problem to crop up in smart-grid technologies, wouldn’t it be better to automatically analyze software and hardware to uncover vulnerabilities, whether accidental or malicious?
I think this must be a trick question; the answer seems so obvious:

Add one part DOE lab, another part respected energy sector security service provider Enernex, and a generous dollop of AMI vendor Sensus, and it appears you've got a formula for something that's been missing in Smart Grid supply chain security ... until now.

Let's see how this goes.

Click HERE to read more on this.

Photo credit: cotaroba at Flickr.com

Thursday, February 3, 2011

DOE, NIST, and NERC Announce a Long Overdue Collaboration on Smart Grid Security

So happy to see this come to fruition. From Tuesday's press release:
Traditional cyber security approaches for electric utilities are segmented, with different approaches for control systems and information systems. This has resulted in cyber security requirements that are overly restrictive in some cases, and not restrictive enough in others. At best, requirements are overlapping, but more often result in gaps in cyber security coverage. A common approach is needed to address the unique cyber security risks that a nation-wide smart grid will pose.
This began as a conversation late last year between two friends, one of them named Dave Dalva, trying to figure out how to break through some logjams: first online, and then over coffee one morning in DC.

Click HERE for full statement, and recommend you stay tuned on this.

Thursday, September 17, 2009

Found a Nugget at NETL!

As we have investigated the nature and definition of security within the Smart Grid context, we have had few definitive descriptions or declarations about what Smart Grid Security really means. This lack of concrete and common understanding is one of the reasons that Andy and I started writing, and now continue writing, the Smart Grid Security blog. Our goal is always to suggest the questions that should be asked, and the issues that will need to be addressed. We do not try to prescribe or promote a definition; it is our thought that the entire space is just too young.

While doing my usual late-night dive around the net, I found an excellent document that I would like to point our readers to, from the National Energy Technology Laboratory, developed for the U.S. Department of Energy. Published in January of 2007, it is an appendix to a much larger piece entitled A Systems View of the Modern Grid, which was initiated to describe (prior to the pervasive popularization of the term "Smart Grid") a more informed view of the evolution of the existing grid into something more modern, efficient, reliable, and secure.

I encourage you who are interested in securing the Smart Grid to take a look at Appendix A3: Resists Attack, wherein the authors do a very respectable job of describing many of the likely risks, and the types of regulations/requirements that will be needed to manage/avoid them. As an example, here is a snapshot of a graphic and a fact that I have not seen broadly discussed regarding utility cyber attacks:


And given that these systems and networks have only become more open and accessible since 2003, I would expect that the trend has continued upwards since then.

Aside from good factual data throughout, there are also some concrete recommendations that I wish had been heeded as we jumped headlong into the Smart Grid Investment Grant Program, pilots, etc. Here is an example:
SYSTEM REQUIREMENTS
The systems approach to electric power security would identify key vulnerabilities, assess the likelihood of threats and determine consequences of an attack. The designers of the modern grid can draw on extensive experience developed by the Department of Defense in assessing threats and system vulnerabilities.
And there is much more. Please give it a read. This is a major Smart Grid Security Blog KUDOS to NETL and the authors for a prescient piece of work that is still an excellent resource three years after publication. Note: Appendix 3 "Resists Attack" has been added to the SGS Blog library in the "Relevant Docs" section.