Showing posts with label security maturity. Show all posts

Sunday, February 16, 2014

DOE's C2M2 is Growing Up Fast

There's been a ton of work accomplished since DOE handed the C2M2 flame to former FERCer Jason Christopher.  This program has now been leveraged at hundreds of enterprises and gives you three flavors of Cybersecurity Capability Maturity Model (C2M2) to choose from.

You can download any/all of the models right this minute if you are so inclined:


In addition, there are a number of new supporting resources for organizations at some stage of the C2M2 consideration or implementation process:

  • C2M2 FAQ - helps answer whether or not a C2M2 self-assessment is right for your organization (ab: sounds a little too much like a Cialis commercial to me)
  • C2M2 Facilitator Guide - provides step-by-step guidance for organizations that want to perform their own internal self-assessments (with or without a 3rd party)
  • C2M2 toolkit for all three models (electricity, oil & natural gas, and sector-neutral) based on MS Excel and Word, so it can be used by any organization. (Toolkits are provided by request only—email C2M2@doe.gov for more information.)

Lastly, this just-released bulletin tells you how DOE, NIST and DHS see the C2M2 and the Critical Infrastructure Security Framework (CSF) playing complementary roles.

So much good stuff.  Between all of the above and the Olympics, this should keep you off the streets and out of trouble until Spring finally shows up.

Thursday, February 7, 2013

One Step Closer: Announcing NARUC's Cybersecurity Guide for State Regulators 2.0

My last post on NARUC*, from June of 2012, was on the first version of their cybersecurity guide for state regulators, and the somewhat sprawling piece ended thusly:
I would like to end by saying that this was a document that could never fully please everyone, and if we remember it's a 1.0 version, then in that context it's an ambitious and excellent start. Let's start providing feedback now so that 2.0 can be even better.
Well, guess what, readers? Some of you and maybe some others provided feedback, so well and fully in fact that we find ourselves fewer than 9 months later with a new and improved 2.0 version, just released by NARUC after announcing it at its Winter Meetings (note sublime, almost hypnotic snowflake animation on landing page).

Monday, December 17, 2012

EEI on Electric Sector Cybersecurity, late 2012

David Batz (rhymes with yachts, not cats) is in a good position to know what he's talking about when he says:
Utilities are taking actions to mitigate and manage cybersecurity threats.
As Cybersecurity Director for the Edison Electric Institute (EEI), a DC-based industry advocacy firm that represents the interests of the vast majority of investor-owned utilities in the US, Batz is eminently credible, as he spends just about every waking hour working with utilities, various Federal and state regulators, and the companies that serve the sector.

At a recent conference in Arlington, VA Batz shared some observations on the state of electric sector cybersecurity preparedness that I liked.  Here's one:
In today’s world, cyber attacks and cyber hacking have become monetized and different ventures are using cyber attacks as a way to generate income .... This poses a problem for law-abiding citizenry and creates a problem for the electric sector.

Thursday, June 28, 2012

DOE's Prescription for Electric Sector Cybersecurity Uncertainties


I've had a link to this document in the blog's "Relevant Docs" section since it appeared, but with today's press release, I think it's time to shine a spotlight on DOE's latest and greatest electric sector cybersecurity resource.

The campaign for measurement has just been given a big shot in the arm. By definition, in a weird permutation of Newton's Third Law, the minute a metric or measurement is proposed it creates its own opposition. Often vocal opposition, I might add.

Nevertheless, neither Newton nor opposition should cause us to accept stasis and the uncertainties that attend the status quo. "What uncertainties?" you might well ask.

And my answer is that the majority of C-Suiters and BoDs at medium-to-large electric utilities likely do not have a decent understanding of the cyber-related reliability and safety risks confronting their IT and OT operations. Nor do they understand well how sound (or unsound) are the defensive measures (people, policy, processes) their cybersecurity folks have deployed.

If I were to now transition to a tirade about the crying need for business-oriented security metrics and measurement, while linking to previous tirades, few would be surprised. But in a moment of uncommon self-restraint, I won't do that.

Instead, I invite you to consume a few tapas-sized sound bites from DOE's press release earlier today announcing its new tool with the unpronounceable acronym, the ES-C2M2.

Dig in:
  • Energy Department Develops Tool with Industry to Help Utilities Strengthen Their Cybersecurity Capabilities
  • New Tool Available to Enable Electric Utilities to Better Assess their Cybersecurity Needs and Assets
  • Maturity models, which rely on best practices to identify an organization’s strengths and weaknesses, are widely used by other sectors to improve performance, efficiency and quality.
  • More than a dozen utilities nationwide participated in pilot evaluations to help refine the model
  • The Cybersecurity Self-Evaluation Tool itself helps electric utilities and grid operators identify opportunities to further develop their own cybersecurity capabilities by posing a series of questions that focus on areas including situational awareness and threat and vulnerability management
  • Utilities that choose to provide their anonymous self-assessment results to the Energy Department will receive reports with anonymous benchmarking results of all utilities participating in the “opt-in” program.
Here's a LINK to the model. Utilities can request the Cybersecurity Self Evaluation Survey Tool by contacting the Energy Department at ES-C2M2@hq.doe.gov.

Note: The Energy Department is also offering facilitated self-evaluations on request.

Please keep in mind that this is a 1.0 version developed at break-neck speed. The more feedback DOE gets from its earliest users, the more we can expect from future versions. And they do seek your feedback.

I think what's been started here is good, very good in fact. Now let's seek to use it, make it great, and substantially improve the industry's understanding of itself along the way.

Image credit: DiaVoLo Group on Flickr.com

Monday, May 21, 2012

Measuring Security? In the Electric Sector? Are you Serious? Someone Is.


I tried making the case most recently in Time for Electric Sector to Measure Up on Security and Smart Grid Security Truth: You Can't Do What You Don't Measure, but couldn't detect a measurable response.

Without a lingua franca for security, how will anyone ever know which organizations are doing a comparatively better or worse job? Whether one's own organization is kicking butt or having its butt kicked?

Chances are the only folks with this information today are hackers who spread their attacks across dozens of them. They can see which utilities offer them an easier path in than others. But I don't imagine they're sharing this information too freely.

I'm tired of this ambiguity. Perhaps you are too. And so, it seems, is the State of California.