Thursday, June 28, 2012

DOE's Prescription for Electric Sector Cybersecurity Uncertainties

I've had a link to this document in the blog's "Relevant Docs" section since it appeared, but with today's press release, I think it's time to shine a spotlight DOE's latest and greatest electric sector cybersecurity resource.

The campaign for measurement has just been given a big shot in the arm. By definition, in a weird permutation of Newton's Third Law, the minute a metric or measurement is proposed it creates its own opposition. Often vocal opposition, I might add.

Nevertheless, neither Newton nor opposition should cause us to accept stasis and the uncertainties that attend the status quo. "What uncertainties?" you might well ask.

And my answer is that the majority of C-Suiters and BoDs at medium-to-large electric utilities likely do not have a decent understanding of the cyber-related reliability and safety risks confronting their IT and OT operations. Nor do they understand well how sound (or unsound) are the defensive measures (people, policy, processes) their cybersecurity folks have deployed.

If I were to now transition to a tirade about the crying need for business-oriented security metrics and measurement, while linking to previous tirades, few would be surprised. But in a moment uncommon self restraint, I won't do that.

Instead, I invite you to consume a few tapas-sized sound bites from DOE's press release earlier today announcing its new, unpronounceable acronymed tool, the ES-C2M2.

Dig in:
  • Energy Department Develops Tool with Industry to Help Utilities Strengthen Their Cybersecurity Capabilities
  • New Tool Available to Enable Electric Utilities to Better Assess their Cybersecurity Needs and Assets 
  • Maturity models, which rely on best practices to identify an organization’s strengths and weaknesses, are widely used by other sectors to improve performance, efficiency and quality. 
  • More than a dozen utilities nationwide participated in pilot evaluations to help refine the model
  • The Cybersecurity Self-Evaluation Tool itself helps electric utilities and grid operators identify opportunities to further develop their own cybersecurity capabilities by posing a series of questions that focus on areas including situational awareness and threat and vulnerability management
  • Utilities that choose to provide their anonymous self-assessment results to the Energy Department will receive reports with anonymous benchmarking results of all utilities participating in the “opt-in” program.
Here's a LINK to the model. Utilities can request the Cybersecurity Self Evaluation Survey Tool by contacting the Energy Department at ES-C2M2@hq.doe.govNote: The Energy Department is also offering facilitated self-evaluations on request.

Please keep in mind that this is a 1.0 version developed at break-neck speed. The more feedback DOE gets from its earliest users, the more we can expect from future versions. And they do seek your feedback.

I think what's been started here is good, very good in fact. Now let's seek to use it, make it great, and substantially improve the industry's understanding of itself along the way.

Image credit: DiaVoLo Group on