Wednesday, October 17, 2012

Electric Sector Security Metrics Mother Load

Not all are technical metrics, nor are they all technically, metrics.

But in the space of just a few months this summer, North American electric utility executives and their security leadership have seen a spate of new guidance documents published that intend to help them manage, monitor, and measure the effectiveness of their cyber risk mitigation strategies and controls.

Where once there was just the cross-sector ISO 27000 series to steer your security course by (or for Federal folks, FISMA), there are suddenly a near handful of freshly minted how-to manuals at their disposal:
DOE's Electricity Subsector Cybersecurity Maturity Model (June 2012)
Metrics for utilities to use to baseline and gauge effectiveness
DOE’s Electricity Subsector Risk Management Process (May 2012)
Helpful translating cybersecurity into risk management framework 
NARUC's Cybersecurity for State Regulators (June 2012)
Questions utilities will be asked by their state public utility commissions
NIST’s NISTIR 7628 Assessment Guide (Aug 2012)
And if you live in or keep an eye on California, then there’s the metrics work and data privacy rules of the California Public Utilities Commission (CPUC) to consider. It’s working collaboratively with the three big investor owned utilities (IOUs) to bring Smart Grid metrics to fruition, and despite some initial skirmishing, seems resolute in adding security metrics to the mix.

So now maybe the guidance utilities need most is: with limited resources already maxed out on NERC CIP related activities, how to select and implement the best and most helpful pieces from the list above.

Ironic, is it not, to hear the SGSB describe a flood of security metrics in our industry?