Utilities lead the way to grid security
Benchmarking utilities' cybersecurity readiness provides window into reliability and stability of grid
The Department of Energy's Electricity Subsector Cybersecurity Capability Maturity Model will help utilities assess their own level of cybersecurity readiness.
A first-of-its-kind self-evaluation model and survey will provide utilities with a way to benchmark and measure their cybersecurity readiness. The Electricity Sector Cybersecurity Capability Maturity Model, or ES-C2M2, and its evaluation survey were announced by U.S. Energy Secretary Steven Chu in June. Spearheaded by the White House, DOE and a host of partners, including Pacific Northwest National Laboratory, the three-year ES-C2M2 initiative began in January 2012. PNNL served in an advisory and developmental role in the ES-C2M2 effort.
Why it matters:
The electricity industry increasingly relies on digital information about the power system to reduce costs, increase efficiency, and maintain reliability during energy generation and delivery. "Secure delivery of electricity is vital to our nation, and utilities play a vital role in ensuring that the power system is protected from cyber-attack," said Carl Imhoff, who manages PNNL's electricity infrastructure work. "By taking the survey, utilities of all types can gain additional insight into their respective level of cybersecurity. They can prioritize future investments in order to make their systems more secure."
Available online, the model provides a common language and point of reference for utilities to understand, describe and share information anonymously about cybersecurity practices. The accompanying survey asks a series of questions derived from the model; the answers can help utilities and grid operators identify gaps and prioritize actions and future investments to make their systems more secure. Utilities can request the survey tool by contacting DOE.
The initiative team asked more than a dozen utilities involved in the pilot partnership to voluntarily test the model and survey, and to rate the current maturity of the various pieces of their business on a maturity level indicator of zero to three, with three being most mature. The investor-owned, cooperative and municipal utilities rated themselves in the areas of assets (hardware and software), threats, access control, situational awareness, information sharing abilities, emergency response, supply chain, workforce management and cybersecurity program management. Based upon their findings, utilities can then prioritize next steps and investments in their own security.
For more than a decade, PNNL's Electricity Infrastructure research team has been working to advance the reliability and security of the nation's power system. The team has developed advanced algorithms, modeling capabilities and devices in its Electricity Infrastructure Operations Center. The EIOC allows insight into the system in real time, like never before. PNNL also developed the Secure Serial Communications Protocol, referenced in June's DOE announcement, which was subsequently integrated by Schweitzer Engineering Laboratories into a cryptographic card and link module. It allows asset owners to secure communications between remote devices and control centers and to ensure that information comes from a trusted source and has not been altered in transit.
The Cybersecurity Capability Maturity Model and the Self Evaluation Survey Tool were designed to align with the Roadmap to Achieve Energy Delivery Systems Cybersecurity, which was developed by industry and facilitated by DOE. The Roadmap provides a strategic framework for achieving the vision that, over the next decade, energy delivery systems will be designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions. Utilities can request the survey tool by contacting DOE. DOE also is offering facilitated self-evaluations on request.
The Maturity Model was developed as part of a White House initiative led by the Department of Energy in partnership with the Department of Homeland Security (DHS) and involved close collaboration with industry, other federal agencies, and other stakeholders, including Carnegie Mellon University's Software Engineering Institute. For more information see the PNNL news release.
July 3, 2012