DOE publishes electric grid cybersecurity model

Editor’s Note: The DOE/DHS publication, Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), is attached below.

From: FierceGovernmentIT

By Molly Bernhart Walker

After five months of development, the Energy Department published May 31 the Electricity Subsector Cybersecurity Capability Maturity Model (.pdf).

The model serves as a “tool to evaluate and strengthen cybersecurity capabilities and enable utilities to prioritize their actions and their cybersecurity investments,” said White House Cybersecurity Coordinator Howard Schmidt in a White House blog post May 25.

The maturity model combines elements from existing cybersecurity efforts into a common guide that spans 10 categories of capabilities, or domains. Each of these 10 domains has objectives that an organization can fulfill in order to establish a mature capability in the domain.

The 10 domains are:

  • Risk management;
  • Asset, change and configuration management;
  • Identity and access management;
  • Threat and vulnerability management;
  • Situational awareness;
  • Information sharing and communications;
  • Event and incident response, continuity of operations;
  • Supply chain and external dependencies management;
  • Workforce management; and
  • Cybersecurity program management.

The model also employs four maturity indicator levels, which apply independently to each domain. To earn an MIL in a given domain, an organization must fulfill all objectives in a level and the preceding level, says the document.

“For example, an organization must perform all of the domain practices in MIL1 and MIL2 to achieve MIL2 in the domain. Similarly, the organization would have to perform all practices in MIL1, MIL2, and MIL3 to achieve MIL3,” explains the model.

According to the document, the draft model was piloted at 17 utilities to determine whether or not the model provides a basis for evaluation and to collect feedback for improvement.

“With a waitlist of utilities eager to employ the model beyond the pilot participants, this model promises to significantly enhance our understanding of cybersecurity capabilities across the sector,” said Schmidt in the blog post.

The pilots are already informing further model planning, as the document outlines new features that should be added to future versions of the model. The next version of the document will include more MILs, more guidance on developing cybersecurity performance metrics and measurement, and additional guidance on how organizations can implement domain practices.

For more: – download the Electricity Subsector Cybersecurity Capability Maturity Model (.pdf) – see the White House blog post

Electricity Subsector Cybersecurity Capabilities Maturity Model (ES-C2M2) – May 2012
