Cybersecurity evaluation model and survey available to benchmark power utilities



The Department of Energy's Electricity Subsector Cybersecurity Capability Maturity Model will help utilities assess their own level of cybersecurity readiness.

A first-of-its-kind self-evaluation model and survey can provide utilities with an efficient way to benchmark and measure their cybersecurity. The Electricity Sector Cybersecurity Capability Maturity Model, or ES-C2M2, and its evaluation survey can help utilities assess their own level of cybersecurity. The model provides a common language and point of reference for utilities to understand, describe, and share information anonymously about cybersecurity practices. The accompanying survey asks a series of questions derived from that model; the answers can help utilities and grid operators identify gaps and prioritize actions and future investments to make their systems more secure. Utilities can request the survey tool by contacting the DoE (US Department of Energy), which is offering facilitated self-evaluations on request.

"Secure delivery of electricity is vital to our nation, and utilities play a vital role in ensuring that the power system is protected from cyber attack," said Carl Imhoff, electricity infrastructure sector manager at the DoE's PNNL (Pacific Northwest National Laboratory). "By taking the survey, utilities of all types can gain additional insight into their respective level of cyber security. They can prioritize future investments in order to make their systems more secure," he said.

Spearheaded by the White House, DoE and a host of partners, including the Department of Homeland Security, Carnegie Mellon University's Software Engineering Institute, PNNL and others, the three-year ES-C2M2 initiative began this year with the goal of helping utilities develop a process and common model by which they can evaluate and understand their readiness to prepare for a host of cybersecurity issues. The PNNL team provided an advisory and developmental role in the ES-C2M2 effort.

The initiative team asked more than a dozen utilities involved in the pilot partnership to voluntarily test the model and survey, and to evaluate the current state of maturity of the various pieces of their business on a maturity level indicator of zero to three, three being most mature. Investor-owned cooperatives and municipal utilities rated themselves in the areas of assets (hardware and software), threats, access control, situational awareness, information sharing abilities, emergency response, supply chain, workforce management, and cybersecurity program management. Based upon their findings, utilities can then prioritize next steps and investments in their own security.

For more than a decade, PNNL's Electricity Infrastructure research team has been working to advance the reliability and security of the nation's power system. The team has developed advanced algorithms, modeling capabilities and devices in its Electricity Infrastructure Operations Center that allow insight into the system in real time, like never before. PNNL also developed the Secure Serial Communications Protocol, subsequently integrated by Schweitzer Engineering Laboratories into a cryptographic card and link module. It allows asset owners to secure communications between remote devices and control centers and ensures that information comes from a trusted source and has not been altered in transit.