Government teams with the electric industry to short-circuit cyber attacks.
A significant modernization effort underway across the national electric grid is seeking a balance between strong cybersecurity capabilities and affordable protections across the sector. To help the private industries that generate and transmit electrical power with their efforts to develop safeguards that correspond with new technologies, the U.S. departments of Energy and Homeland Security have issued a model of voluntary measures.
The Electricity Subsector Cybersecurity Capability Maturity Model was developed by Carnegie Mellon University’s Software Engineering Institute CERT Program in conjunction with the federal agencies and industry experts based on a series of working groups. Preliminary testing took place during pilot evaluation periods, and the recommendations were issued in May. Industry officials currently are reviewing the recommendations.
The model has four objectives: strengthen cybersecurity capabilities in the electricity subsector; enable utilities to evaluate and benchmark cybersecurity capabilities effectively and consistently; share knowledge, best practices and relevant references within the subsector to improve cybersecurity capabilities; and enable utilities to prioritize actions and investments to improve cybersecurity.
The recommendation model is broken down into 10 descriptive domains representing groups of different, but related, cybersecurity categories: risk, asset, access, threat, situation, sharing, response, dependencies, work force and cyber.
“Those domains are geared around those key capabilities needed to manage the dynamic cyberthreat to the grid,” says Samara Moore of the Department of Energy’s (DOE’s) Office of Electricity Delivery and Energy Reliability. Moore served as the agency’s lead manager in drafting the initiative and coordinating with Carnegie Mellon and industry.
Within each domain are checklist items that fall under one of four maturity indicator levels (MILs). These levels signify their relative importance in managing cybersecurity based on input from industry experts.
MIL 1 represents the basic cybersecurity practices that an organization should have in place, such as taking steps to identify and deal with cybersecurity threats. MIL 2 and MIL 3 reflect an increase in progression and, depending on the organization’s objectives, the impact on critical infrastructure and risk tolerance. In these areas, an organization may choose to have stronger capabilities, Moore explains.
The MILs as drafted are designed to be flexible, recognizing that some utilities may not need the “gold-plated security,” she suggests.
The development of the cybersecurity model takes advantage of relationships Moore says her agency has established with the owners and operators of electric transmission grids. It also builds upon work reflected in an earlier DOE-industry white paper titled “Roadmap to Achieve Energy Delivery Systems Cybersecurity.”
“We were able to identify any concerns and specific areas of focus from industry early on,” Moore relates, “and at the same time, we were able to express the things from a federal government perspective” concerning cybersecurity protection.
Industry’s top concern in the development of the cybersecurity model, according to Moore, was that the recommendations would be consistent with existing cybersecurity requirements and that they did not conflict with or duplicate standards already in place. For example, bulk-power electrical systems already are subject to cybersecurity standards set by the North American Electric Reliability Corporation (NERC), a non-governmental regulatory organization with legal authority to enforce electric reliability standards in the United States through the Federal Energy Regulatory Commission and two Canadian provinces under Canadian government authority.
Another industry concern was whether the effort would be mandatory or voluntary. “Our intent from the beginning is that this be a voluntary program,” Moore explains. For now, no immediate plans exist to draft DOE cybersecurity regulations.
From the government perspective, Moore says, it was important to determine the status quo and figure out how to gauge future improvements. “We wanted to develop a common model so that we can benchmark cybersecurity capabilities and how they are strengthened over time,” she asserts.
Toward the end of the drafting process for the cybersecurity model, Moore explains, “We actually revised our objectives to confirm that it represented jointly both the federal government objectives as well as industry objectives.” The goal was to obtain buy-in on both sides of the objectives that currently are listed for the cybersecurity model.
Prior to its release in late June, the model was subjected to a pilot demonstration program that involved 17 different utility companies representing the different business models for electricity utility companies, Moore explains. These included privately owned electricity companies, municipally owned electrical utilities and cooperative utilities that varied in relative size and also in a variety of electrical transmission distribution systems.
“That was a way of validating whether the model can be applied across the sector and how well we addressed the concerns expressed by industry,” Moore says. She adds that the pilot demonstrations were very helpful in refining the version of the model now in the hands of the utility companies.
While industry groups study the recommendations, Moore says that the next step for the working group is to distribute a survey tool, which will allow utilities to perform the initial self-evaluation of their systems based on the cybersecurity model.
“They can complete the document, and it will generate a report that identifies opportunities for improvement based on their responses and practices defined in the model,” she notes.
Moore adds that her agency is assisting utilities with their self-assessments as needed. The DOE also is conducting webinars to provide a forum for an ongoing discussion about best practices and the success reported by utilities in implementing the concepts embodied in the cybersecurity model. The DOE and the working group will be participating in industry events as a means of gathering feedback on how utilities are doing with the self-assessment process.
Some utilities have expressed concern about sharing proprietary information in their self assessments. However, Moore responds that proprietary information would be saved as critically protected infrastructure, which affords it some protection. “What we want to collect is the non-attributable responses to the self-assessment” to gain as detailed a snapshot as possible of the current state of cybersecurity in the electrical industry, she elaborates.
The goal is to review industry progress in its self-assessment periodically and to update the model as needed to reflect new threats, improvements in technology and newly learned best practices among industry stakeholders, Moore says. The DOE cybersecurity model carries as a subheading the designation of Version 1.0.
The DOE recommendations are a direct result of the White House Electricity Subsector Cybersecurity Risk Management Maturity Initiative started in 2010 by the DOE and the Department of Homeland Security (DHS), which is tied with the National Infrastructure Protection Plan administered by the DHS. The model recognizes the importance of having affordable protections and having the right balance of resilience, restoration and cybersecurity protection, Moore explains. The recommendations also are tied in with the administration’s smart-grid policies, announced a year ago by the National Institute of Standards and Technology (SIGNAL Magazine, August 2011, page 67).
The model represents a way to have concrete actions to secure critical infrastructure, as well as provide a means for industry to share best practices and strengthen its capabilities, Moore emphasizes. The key to that goal, she says, is the emphasis on risk management and initiatives to implement the technology for ongoing monitoring of electrical grid management systems.