CERT PODCAST SERIES: SECURITY FOR BUSINESS LEADERS: SHOW NOTES

The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)

Key Message: ES-C2M2 helps improve the operational resilience of the U.S. power grid.

Executive Summary

"The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) program is a public-private partnership effort that was established as a result of the U.S. administration’s efforts to improve electricity subsector cybersecurity capabilities, and to understand the cybersecurity posture of the grid. The ES-C2M2 program comprises a maturity model, an evaluation tool, and U.S. Department of Energy (DOE) facilitated self-evaluations." [1]

"The ES-C2M2 maturity model provides a mechanism to evaluate, prioritize, and improve cybersecurity capabilities. The model is a common set of industry vetted cybersecurity practices, grouped into 10 domains and arranged according to maturity level. The ES-C2M2 evaluation tool enables organizations to evaluate their cybersecurity practices against ES-C2M2 cybersecurity practices. Based on this comparison, a score is assigned for each domain. Scores can then be compared to a desired score – determined by the organization’s risk tolerance for each domain." [1]

In this podcast, Jason Christopher, Technical Lead for Cybersecurity Capabilities and Risk Management with the U.S. Department of Energy and Nader Mehravari, a member of CERT's Cyber Risk Management team, discuss ES-C2M2 and how it is helping electric utilities and grid operators improve the operational resilience and security of the U.S. power grid.

PART 1: PUBLIC PRIVATE PARTNERSHIP ESSENTIAL TO DEVELOP ES-C2M2 IN FIVE MONTHS

History

The U.S. Department of Energy (DOE) has been addressing cybersecurity for the energy sector since 2006, starting with a roadmap of controls.

There are four ES-C2M2 goals:

1. Strengthen cybersecurity capabilities within the electricity subsector.
2. Enable utilities to effectively and consistently evaluate and benchmark cybersecurity capabilities. Be able to answer the question "How am I doing compared to my peers?"
3. Share knowledge, best practices, and relevant references within the subsector.
4. Enable utilities to prioritize their actions and investments to improve cybersecurity.

Improving cybersecurity has always been a national priority, even more so since the blackout in the northeastern U.S. in 2003. As a result of this blackout, mandatory cybersecurity standards were enacted and are managed by the Federal Regulatory Commission.

Development of ES-C2M2

The directive for this model came from the White House and was co-sponsored by the U.S. Department of Homeland Security. Development commenced in January 2012. The first version of ES-C2M2 was published in May 2012.

The development team was comprised of representatives from Federal agencies, utility asset owners and operators, and trade associations – a public/private partnership.

ES-C2M2 is intended for all electric utilities regardless of their ownership structure, size, business services, and reliability requirements.

During this accelerated five month development timeframe, ES-C2M2 was pilot tested by 17 different utilities to vet and validate the model. This piloting process was essential for achieving consensus among this diverse set of organizations.

Developing and piloting this model in five months was a phenomenal accomplishment.

PART 2: ES-C2M2 STRUCTURE AND SELF-EVALUATION METHOD

Model Domains and Maturity Indicator Levels

ES-C2M2 comprises 10 domains – an overarching collection of good things that an organization should do in order to manage and improve their cybersecurity posture. These are:

• risk management (RISK)
• asset, change, and configuration management (ASSET)
• identity and access management (ACCESS)
• threat and vulnerability management (THREAT)
• situational awareness (SITUATION)
• information sharing and communications (SHARING)
• event and incident response, continuity of operations (RESPONSE)
• supply chain and external dependencies management (DEPENDENCIES)
• workforce management (WORKFORCE)
• cybersecurity program management (CYBER)

Maturity indicator levels, or MILs, can be used by organizations to measure their progress in implementing practices in each of the 10 domains. The four MILs are incomplete, initiated, performed, and managed.

The practices in each domain are organized into objectives. For example, in the Event and Incident Response, Continuity of Operations (RESPONSE) domain, the objectives are:

• Detect Cybersecurity Events
• Escalate Cybersecurity Events
• Respond to Escalated Cybersecurity Events
• Plan for Continuity

In each domain, there is a final objective that contains the practices necessary to manage that domain. This "common" objective provides a mechanism for organizations to determine how well they have institutionalized the practices in the domain, i.e., the extent to which the practices are part of the organization’s way of doing business or DNA.

ES-C2M2 is a dual progression model. This means that there is a progression of common practices within each domain objective and there is a progression of practices necessary to make domain-specific practices part of the normal course of business – as defined by the MIL scale.

The purpose of self-evaluation is to identify gaps and determine where best to invest scarce resources. ES-C2M2 self-evaluation resources include:

The DOE-led evaluation has the following characteristics:

• One day long
• All individuals with day-to-day operational responsibility are present.
• Software tools are used by the facilitator.
• Questions for all domains are asked, discussed, and answered.
• Practices are determined to be fully implemented, largely implemented, partially implemented, not implemented, or not applicable.
• Answers are recorded in a toolkit that processes them in real time and generates a summary dashboard, showing the organization’s performance against all of the practices in ES-C2M2.

PART 3: FIELD EXPERIENCES AND FUTURE PLANS

Observations from Facilitated Self-Evaluations

One of the key benefits is the dialogue that takes place among those participating. At least one person needs to have the operational expertise necessary to address their organization’s performance in each domain. For example, people operating industrial control systems are interacting with people from Human Resources and people in charge of the cybersecurity program.

Some will say, "We absolutely do that practice," while others will say, "I don’t think we do." Different approaches are often used by different parts of the organization.

Other comments include, "We’ve never thought about this," or "We’ve never observed this." Participants gain immediate and direct benefit from the one-day evaluation process.

This dialogue tends to help with kick starting the improvement and institutionalization that the model recommends.

Future Plans

The primary objective in the near term is to keep the current version of ES-C2M2 stable so it can be used by a growing number of utilities.

Another version of the model has been developed for the oil and natural gas sector. With this model, the entire energy sector now has a single tool that they can use.

The DOE ES-C2M2 team is closely tracking the NIST Cybersecurity Framework program, developed in response to Executive Order 13636. A future objective is to demonstrate how ES-C2M2 meets the objectives of the NIST Framework.

DOE is developing a facilitator’s guide for use by the more than 1300 utilities in the U.S. Using this approach, only the facilitator needs to know about and understand the model, not all who participate in the self-evaluation, one-day meeting.

All evaluation results are confidential. For utilities that wish to make their results public, DOE will be working with them to see how they have improved as a result of using ES-C2M2.

Resources

[1] ES-C2M2 program website

ES-C2M2 model website

Moore, Samara. ES-C2M2 Program Overview, November 2012.

Office of the President. Executive Order 13636—Improving Critical Infrastructure Cybersecurity, February 2013.