PNNL contributed to tool's development

WASHINGTON – A first-of-its-kind self-evaluation model and survey will provide utilities with a way to benchmark and measure their cybersecurity readiness.

Announced today (June 28) by U.S. Energy Secretary Steven Chu, the Electricity Sector Cybersecurity Capability Maturity Model, or ES-C2M2, and evaluation survey will help utilities assess their own level of cybersecurity.

Available online, the model provides a common language and point of reference for utilities to understand, describe and share information anonymously about cybersecurity practices. The accompanying survey asks a series of questions derived from the model; the answers can help utilities and grid operators identify gaps and prioritize actions and future investments to make their systems more secure. Utilities can request the survey tool by contacting DOE. DOE also is offering facilitated self-evaluations on request.

The Department of Energy’s Electricity Subsector Cybersecurity Capability Maturity Model will help utilities assess their own level of cybersecurity readiness. Pacific Northwest National Laboratory

"Secure delivery of electricity is vital to our nation, and utilities play a vital role in ensuring that the power system is protected from cyber-attack," said Carl Imhoff, electricity infrastructure sector manager at the Department of Energy's Pacific Northwest National Laboratory. "By taking the survey, utilities of all types can gain additional insight into their respective level of cybersecurity. They can prioritize future investments in order to make their systems more secure," he said.

Spearheaded by the White House, DOE and a host of partners, including the Department of Homeland Security, Carnegie Mellon University's Software Engineering Institute, PNNL and others, the three-year ES-C2M2 initiative began in January 2012 with the goal of helping utilities develop a process and common model by which they can evaluate and understand their readiness to prepare for a host of cybersecurity issues. The PNNL team provided an advisory and developmental role in the ES-C2M2 effort.

The initiative team asked more than a dozen utilities involved in the pilot partnership to voluntarily test the model and survey, and evaluate the current state of maturity of the various pieces of their business on a maturity level indicator of zero to three, three being most mature. The investor-owned, cooperatives and municipal utilities rated themselves in the areas of assets (hardware and software), threats, access control, situational awareness, information sharing abilities, emergency response, supply chain, workforce management and cybersecurity program management. Based upon their findings, utilities can then prioritize next steps and investments in their own security.

For more than a decade, PNNL's Electricity Infrastructure research team has been working to advance the reliability and security of the nation's power system. The team has developed advanced algorithms, modeling capabilities and devices in its Electricity Infrastructure Operations Center that allows insight into the system in real-time, like never before. PNNL also developed the Secure Serial Communications Protocol, referenced in today's DOE announcement, which was subsequently integrated by Schweitzer Engineering Laboratories into a cryptographic card and link module. It allows asset owners to secure communications between remote devices and control centers and ensure that information comes from a trusted source and has not been altered in transit.

Understanding cybersecurity

The electricity industry increasingly relies on digital information about the power system to reduce costs, increase efficiency, and maintain reliability during the generation, transmission and distribution of electricity. An advanced power system, or smart grid, uses digital information flow, via advanced communications infrastructure, to inform producers and consumers of electricity how to operate more efficiently in order to meet growing demand for power and incorporate new sources of electricity.

"That flow of information in our power system must remain safe, private, secure, resilient and reliable — it must be cyber-secure," said Imhoff.

Click here to read the DOE announcement.