New DoE Guidance Sets Out Goals for Cyber Defense

There is new guidance in town. It is called the Electricity Subsector Cybersecurity Capability Maturity Model, and it was written by representatives of the electric industry as well as the government. The model is a White House initiative, and its overall goal is to encourage the electrical subsector, a vital part of our national infrastructure, to make cybersecurity a top priority. Any data, such as network vulnerabilities and attacks that have occurred, will be given anonymously, in the hope that electrical utilities will be more forthcoming with such sensitive information.

The new Department of Energy (DoE) guidance was written to support the ongoing development of the electricity subsector's cybersecurity capabilities, as well as to provide a measure of them. This is accomplished through four objectives, according to a report by http://energy.gov.

  • Objective 1: The most important objective is to strengthen the cybersecurity abilities within the electricity subsector.
  • Objective 2: It is also crucial to allow for the benchmarking and consistent evaluation of cybersecurity capabilities.
  • Objective 3: Likewise, it is of prime importance to share any knowledge gathered, both to develop best practices industrywide and to serve as a reference point with which to improve overall cybersecurity.
  • Objective 4: Finally, the model is meant to allow for the prioritization of investments and actions to improve cybersecurity. In this way electrical utilities are given leeway in how they develop their cybersecurity plan to fit their own circumstances.

Furthermore, the guidance supports the implementation of a cybersecurity governance board that would oversee the cybersecurity efforts of the electrical utilities. Each company taking part would elect an executive for the position of senior executive for cybersecurity, who would report to the company’s board. This, in turn, would put a member of senior management in the know when it comes to cybersecurity, an area that is often misunderstood by many top executives.

Over 90 pages long, the DoE guidance states the hope that each individual utility will eventually adopt a vice president of cybersecurity. This executive will develop and oversee a sound cybersecurity strategy. Once approved by the top executives at a company, this information will be shared between the various electrical utilities taking part, leading to better cybersecurity for all. This initiative is a White House response to the failure of legislatures to enact any type of comprehensive bill that deals directly with the cybersecurity of our nation’s vital infrastructure.

For more information about the Electricity Subsector Cybersecurity Capability Maturity Model, visit:

  • http://energy.gov/sites/prod/files/Electricity%20Subsector%20Cybersecurity%20Capabilities%20Maturity%20Model%20%28ES-C2M2%29%20-%20May%202012.pdf
  • http://computerworld.co.nz/news.nsf/security/dept-of-energy-wants-electric-utilities-to-create-cybersecurity-governance-board