WASHINGTON -- As part of the Obama Administration’s commitment to protecting America’s critical energy infrastructure, U.S. Energy Secretary Steven Chu today announced the release of a new Cybersecurity Self-Evaluation Survey Tool for utilities that will strengthen protection of the nation’s electric grid from cybersecurity threats. Today’s announcement is part of a broader White House initiative to develop a Cybersecurity Capability Maturity Model for the electricity sector, which aims to support the private sector and utilities nationwide in determining their current cybersecurity resources and identifying additional steps to help strengthen their defenses.
“Strengthening cybersecurity of the nation’s electric grid is a shared responsibility that requires constant vigilance, commitment, and cooperation among the public and private sectors,” said Secretary Chu. “The new Cybersecurity Self-Evaluation Survey Tool for utilities is vitally important in today’s environment where new cyber threats continue to emerge. Adoption by the electric sector will further protect critical infrastructure and, at the same time, provide an invaluable view of the industry’s cybersecurity capabilities.”
The Cybersecurity Self-Evaluation Tool utilizes best practices that were developed for the Electricity Subsector Cybersecurity Capability Maturity Model Initiative, which involved a series of workshops with the private sector to draft a maturity model that can be used throughout the electric sector to better protect the grid. Maturity models, which rely on best practices to identify an organization’s strengths and weaknesses, are widely used by other sectors to improve performance, efficiency and quality.
The development of the Cybersecurity Capability Maturity Model was led by the Energy Department in partnership with the Department of Homeland Security (DHS) and in close collaboration with industry, other Federal agencies, Carnegie Mellon University’s Software Engineering Institute, and other stakeholders. More than a dozen utilities nationwide participated in pilot evaluations to help refine the model.
The Cybersecurity Self-Evaluation Tool itself helps electric utilities and grid operators identify opportunities to further develop their own cybersecurity capabilities by posing a series of questions that focus on areas including situational awareness and threat and vulnerability management. A report is then generated that can be used to identify potential gaps and score the organization’s cybersecurity capabilities.
It is recommended that utilities then develop a prioritized plan of action for addressing gaps, conduct evaluations periodically to track their progress with improving their cybersecurity capabilities, and consider additional evaluations when major changes occur in the business, technology or threat environments. Utilities that choose to provide their anonymous self-assessment results to the Energy Department will receive reports with anonymous benchmarking results of all utilities participating in the “opt-in” program.
The Maturity Model is available online. Utilities can request the Cybersecurity Self Evaluation Survey Tool by contacting the Energy Department at ES-C2M2@hq.doe.gov. The Energy Department is also offering facilitated self-evaluations on request.
The Energy Department has a long history of working closely with Federal partners, including DHS, on cybersecurity of the North American electric grid. The Cybersecurity Maturity Model and Self Evaluation Survey Tool align with the Roadmap to Achieve Energy Delivery Systems Cybersecurity which was developed by industry, facilitated by the Energy Department, and released in September 2011. The Roadmap provides a strategic framework to achieve the vision that, over the next decade, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions.