Electricity Subsector Cybersecurity Capability Maturity Model Case Study


The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), which allows electric utilities and grid operators to assess their cybersecurity capabilities and prioritize their actions and investments to improve cybersecurity, combines elements from existing cybersecurity efforts into a common tool that can be used consistently across the industry. The ES-C2M2 was developed as part of a White House initiative led by the Department of Energy in partnership with the Department of Homeland Security (DHS) and involved close collaboration with industry, other Federal agencies, and other stakeholders. This presentation covers a real world “case study” of how this ES-C2M2 work can easily be adapted to improve cyber security at your organization.

  • We can’t regulate our way out of this.
  • Domains serve as large groupings of practices by knowledge area (example: Situational Awareness). Objectives are groupings of practices similar in the type of activity they describe (example: practices having to do with monitoring). Maturity Indicator Levels are groupings of practices similar in their level of sophistication or maturity; MILs got their name because they do not describe cybersecurity exactly, but instead provide an indication of the level of maturity of an organization's cybersecurity activities. Practices are the activities performed in support of an organization's cybersecurity objectives.
  • You may notice the last objective has the words "common objective" next to it in parentheses. This is something you will see in each domain. The last objective describes the actions taken to manage activities within the domain, i.e., how much the domain has become a part of the organization. This is referred to in the model as "institutionalization". The more ingrained a practice is in the organization, the more likely it is to be continued over time, when talented people leave or in times of stress. The other three objectives provide a snapshot of the maturity of practices at any single point in time.
  • 11 practices all having to do with monitoring
  • Each ring has a total score, and each section of the ring includes a numerical rating per color. For example, Risk MIL 1 has a rating of 2 with a total "green" score of 1+1=2, i.e., fully implemented. Cyber MIL 3 has a rating of 31 with a "green" score of 26 and a "red" score of 5, indicating largely implemented with areas needing improvement. The ratings for each ring are weighted scores, based on the model.
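The notes above describe the model's structure (domain, objective, MIL, practice) and the per-cell scoring the rings display. The following is an added Python example, not code from the presentation or the DOE self-evaluation tool, that builds that structure and scores it. It assumes the model's achievement rule as applied here: a domain reaches MIL n only when every practice at MIL n and at every lower MIL is rated Fully or Largely Implemented, so a cell with any "red" practices does not achieve its level (the deck's rings, by contrast, show weighted per-cell scores). The three "Monitor the Function" practices are quoted from slide 10; every other practice text, and every rating, is a constructed sample.

```python
"""Toy ES-C2M2 scorer: domain -> objective -> MIL -> practice.

Added example for illustration; not the DOE self-evaluation tool.
Practice texts other than the three 'Monitor the Function' practices
quoted in the deck are constructed samples, as are all ratings.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Rating(Enum):
    NOT = "Not implemented"
    PARTIALLY = "Partially implemented"
    LARGELY = "Largely implemented"
    FULLY = "Fully implemented"


# Assumption (the model's achievement rule as applied here): a practice
# counts toward a MIL only when it is Fully or Largely implemented.
CREDITED = {Rating.FULLY, Rating.LARGELY}


@dataclass(frozen=True)
class Practice:
    domain: str      # short name, e.g. "SITUATION"
    objective: str
    mil: int         # 1, 2 or 3
    text: str
    rating: Rating


def cell(practices, domain, mil):
    """All practices in one domain at one MIL (one segment of a scoring ring)."""
    return [p for p in practices if p.domain == domain and p.mil == mil]


def tally(practices, domain, mil):
    """Per-rating counts for one cell, e.g. {FULLY: 1, LARGELY: 1}."""
    return Counter(p.rating for p in cell(practices, domain, mil))


def achieved_mil(practices, domain):
    """Highest MIL reached under the cumulative rule: MIL n is achieved only
    if every practice at MIL n and at every lower MIL is credited.
    A domain with no MIL-1 practices scores 0."""
    level = 0
    for mil in (1, 2, 3):
        c = cell(practices, domain, mil)
        if not c or not all(p.rating in CREDITED for p in c):
            break
        level = mil
    return level


def gap_to_target(practices, domain, target_mil):
    """Practices that must be raised to Fully/Largely to reach target_mil:
    the 'actual vs. desired' list a utility would prioritize."""
    return [p for p in practices
            if p.domain == domain and p.mil <= target_mil
            and p.rating not in CREDITED]


def report(practices, targets):
    """targets: {domain: desired MIL}.
    Returns {domain: (achieved MIL, desired MIL, number of open practices)}."""
    return {d: (achieved_mil(practices, d), t, len(gap_to_target(practices, d, t)))
            for d, t in targets.items()}


# Constructed sample assessment. The SITUATION MIL1-3 'Monitor the Function'
# texts are from slide 10; the rest are placeholders, and ratings are made up.
SAMPLE = [
    Practice("SITUATION", "Perform Logging", 1,
             "Logging is performed for key assets (constructed)", Rating.FULLY),
    Practice("SITUATION", "Monitor the Function", 1,
             "Cybersecurity monitoring activities are performed "
             "(e.g., periodic reviews of log data)", Rating.LARGELY),
    Practice("SITUATION", "Monitor the Function", 2,
             "Alarms and alerts are configured to aid the identification "
             "of cybersecurity events", Rating.PARTIALLY),
    Practice("SITUATION", "Monitor the Function", 3,
             "Continuous monitoring is performed across the operational "
             "environment to identify anomalous activity", Rating.NOT),
    Practice("RISK", "Establish Cybersecurity Risk Management Strategy", 1,
             "A risk management strategy exists (constructed)", Rating.FULLY),
    Practice("RISK", "Manage Cybersecurity Risk", 1,
             "Cybersecurity risks are identified (constructed)", Rating.FULLY),
    Practice("RISK", "Manage Cybersecurity Risk", 2,
             "Identified risks are analyzed and prioritized (constructed)",
             Rating.LARGELY),
    Practice("RISK", "Manage Cybersecurity Risk", 3,
             "Risk analysis is periodically reviewed (constructed)",
             Rating.PARTIALLY),
]

if __name__ == "__main__":
    # SITUATION reaches MIL 1 only: the MIL 2 alerting practice is partial.
    # RISK reaches MIL 2: MIL 3 has a partially implemented practice.
    for domain, (have, want, open_count) in report(
            SAMPLE, {"SITUATION": 2, "RISK": 3}).items():
        print(f"{domain}: achieved MIL {have}, desired MIL {want}, "
              f"{open_count} practice(s) to close")
        for p in gap_to_target(SAMPLE, domain, want):
            print(f"  MIL{p.mil} [{p.rating.value}] {p.text}")
```

Running it lists, per domain, the achieved versus desired MIL and the practices standing between them; the slide-15 note that not every domain needs to be at MIL 3 is what the `targets` argument captures, since a utility sets the desired MIL per domain from its risk profile rather than aiming every ring at 3.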
    1. Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) Case Study
       Benjamin Beberness, Snohomish County PUD
       John Fry, ICF International
       Snohomish County PUD Initial Facilitated Assessment, August 2012
    2. ES-C2M2 Background & Overview
       • Challenge: Develop capabilities to manage dynamic threats and understand the cybersecurity posture of the grid
       • Approach: Develop a maturity model and self-evaluation survey to develop and measure cybersecurity capabilities
       • Results: A scalable, sector-specific model created in partnership with industry
       ES-C2M2 Objectives:
       • Strengthen cybersecurity capabilities
       • Enable consistent evaluation and benchmarking of cybersecurity capabilities
       • Share knowledge and best practices
       • Enable prioritized actions and cybersecurity investments
       ES-C2M2 Case Study
    3. Why Create a Maturity Model?
       "If you want to build a ship, don't herd people together to collect wood and don't assign tasks and work, but rather, teach them to long for the endless immensity of the sea." – Antoine de Saint-Exupéry
    4. Why Create a Maturity Model?
       • Tool for utilities (as opposed to regulation from Government)
       • Helps answer questions:
         – Where are we?
         – Where do we go?
         – How do we get there?
    5. ES-C2M2 Domains
       • Domains are logical groupings of cybersecurity practices
       • Each domain has a short name for easy reference
       Domains shown (short name in capitals): Risk Management (RISK); Asset, Change, and Configuration Management (ASSET); Identity and Access Management (ACCESS); Threat and Vulnerability Management (THREAT); Situational Awareness (SITUATION); Information Sharing and Communications (SHARING); Event and Incident Response, Continuity of Operations (RESPONSE); Supply Chain and External Dependencies Management (DEPENDENCIES); Workforce Management (WORKFORCE); Cybersecurity Program Management (CYBER)
    6. Model Architecture
       Diagram: a Domain contains Objectives (Objective 1, Objective 2); each Objective contains Maturity Indicator Levels (MIL 1, MIL 2); each MIL contains Practices (Practice 1, Practice 2).
    7. Example: Objectives
       Situational Awareness: 4 Objectives
       1. Perform Logging – MIL1, MIL2, MIL3
       2. Monitor the Function – MIL1, MIL2, MIL3
       3. Establish and Maintain a Common Operating Picture – MIL1, MIL2, MIL3
       4. Manage SITUATION Activities (common objective) – MIL1, MIL2, MIL3
    8. Example: Practice Maturity Progression (figure only)
    9. Example: Practice Maturity Progression (figure only)
    10. Example: Practice Maturity Progression
       Situational Awareness, "Monitor the Function":
       • MIL1 – Cybersecurity monitoring activities are performed (e.g., periodic reviews of log data)
       • MIL2 – Alarms and alerts are configured to aid the identification of cybersecurity events
       • MIL3 – Continuous monitoring is performed across the operational environment to identify anomalous activity
    11. The Model at a Glance
       • Maturity Indicator Levels: defined progressions of practices
         X – Reserved (a maturity indicator level reserved for future use)
         3 – Managed
         2 – Performed
         1 – Initiated
         0 – Not Performed
       • 10 model domains: logical groupings of cybersecurity practices (RISK, ASSET, ACCESS, THREAT, SITUATION, SHARING, RESPONSE, DEPENDENCIES, WORKFORCE, CYBER)
       • Each cell of the grid contains the defining practices for the domain at that maturity indicator level
    12. Using the Evaluation Results (figure only)
    13. Using the Evaluation Results (figure only)
    14. Assessed Domains
       • Enterprise versus functional area
       • Assessed domains:
         – Risk Management (RISK)
         – Asset, Change, and Configuration Management (ASSET)
         – Identity and Access Management (ACCESS)
         – Threat and Vulnerability Management (THREAT)
         – Situational Awareness (SITUATION)
         – Information Sharing and Communications (SHARING)
         – Event and Incident Response, Continuity of Operations (RESPONSE)
         – Supply Chain and External Dependencies Management (DEPENDENCIES)
         – Workforce Management (WORKFORCE)
         – Cybersecurity Program Management (CYBER)
    15. SNOPUD Relative Scoring
       [Chart: scores per domain (Situation, Dependencies, Sharing, Asset, Response, Cyber, Risk, Access, Threat, Workforce) at MIL1, MIL2 and MIL3; legend: Fully implemented, Largely implemented, Partially implemented, Not implemented. The individual cell values are not recoverable from the extracted text.]
       Maturity Indicator Level (MIL) 1 through 3 indicate the stage of implementation of the domain, with 1 indicating there is room for improvement and 3 indicating it is fully implemented with very little room for improvement. Not all domains for every organization need to be at MIL 3. Many organizations, based on their risk profile, may have an adequate program at MIL 1.
    16. Assessment Results
       • No surprises – areas needing improvement were known
       • Facilitators were very objective
       • Areas for improvement include risk management and log management, and areas of asset management
       • Areas where program elements are in place include areas of asset management, access control (policy), threat/vulnerability management, sharing and managing information, threat response, dependencies, workforce management, and cyber program management
       • The assessment provided quantitative guidance for program improvement:
         – Review individual function areas (Generation, Water, T&D)
         – Determine the individual as well as the functional domain target maturity goals
         – Prioritize objectives in the overall cyber security program
    17. Notional Sample Report: Actual vs. Desired Score (figure only)
    18. ES-C2M2 – Next Steps
       • Share best practices within the sector
       • Identify approaches for capability development
       • Discussion opportunities created
       • Develop anonymous aggregated benchmarking data
       • R&D investment needs identified by result data
       • Access to online training tools
    19. Next Steps
       • Data collection
         – ES-C2M2 compartment within US-CERT Portal
         – PCII protections
         – Projected timeline
       • Data analytics
       • Benchmark data
    20. Notional Sample Comparison Report (figure only)
    21. Links
       ES-C2M2 Model: http://energy.gov/oe/downloads/electricity-subsector-cybersecurity-capability-maturity-model-may-2012
       ES-C2M2 Self-Evaluation Tool requests, questions, or requests for facilitation: ES-C2M2@doe.gov
    22. For questions or feedback please contact ES-C2M2@HQ.DOE.GOV
       THANK YOU
    24. ES-C2M2 Domain Descriptions
       Risk Management (RISK): Establish, operate, and maintain an enterprise cybersecurity risk management program to identify, analyze, and mitigate cybersecurity risk to the organization, including its business units, subsidiaries, related interconnected infrastructure, and stakeholders. RISK comprises three objectives:
         1. Establish Cybersecurity Risk Management Strategy
         2. Manage Cybersecurity Risk
         3. Manage RISK Activities
       Asset, Change, and Configuration Management (ASSET): Manage the organization's operations technology (OT) and information technology (IT) assets, including both hardware and software, commensurate with the risk to critical infrastructure and organizational objectives. ASSET comprises four objectives:
         1. Manage Asset Inventory
         2. Manage Asset Configuration
         3. Manage Changes to Assets
         4. Manage ASSET Activities
    25. ES-C2M2 Domain Descriptions
       Identity and Access Management (ACCESS): Create and manage identities for entities that may be granted logical or physical access to the organization's assets. Control access to the organization's assets, commensurate with the risk to critical infrastructure and organizational objectives. ACCESS comprises three objectives:
         1. Establish and Maintain Identities
         2. Control Access
         3. Manage ACCESS Activities
       Threat and Vulnerability Management (THREAT): Establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities, commensurate with the risk to the organization's infrastructure (e.g., critical, IT, operational) and organizational objectives. THREAT comprises three objectives:
         1. Identify and Respond to Threats
         2. Reduce Cybersecurity Vulnerabilities
         3. Manage THREAT Activities
    26. ES-C2M2 Domain Descriptions
       Situational Awareness (SITUATION): Establish and maintain activities and technologies to collect, analyze, alarm, present, and use power system and cybersecurity information, including status and summary information from the other model domains, to form a common operating picture (COP), commensurate with the risk to critical infrastructure and organizational objectives. SITUATION comprises four objectives:
         1. Perform Logging
         2. Monitor the Function
         3. Establish and Maintain a Common Operating Picture
         4. Manage SITUATION Activities
       Information Sharing and Communications (SHARING): Establish and maintain relationships with internal and external entities to collect and provide cybersecurity information, including threats and vulnerabilities, to reduce risks and to increase operational resilience, commensurate with the risk to critical infrastructure and organizational objectives. SHARING comprises two objectives:
         1. Share Cybersecurity Information
         2. Manage SHARING Activities
    27. ES-C2M2 Domain Descriptions
       Event and Incident Response, Continuity of Operations (RESPONSE): Establish and maintain plans, procedures, and technologies to detect, analyze, and respond to cybersecurity events and to sustain operations throughout a cybersecurity event, commensurate with the risk to critical infrastructure and organizational objectives. RESPONSE comprises five objectives:
         1. Detect Cybersecurity Events
         2. Escalate Cybersecurity Events
         3. Respond to Escalated Cybersecurity Events
         4. Plan for Continuity
         5. Manage RESPONSE Activities
       Supply Chain and External Dependencies Management (DEPENDENCIES): Establish and maintain controls to manage the cybersecurity risks associated with services and assets that are dependent on external entities, commensurate with the risk to critical infrastructure and organizational objectives. DEPENDENCIES comprises three objectives:
         1. Identify Dependencies
         2. Manage Dependency Risk
         3. Manage DEPENDENCIES Activities
    28. ES-C2M2 Domain Descriptions
       Workforce Management (WORKFORCE): Establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel, commensurate with the risk to critical infrastructure and organizational objectives. WORKFORCE comprises five objectives:
         1. Assign Cybersecurity Responsibilities
         2. Control the Workforce Lifecycle
         3. Develop Cybersecurity Workforce
         4. Increase Cybersecurity Awareness
         5. Manage WORKFORCE Activities
       Cybersecurity Program Management (CYBER): Establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for the organization's cybersecurity activities in a manner that aligns cybersecurity objectives with the organization's strategic objectives and the risk to critical infrastructure. CYBER comprises five objectives:
         1. Establish Cybersecurity Program Strategy
         2. Sponsor Cybersecurity Program
         3. Establish and Maintain Cybersecurity Architecture
         4. Perform Secure Software Development
         5. Manage CYBER Activities