© 2013 IBM Corporation
Energy Sector Security Metrics overview
June 2013
You can't manage what you can't measure, right?
So what can we work on here?
– Security metrics
Security metrics in the news
“Governance with Metrics is Risk Management”
IBM Security Systems
Risks utilities manage today
Very well indeed:
– Economic
– Supply chain
– Theft
– Commodities price
– Storms and weather
– Regulatory
– Arboreal
Less well:
– Cybersecurity
Security Metrics start
For starters: business alignment
– Security Measurement Prerequisites/Preliminary Steps
• Identify your key / most critical business processes
• Understand the threat scenarios to those processes
• Identify the key controls for the threats to those processes
• Once you have these three things, you can establish what to measure
– Initial Security Metrics Categories
• Organization and People
• Data
• Applications
• Infrastructure
• Security Intelligence/Situational Awareness
• Resilience
3 Characteristics of Good Metrics:
1. Easy to Get
2. Easy to Understand
3. Easy to Share
Metrics start (cont.)
People and Organization
– Is there a security governance board?
– Who is the highest ranking person in the company with security in their title and ...
– Do they have authority to set and enforce security policy enterprise-wide?
– % completing refresher training course
– # or % phishing events (how many employees clicked on dangerous links)
– % of key employees using social media and/or portable media BYOD devices
– Help Desk stats/measures: security-related tickets called in, such as:
  -- # of locked/forgotten password/malware infection tickets
  -- # of tickets resolved
  -- # of tickets still open and under investigation
Applications
– Does the company have a current inventory of all the applications (built and bought) it depends on?
– Access controls:
  -- # of applications using multi-factor authentication
  -- # of applications using web security (HTTPS, TLS/SSL)
– % of applications in portfolio scanned for security vulnerabilities in the year
– Of apps scanned, avg # of high severity vulnerabilities per million lines of code
– Time between application vulnerability awareness and patching
Infrastructure
– IT/OT downtime for planned security updates
– IT/OT downtime for unplanned security tasks
– # of infected PCs, phones, meters, etc. detected and cleansed
– Time between system vulnerability notice and patching or mitigation
Data
– % critical databases protected
– % total databases protected
– Data loss related incidents:
  -- # of lost/stolen devices (e.g., unencrypted laptops, smart phones, USB drives)
  -- # of unauthorized data disclosures
  -- # of data loss near misses
– % of system administrators with access to root or PII information without audit capabilities
Security Situational Awareness
– % of critical IT/OT systems instrumented ... logs being continuously analyzed
– % of network segments protected by firewalls and IDS/IPS
– % up-time and availability of network against DDoS and other network attacks
– # of ICS-CERT alerts relevant to client
Resilience
– # of security and/or privacy breach exercises per year
– Performance of teams re: incident response, rapid recovery, forensics, etc.
– Maturity capability rating of people, processes and technologies performing the key controls for both of the above
– # of critical servers/databases with (and without) root password and key escrow
Submitted to NIST March 2013:
http://csrc.nist.gov/cyberframework/rfi_comments/ibm_security_systems_031913.pdf
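Several of the metrics above (% critical/total databases protected, time between vulnerability notice and patching or mitigation) only become "easy to get" once each one has a single, reproducible definition computed from inventory records. The following is an added example, not code from the IBM deck or the NIST submission, that computes those metrics from constructed sample records; the `Database`/`Vulnerability` fields, the "protected" criterion and the 14-day SLA are assumptions for illustration.

```python
"""Added example: compute a few of the slide's metrics from inventory records.
Record types, field meanings and sample data are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional

@dataclass
class Database:
    name: str
    critical: bool
    protected: bool   # assumption: encrypted at rest and activity-monitored

@dataclass
class Vulnerability:
    system: str
    severity: str
    notified: date              # date the vulnerability notice was received
    remediated: Optional[date]  # patch or mitigation date; None = still open

def pct(numerator: int, denominator: int) -> float:
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0

def pct_databases_protected(dbs: List[Database], critical_only: bool) -> float:
    """'% critical databases protected' (critical_only=True) or '% total'."""
    pool = [d for d in dbs if d.critical or not critical_only]
    return pct(sum(d.protected for d in pool), len(pool))

def mean_days_to_remediate(vulns: List[Vulnerability], severity: str) -> Optional[float]:
    """'Time between system vulnerability notice and patching or mitigation',
    averaged over closed findings of one severity; None if none are closed yet."""
    days = [(v.remediated - v.notified).days for v in vulns
            if v.severity == severity and v.remediated is not None]
    return mean(days) if days else None

def open_past_sla(vulns: List[Vulnerability], as_of: date, sla_days: int) -> List[str]:
    """Systems with open findings older than the remediation SLA as of a date."""
    return [v.system for v in vulns
            if v.remediated is None and (as_of - v.notified).days > sla_days]

# Constructed sample records (names and dates are illustrative only).
DBS = [Database("billing", True, True), Database("scada-historian", True, False),
       Database("hr", False, True), Database("wiki", False, True)]
VULNS = [Vulnerability("billing-web", "high", date(2013, 1, 10), date(2013, 1, 25)),
         Vulnerability("rtu-gateway", "high", date(2013, 2, 1), date(2013, 3, 3)),
         Vulnerability("hmi-01", "high", date(2013, 2, 20), None),
         Vulnerability("wiki", "low", date(2013, 2, 20), date(2013, 2, 22))]
```

On the sample data this yields 50% of critical databases protected versus 75% overall, a 22.5-day mean time to remediate high-severity findings, and one OT system (hmi-01) open past a 14-day SLA as of 15 March 2013.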
2012 CISO Study
A measurement movement is forming
– DOE's Electricity Subsector Cybersecurity Maturity Model (June 2012)
• Metrics for utilities to use to baseline and gauge effectiveness
– DOE's Electricity Subsector Risk Management Process (May 2012)
• Help translating cybersecurity into a risk management framework
– NARUC's Cybersecurity for State Regulators (June 2012, Feb 2013 update)
• Questions utilities will be asked by their state public utility commissions
– NIST's NISTIR 7628 Assessment Guide (Aug 2012)
– NRECA's Guide to Developing a Cybersecurity and Risk Mitigation Plan (June 2011)
Demand for metrics rising
US:
– Presidential EO and NIST Critical Infrastructure Cybersecurity Framework working group
– DOE's Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
– California PUC
Rest of World:
– Europe
– Asia
– Australia
Security Governance guidance for utilities
1. Security as risk management
2. A fully integrated security enterprise
3. Security by design
4. Business-oriented security metrics and measurement
5. Change that begins at the top
6. IBM's 10 essential security actions
Andy Bochman
bochman@us.ibm.com
+1 781 962 6845
E&U/Crit Infra Security Metrics Team
Steve Dougherty
sdougherty@us.ibm.com
+1 916 467 7052
SWG/Security E&U Services
and Cross-brand
GBS E&U CoC
ibm.com/energy
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.