The US Department of Energy today announced what it calls an "Electric Sector Cybersecurity Risk Management Maturity" project that will let utility companies and grid operators measure their current capabilities and analyze gaps in their cyber defenses. Maturity models, the DOE stated, rely on best practices to identify an organization's strengths and weaknesses, are widely used by other sectors to improve performance, efficiency and quality.
More on power: 15 cool energy projects of 2011
The initiative, which will involve officials from the Energy Department, the White House, the Department of Homeland Security and key utility companies will over the next several months draft a maturity model that can be used throughout the electric sector.
More than a dozen electric utilities and grid operators are expected to participate in the pilot program to test the model, assess its effectiveness and validate results. This program will help develop a risk management maturity model that is expected to be made available to the electric sector later this summer, the DOE stated.
"Establishing a comprehensive cybersecurity approach will give utility companies and grid operators another important tool to improve the grid's ability to respond to cybersecurity risks." said U.S. Energy Secretary Steven Chu in a statement.
The move builds on other tactics the DOE and other government entities are developing to try to better protect the nation's vulnerable grid.
For example the DOE in September issued a roadmap that defined key challenges to building a secure energy infrastructure. In that report the DOE noted that Over the next five years, energy companies will face a critical shortage of engineers and skilled craft workers. For example, about 45% of engineers-7,000 in electric utilities alone-are predicted to retire or leave for other reasons. Compounding that, two to three times more power engineers may be needed to satisfy the needs of the entire economy and future operations will require broader skill sets than those prevalent today," the report states.
Keeping key people is just one of the many challenges to building what the DOE calls a culture of security. From the report:
- § Limited knowledge, training, understanding, and appreciation of energy delivery systems security risks inhibits security actions within the energy sector. There is also an incomplete understanding of the cost of decisions and system resilience in terms of failure modes and vulnerabilities. Current risk assessment capabilities fall short of determining the effects of each cost decision on system resilience in terms of failure modes and vulnerabilities.
- § While standards have helped to raise security to a baseline level across the energy sector, some standards remain unclear or too broad, or may have prompted utilities to use less advanced security measures to meet requirements. In addition, a rapidly changing risk environment means standards compliance today may not be sufficient tomorrow.
- § Improving security comes at a cost, and demonstrating direct line benefits to an energy organization is difficult. Without the occurrence of a catastrophic cyber incident or a strong business case, public and private partners will continue to have limited time and/or resources to invest in partnership efforts.
- § The increasing sophistication of cyber intrusion tools and complexity of energy delivery systems makes it difficult for asset owners and operators to recognize an incident once it is under way. The use of automated intrusion detection systems and applications have the potential to introduce serious operational issues.
- § Executives, the public, and even organizations within the utility still lack a full understanding of energy delivery system vulnerabilities and the potential consequences of an incident. The limited exchange of threat and incident information prevents the sector from compiling the evidence it needs to build a compelling business case to increase private investment in energy delivery systems security. Credible, actionable, and timely information is also essential to ensuring that the energy sector can adequately mitigate energy delivery system vulnerabilities before adversaries can exploit them.
- § Belief that security standard compliance is sufficient for cybersecurity of energy delivery systems inhibits adoption of additional security measures
- § Secure coding practices are not uniformly enforced
- § Patching/fixing vulnerabilities in energy delivery systems can create new cyber risks
In December my colleague Ellen Messmer noted that since the year 2000, the Department of Homeland Security (DHS) has encouraged states and cities to establish so-called "Fusion Centers" to operate under local control and collect information from the likes of power companies and water utilities about incidents that might have national-security implications. There are now 72 of these Fusion Centers in the U.S., which vary in their practices, according to DHS.
Those observations were from a Network World story that told of the controversy surrounding a reported cyber attack on an Illinois water plant. When one of those centers, the Illinois Statewide Terrorism and Intelligence Center (STIC), issued a brief report on Nov. 10 titled "Public Water District Cyber Intrusion," it led to a firestorm of controversy, putting what has been a secretive reporting system in the harsh glare of the public spotlight, and highlighting the intrinsic weakness in the way the U.S. critical-infrastructure incident reporting system works today.
It is these types of challenges facing the DOE and others involved with protecting critical infrastructures.
Follow Michael Cooney on Twitter: nwwlayer8 and on Facebook
Layer 8 Extra
Check out these other hot stories:
NASA on 2012: It's really NOT the end of the world as we know it
The weirdest, wackiest and coolest sci/tech stories of 2011
Murder, IT security and other mysteries: The stories of Layer 8 in 2011
Picture this: Steve Jobs gets bronzed
11 cool robots you may not have heard of
From Anonymous to Hackerazzi: The year in security mischief-making