In February 2014, with input from the energy industry, the National Institute of Standards and Technology (NIST) released the “Framework for Improving Critical Infrastructure Cybersecurity” (CSF). The CSF provides industry with a risk-based approach for developing and improving cybersecurity programs.
It is a voluntary framework that provides a structure that energy and other organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs. The framework leverages and integrates industry-leading cybersecurity practices developed by organizations such as NIST and the International Organization for Standardization (ISO).
The NIST CSF comprises a risk-based compilation of guidelines that can help organizations identify, implement, and improve cybersecurity practices, and creates a common language for internal and external communication of cybersecurity issues. It provides an assessment mechanism that enables organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cybersecurity programs.
On May 31, 2012, the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) was released by the Department of Energy (DOE) in conjunction with the Department of Homeland Security (DHS) as a White House-supported initiative. The DOE C2M2 is a voluntary evaluation process, built on industry-accepted cybersecurity practices, that organizations can use to measure and improve the maturity of their cybersecurity capabilities. The C2M2 is designed to measure both the sophistication and the sustainment of a cybersecurity program, providing a roadmap for organizations to assess and address cybersecurity shortcomings. C2M2 also allows organizations to evaluate and plan cybersecurity projects while capturing the efficiencies that automation provides.
The model was identified, organized, and documented by energy sector subject matter experts from both public and private organizations.
In January 2015, DOE released the Energy Sector’s Cybersecurity Framework Implementation Guidance to help the energy sector establish or align existing cybersecurity risk management programs to meet the objectives of the CSF. C2M2 is DOE’s recommended implementation tool.
The two models allow organizations, regardless of size, degree of cyber risk or cybersecurity sophistication, to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.
Organizations can use these models to determine their current level of cybersecurity, set cybersecurity goals that are in sync with their business environment, and establish a plan for improving or maintaining their cybersecurity. The models also offer a methodology for protecting privacy and civil liberties, helping organizations incorporate those protections into a comprehensive cybersecurity program. This paper, written by SGIP with contributions from its members, discusses best practices, lessons learned and actionable innovations in implementing the NIST Cybersecurity Framework (CSF) and the Department of Energy Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2).
2015 Energy Industry Cybersecurity Report
Strategic Cybersecurity: A Toolkit for Prioritizing, Coordinating, and Transforming Your Cybersecurity Program