Communications Daily is a service of Warren Communications News.
‘More Collaborative Environment’

Use Electricity ‘Maturity’ Model for Cybersecurity Solutions, Officials Say

Cybersecurity solutions that rely on collaboration between the federal government and the private sector should look to the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), officials said on a Tuesday panel on public-private cybersecurity solutions. The ES-C2M2, released earlier this year (http://xrl.us/bn3rmo), is a collaborative effort from the White House, the departments of Energy and Homeland Security and private companies to identify cybersecurity weaknesses, strengths and priorities and provide best practices for electric grid operators and utility companies. The ES-C2M2 allows the federal government and private companies “to understand what capabilities are really required to be able to manage the dynamic threats to the grid,” said Samara Moore, White House cybersecurity director for critical infrastructure within the National Security Staff.

The program succeeded because it “wasn’t government in a vacuum,” Moore said. By working together, she said, the federal agencies and private companies were able to utilize solutions and processes that already existed. “We were able to come up with a product that worked because we weren’t starting from scratch,” she said, calling national cybersecurity “one of the administration’s enduring priorities.” Moore credited part of the program’s success to its involvement of top-level employees at participating companies. “By starting this at the senior executive level, we really have raised ... awareness throughout the enterprise,” she said. Because of collaborative efforts like these, she said, cybersecurity is “beginning to be viewed as one of the critical risks” for organizations.

The ES-C2M2 “was really designed to align with the organization’s mission and business objectives,” Moore said. Evaluating and enhancing cybersecurity benefits the government and the companies, agreed Matthew Light, ES-C2M2 and risk management plan program manager within the Office of Electricity Delivery and Energy Reliability at the Department of Energy. Much like the electricity companies, “we want to deliver electric power. That’s what’s important,” he said. “And cybersecurity is an important piece to ensuring and enabling that activity to occur.”

This kind of collaborative approach replaces the typical back-and-forth dialogue between federal government and industry members, Light said. Typically “the government, quite honestly, comes to the table and says, ‘you need to do a better job,’” he said, while companies need specific guidance on what to do. Companies “needed to get our concerns up front,” said Mark Engels, enterprise technology security and compliance director at Dominion, an ES-C2M2 participating power company. “Now we’ve moved to a more collaborative environment” because of the ES-C2M2, he said.

Engaging with state governments is “a challenge,” said Light. “We have to be very cautious about not overstepping our bounds” in navigating federal, state and local government cybersecurity goals and plans, he said. “It’s a challenging process, in a country as large as ours,” to engage all the stakeholders, Light said. Moore said state governments were involved “early on” in the process and are getting more involved now. State involvement “was one of the key recommendations that we got from the leadership” in companies, she said. States are “one of the stakeholder groups that we would try to bring into that conversation,” said Thad Odderstol, program director of the Critical Infrastructure Protection Cyber Security Program within the Department of Homeland Security.

The ES-C2M2 “really provides a common framework to have a discussion about cybersecurity,” Light said. Moore said the administration is working with DHS and industry partners to look at how the framework established in the ES-C2M2 can be applied to other sectors.