Tool to help utilities strengthen their cybersecurity capabilities released in U.S.


Steven Chu,
U.S. Energy
Washington, DC, U.S.A. — (METERING.COM) — June 29, 2012 – A new Cybersecurity Self-Evaluation Survey Tool for utilities to assist them in determining their cybersecurity status has been released by the U.S. Department of Energy.

The tool is part of a broader White House initiative to develop a Cybersecurity Capability Maturity Model for the electricity sector (ES-C2M2), which aims to support the private sector and utilities in determining their cybersecurity resources and identifying additional steps to help strengthen their defenses.

“Strengthening cybersecurity of the nation’s electric grid is a shared responsibility that requires constant vigilance, commitment, and cooperation among the public and private sectors,” said Energy Secretary Steven Chu. “The new Cybersecurity Self-Evaluation Survey Tool is vitally important in today’s environment where new cyber threats continue to emerge.”
The development of the Cybersecurity Capability Maturity Model was led by the DOE in partnership with the Department of Homeland Security (DHS) and in close collaboration with the industry and other organizations including Carnegie Mellon University’s Software Engineering Institute. More than a dozen utilities nationwide participated in pilot evaluations to help refine the model.
The Cybersecurity Self-Evaluation Tool poses a series of questions that focus on areas including situational awareness and threat and vulnerability management. A report is then generated that can be used to identify potential gaps and score the organization’s cybersecurity capabilities.

Utilities are then recommended to develop a prioritized plan of action for addressing gaps, to conduct evaluations periodically to track their progress with improving their cybersecurity capabilities, and to consider additional evaluations when major changes occur in the business, technology or threat environments. Utilities may provide their anonymous self-assessment results to the Energy Department and will receive reports with anonymous benchmarking results of all participating utilities.

The tool is available on request to the DOE, which is also offering facilitated self-evaluations on request. Its release follows the earlier release of a cybersecurity risk management guideline and the availability online of the ES-C2M2.

It also follows just a day after security advisors SecureState announced the forthcoming public release in mid-July of its Termineter open source smart meter hacking framework. The tool, which is based on the ANSI C12.18 and ANSI C12.19 standards and excludes any vendor specific information, allows users to test smart meters for vulnerabilities such as energy consumption fraud, network hijacking, and more. The goal of the release, the company said, is to promote security awareness for smart meters and provide a tool that brings basic testing capabilities to the community and meter manufactures so that security can be improved. Power companies can use the framework to identify and validate internal flaws that leave them susceptible to fraud and significant vulnerabilities.