A White House effort to improve the cybersecurity of the nation’s commercial power grid could soon be expanded to other critical sectors, such as transportation and water.
The Energy and Homeland Security departments kicked off the initiative, known as the Electricity Sector Cybersecurity Capability Maturity Model, this year as an effort to assess and improve the security of thousands of utility companies.
A key component of the initiative is a self-evaluation survey of more than 300 questions that helps utilities evaluate their cybersecurity, identify gaps and plan how to mitigate risks and implement necessary changes.
Among the questions asked, for example, are whether:
- Cybersecurity requirements are considered when establishing relationships with suppliers and other third parties.
- Personnel vetting, such as background checks and drug tests, is performed at hire for positions that have access to electrical delivery assets.
- Training programs are aligned to support cybersecurity workforce management objectives.
The model “provides a common framework to have a discussion about [cybersecurity],” Matthew Light, an Energy Department program manager working on the initiative, said at a Washington event last week.
In public-private partnerships such as this one, Light said the government often comes to the table and tells industry it needs to improve cybersecurity, but doesn’t fully understand the security that companies already have in place or what they must improve.
“The survey provides a set of practices that we can all point to and understand,” Light said.
In April, 17 companies piloted the tool, including Dominion, one of the country’s largest power companies. In the summer, the survey tool was released to all electric companies.
The White House and DHS now want to expand the model to other critical sectors, said Samara Moore, the White House’s cybersecurity director for critical infrastructure. Moore was Energy’s lead manager for the initiative before moving to the White House.
Mark Engels, director of enterprise technology security and compliance at Dominion, said the survey tool can be effective if companies are honest with themselves about their cybersecurity capabilities.
He said the survey results helped Dominion better prioritize funding for cybersecurity.
Engels said the model goes beyond the basic cyber practices required in regulations.
The goal, he said, is not to make the survey serve as another form of regulation, but to improve cybersecurity programs.
The challenge is figuring out how to share company survey results with the government, to ultimately determine the security of the electric grid. Companies want to ensure their data are not misinterpreted, Engels said.
There are also concerns about how, where and for how long data would be stored and how it would be protected.
For now, participating companies share that information with industry associations, such as the Edison Electric Institute, and the survey results are sanitized to show overall trends without identifying company names, said David Batz, director of cyber and infrastructure security at Edison.
The organization tries to facilitate information sharing and best practices among its members.