The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), which allows electric utilities and grid operators to assess their cybersecurity capabilities and prioritize their actions and investments to improve cybersecurity, combines elements from existing cybersecurity efforts into a common tool that can be used consistently across the industry. The ES-C2M2 was developed as part of a White House initiative led by the Department of Energy in partnership with the Department of Homeland Security (DHS) and involved close collaboration with industry, other Federal agencies, and other stakeholders. This presentation covers a real world “case study” of how this ES-C2M2 work can easily be adapted to improve cyber security at your organization.
Electricity Subsector Cybersecurity Capability Maturity Model Case Study
1. Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) Case Study: Snohomish County PUD Initial Facilitated Assessment
Benjamin Beberness, Snohomish County PUD
John Fry, ICF International
August 2012
2. ES-C2M2 Background & Overview
• Challenge: Develop capabilities to manage dynamic threats and understand cybersecurity posture
• Approach: Develop a maturity model and self-evaluation survey to develop and measure cybersecurity capabilities
• Results: A scalable, sector-specific model created in partnership with industry
ES-C2M2 Objectives
• Strengthen cybersecurity capabilities of the grid
• Enable consistent evaluation and benchmarking of cybersecurity capabilities
• Share knowledge and best practices
• Enable prioritized actions and cybersecurity investments
ES-C2M2 Case Study
3. Why Create a Maturity Model?
“If you want to build a ship, don’t herd people together to collect wood and don’t assign tasks and work, but rather, teach them to long for the endless immensity of the sea.”
– Antoine de Saint-Exupéry
4. Why Create a Maturity Model?
• Tool for utilities (as opposed to regulation from Government)
• Helps answer questions
– Where are we?
– Where do we go?
– How do we get there?
5. ES-C2M2 Domains
[Domain wheel: Risk Management (RISK); Asset, Change, and Configuration Management (ASSET); Identity and Access Management (ACCESS); Threat and Vulnerability Management (THREAT); Situational Awareness (SITUATION); Information Sharing and Communications (SHARING); Event and Incident Response, Continuity of Operations (RESPONSE); Supply Chain and External Dependencies Management (DEPENDENCIES); Workforce Management (WORKFORCE); Cybersecurity Program Management (CYBER)]
• Domains are logical groupings of cybersecurity practices
• Each domain has a short name for easy reference
6. Model Architecture
[Diagram: Domain → Objective 1, Objective 2 → Maturity Indicator Level (MIL) 1, MIL 2 → Practice 1, Practice 2]
7. Example: Objectives
Situational Awareness: 4 Objectives
1. Perform Logging – MIL1, MIL2, MIL3
2. Monitor the Function – MIL1, MIL2, MIL3
3. Establish and Maintain a Common Operating Picture – MIL1, MIL2, MIL3
4. Manage SITUATION Activities (common objective) – MIL1, MIL2, MIL3
10. Example: Practice Maturity Progression
Situational Awareness “Monitor the Function”
• MIL1 – Cybersecurity monitoring activities are performed (e.g., periodic reviews of log data)
• MIL2 – Alarms and alerts are configured to aid the identification of cybersecurity events
• MIL3 – Continuous monitoring is performed across the operational environment to identify anomalous activity
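The three monitoring maturity levels above, expressed as log-monitoring logic and run over a constructed syslog-style sample. This is an added example, not code from the ES-C2M2 model or from Snohomish County PUD; the host names, user names, addresses, log lines, the five-failures-in-five-minutes threshold and the ten-minute bucket size are assumptions made for illustration.

```python
"""Monitoring logic for the three "Monitor the Function" maturity levels. Added
example, not ES-C2M2 or Snohomish County PUD code; all names and data are assumptions."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sample, "<timestamp> <host> <process>: <message>".
# 08:30 on scada-hmi1 is a password-guessing burst from one address; 08:46-08:49
# on hist01 is a flurry of privileged commands that no login rule describes.
SAMPLE_LOG = """\
2012-08-14T08:00:05 scada-hmi1 sshd: Accepted publickey for operator from 10.20.30.5
2012-08-14T08:04:10 hist01 sshd: Accepted publickey for operator from 10.20.30.5
2012-08-14T08:10:12 scada-hmi1 sshd: Accepted publickey for engineer from 10.20.30.6
2012-08-14T08:15:00 hist01 cron: session opened for user backup
2012-08-14T08:20:30 scada-hmi1 cron: session opened for user backup
2012-08-14T08:25:00 hist01 sshd: Accepted publickey for operator from 10.20.30.5
2012-08-14T08:30:01 scada-hmi1 sshd: Failed password for operator from 10.20.30.40
2012-08-14T08:30:15 scada-hmi1 sshd: Failed password for operator from 10.20.30.40
2012-08-14T08:30:31 scada-hmi1 sshd: Failed password for root from 10.20.30.40
2012-08-14T08:30:48 scada-hmi1 sshd: Failed password for root from 10.20.30.40
2012-08-14T08:31:02 scada-hmi1 sshd: Failed password for admin from 10.20.30.40
2012-08-14T08:31:19 scada-hmi1 sshd: Failed password for admin from 10.20.30.40
2012-08-14T08:35:00 hist01 sshd: Accepted publickey for operator from 10.20.30.5
2012-08-14T08:40:00 scada-hmi1 sshd: Accepted publickey for operator from 10.20.30.5
2012-08-14T08:45:00 hist01 cron: session opened for user backup
2012-08-14T08:46:00 hist01 sudo: engineer : COMMAND=/sbin/service historian stop
2012-08-14T08:47:00 hist01 sudo: engineer : COMMAND=/bin/cp /tmp/hist.cfg /etc/historian/
2012-08-14T08:48:00 hist01 sudo: engineer : COMMAND=/sbin/service historian start
2012-08-14T08:49:00 hist01 sudo: engineer : COMMAND=/usr/bin/tail /var/log/historian.log
2012-08-14T08:50:00 scada-hmi1 cron: session opened for user backup
2012-08-14T08:55:00 hist01 sshd: Failed password for operator from 10.20.30.5
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
EPOCH = datetime(1970, 1, 1)

def parse_log(text):
    """Parse lines into event dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m.group("ts")),
                           "host": m.group("host"), "msg": m.group("msg")})
    return sorted(events, key=lambda e: e["ts"])

def mil1_periodic_review(events):
    """MIL1: periodic review - a per-host summary an analyst reads after the fact."""
    summary = defaultdict(lambda: {"events": 0, "failed_logins": 0})
    for e in events:
        summary[e["host"]]["events"] += 1
        if FAILED_RE.search(e["msg"]):
            summary[e["host"]]["failed_logins"] += 1
    return dict(summary)

def mil2_threshold_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """MIL2: a configured alert rule - `threshold` failed logins from one source
    against one host inside `window`, found with a sliding window."""
    times = defaultdict(list)
    for e in events:
        m = FAILED_RE.search(e["msg"])
        if m:
            times[(e["host"], m.group("src"))].append(e["ts"])
    alerts = []
    for (host, src), ts in times.items():
        start = 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "source": src,
                               "first_seen": ts[start], "count": end - start + 1})
                break  # one alert per burst is enough for the example
    return alerts

def mil3_anomalies(events, interval=timedelta(minutes=10), z=3.0):
    """MIL3: continuous monitoring against each host's own baseline, no rule per
    attack. A bucket is anomalous when its count exceeds mean + z * stdev of the
    host's other buckets (stdev floored at 1.0 so a flat baseline is not noisy)."""
    if not events:
        return []
    bucket = lambda ts: EPOCH + interval * ((ts - EPOCH) // interval)
    counts = Counter((e["host"], bucket(e["ts"])) for e in events)
    first, last = bucket(events[0]["ts"]), bucket(events[-1]["ts"])
    buckets = [first + interval * k for k in range((last - first) // interval + 1)]
    findings = []
    for host in sorted({e["host"] for e in events}):
        series = [counts[(host, b)] for b in buckets]
        for i, n in enumerate(series):
            others = series[:i] + series[i + 1:]
            if len(others) >= 2 and n > statistics.mean(others) + z * max(statistics.pstdev(others), 1.0):
                findings.append({"host": host, "bucket_start": buckets[i], "count": n})
    return findings

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("MIL1:", mil1_periodic_review(evs), "\nMIL2:", mil2_threshold_alerts(evs),
          "\nMIL3:", mil3_anomalies(evs))
```

Run stand-alone, the MIL1 summary only tells the reviewer that scada-hmi1 had six failed logins that morning; the MIL2 rule raises one alert for the 10.20.30.40 burst because someone wrote that rule in advance; the MIL3 baseline flags that same 08:30 bucket and also the 08:40 bucket on hist01, where the privileged-command flurry matches no login rule. That second finding is the practical difference between configured alerts and continuous anomaly monitoring: the baseline needs no per-attack signature. A single mistyped password on hist01 at 08:55 triggers nothing at either level. In a real environment the baseline would be built from days or weeks of history rather than the handful of buckets used here.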
11. The Model at a Glance
[Grid: rows are the Maturity Indicator Levels, columns are the ten model domains (RISK, ASSET, ACCESS, THREAT, SITUATION, SHARING, RESPONSE, DEPENDENCIES, WORKFORCE, CYBER); each cell contains the defining practices for the domain at that maturity indicator level]
Maturity Indicator Levels (4): defined progressions of practices
– X: Reserved (one Maturity Indicator Level that is reserved for future use)
– 3: Managed
– 2: Performed
– 1: Initiated
– 0: Not Performed
Model Domains (10): logical groupings of cybersecurity practices
14. Assessed Domains
• Enterprise versus functional area
• Assessed Domains
– Risk Management (RISK)
– Asset, Change, and Configuration Management (ASSET)
– Identity and Access Management (ACCESS)
– Threat and Vulnerability Management (THREAT)
– Situational Awareness (SITUATION)
– Information Sharing and Communications (SHARING)
– Event and Incident Response, Continuity of Operations (RESPONSE)
– Supply Chain and External Dependencies Management
(DEPENDENCIES)
– Workforce Management (WORKFORCE)
– Cybersecurity Program Management (CYBER)
15. SNOPUD Relative Scoring
[Chart: per-domain scores for Situation, Dependencies, Sharing, Asset, Response, Cyber, Risk, Access, Threat and Workforce at MIL1, MIL2 and MIL3, shaded Fully implemented / Largely implemented / Partially implemented / Not implemented]
Maturity Indicator Level (MIL) 1 through 3 indicate the stage of implementation of the domain, with 1 indicating there is room for improvement and 3 indicating it is fully implemented with very little room for improvement. Not all domains for every organization need to be at MIL 3. Many organizations, based on their risk profile, may have an adequate program at MIL 1.
16. Assessment Results
• No surprises – areas needing improvement were known
• Facilitators were very objective
• Areas for improvement include risk management and log management, and areas of asset management
• Areas where program elements are in place include areas of asset management, access control (policy), threat/vulnerability management, sharing and managing information, threat response, dependencies, workforce management, and cyber program management
• The assessment provided quantitative guidance for program improvement
– Review individual function areas (Generation, Water, T&D)
– Determine the individual as well as the functional domain target maturity goals
– Prioritize objectives in overall cyber security program
18. ES-C2M2 – Next Steps
• Share Best Practices within the sector
• Identify approaches for Capability Development
• Discussion Opportunities created
• Develop anonymous aggregated Benchmarking Data
• R&D Investment needs identified by result data
• Access to Online Training Tools
19. Next Steps
• Data collection
– ES-C2M2 compartment within US-CERT Portal
– PCII protections
– Projected timeline
• Data Analytics
• Benchmark Data
21. Links
ES-C2M2 Model
http://energy.gov/oe/downloads/electricity-subsector-cybersecurity-capability-maturity-model-may-2012
ES-C2M2 Self-Evaluation Tool Requests, Questions, or Requests for Facilitation
ES-C2M2@doe.gov
22. For questions or feedback please contact ES-C2M2@HQ.DOE.GOV
THANK YOU
24. ES-C2M2 Domain Descriptions
Risk Management (RISK): Establish, operate, and maintain an enterprise cybersecurity risk management program to identify, analyze, and mitigate cybersecurity risk to the organization, including its business units, subsidiaries, related interconnected infrastructure, and stakeholders. RISK comprises three objectives:
1. Establish Cybersecurity Risk Management Strategy
2. Manage Cybersecurity Risk
3. Manage RISK Activities
Asset, Change, and Configuration Management (ASSET): Manage the organization’s operations technology (OT) and information technology (IT) assets, including both hardware and software, commensurate with the risk to critical infrastructure and organizational objectives. ASSET comprises four objectives:
1. Manage Asset Inventory
2. Manage Asset Configuration
3. Manage Changes to Assets
4. Manage ASSET Activities
25. ES-C2M2 Domain Descriptions
Identity and Access Management (ACCESS): Create and manage identities for entities that may be granted logical or physical access to the organization’s assets. Control access to the organization’s assets, commensurate with the risk to critical infrastructure and organizational objectives. ACCESS comprises three objectives:
1. Establish and Maintain Identities
2. Control Access
3. Manage ACCESS Activities
Threat and Vulnerability Management (THREAT): Establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities, commensurate with the risk to the organization’s infrastructure (e.g., critical, IT, operational) and organizational objectives. THREAT comprises three objectives:
1. Identify and Respond to Threats
2. Reduce Cybersecurity Vulnerabilities
3. Manage THREAT Activities
26. ES-C2M2 Domain Descriptions
Situational Awareness (SITUATION): Establish and maintain activities and technologies to collect, analyze, alarm, present, and use power system and cybersecurity information, including status and summary information from the other model domains, to form a common operating picture (COP), commensurate with the risk to critical infrastructure and organizational objectives. SITUATION comprises four objectives:
1. Perform Logging
2. Monitor the Function
3. Establish and Maintain a Common Operating Picture
4. Manage SITUATION Activities
Information Sharing and Communications (SHARING): Establish and maintain relationships with internal and external entities to collect and provide cybersecurity information, including threats and vulnerabilities, to reduce risks and to increase operational resilience, commensurate with the risk to critical infrastructure and organizational objectives. SHARING comprises two objectives:
1. Share Cybersecurity Information
2. Manage SHARING Activities
27. ES-C2M2 Domain Descriptions
Event and Incident Response, Continuity of Operations (RESPONSE): Establish and maintain plans, procedures, and technologies to detect, analyze, and respond to cybersecurity events and to sustain operations throughout a cybersecurity event, commensurate with the risk to critical infrastructure and organizational objectives. RESPONSE comprises five objectives:
1. Detect Cybersecurity Events
2. Escalate Cybersecurity Events
3. Respond to Escalated Cybersecurity Events
4. Plan for Continuity
5. Manage RESPONSE Activities
Supply Chain and External Dependencies Management (DEPENDENCIES): Establish and maintain controls to manage the cybersecurity risks associated with services and assets that are dependent on external entities, commensurate with the risk to critical infrastructure and organizational objectives. DEPENDENCIES comprises three objectives:
1. Identify Dependencies
2. Manage Dependency Risk
3. Manage DEPENDENCIES Activities
28. ES-C2M2 Domain Descriptions
Workforce Management (WORKFORCE): Establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel, commensurate with the risk to critical infrastructure and organizational objectives. WORKFORCE comprises five objectives:
1. Assign Cybersecurity Responsibilities
2. Control the Workforce Lifecycle
3. Develop Cybersecurity Workforce
4. Increase Cybersecurity Awareness
5. Manage WORKFORCE Activities
Cybersecurity Program Management (CYBER): Establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for the organization’s cybersecurity activities in a manner that aligns cybersecurity objectives with the organization’s strategic objectives and the risk to critical infrastructure. CYBER comprises five objectives:
1. Establish Cybersecurity Program Strategy
2. Sponsor Cybersecurity Program
3. Establish and Maintain Cybersecurity Architecture
4. Perform Secure Software Development
5. Manage CYBER Activities
Editor's notes
We can’t regulate our way out of this.
Domains serve as large groupings of practices by knowledge area (Example: Situational Awareness). Objectives are groupings of practices similar in the type of activity they describe (Example: practices having to do with Monitoring). Maturity Indicator Levels are groupings of practices similar in the level of sophistication or maturity. MILs got their name because they do not describe cybersecurity exactly, but instead provide an indication of the level of maturity of an organization's cybersecurity activities. Practices are the activities performed in support of an organization's cybersecurity objectives.
You may notice the last objective has the words “common objective” next to it in parentheses. This is something you will see in each domain. The last objective describes the actions taken to manage activities within the domain. It describes how much the domain has become a part of the organization. This is referred to in the model as “institutionalization”. The more ingrained into the organization, the more likely it is that it will be continued over time, when talented people leave or in times of stress. The other three objectives provide a snapshot of the maturity of practices at any single point in time.
11 practices all having to do with monitoring
Each ring has a total score. Each section of the ring includes a numerical rating per color. An example would be Risk MIL 1, which has a rating of 2 with a total “green” score of 1+1=2, i.e., fully implemented. Cyber MIL 3 has a rating of 31 with a “green” score of 26 and a “red” score of 5, indicating largely implemented with areas needing improvement. The ratings for each ring are weighted scores, based on the model.