• DocumentCode
    1882974
  • Title

    Evaluating and improving cybersecurity capabilities of the energy critical infrastructure

  • Author

    Curtis, Pamela D. ; Mehravari, Nader

  • Author_Institution
    Software Eng. Inst. (SEI), Carnegie Mellon Univ., Pittsburgh, PA, USA
  • fYear
    2015
  • fDate
    14-16 April 2015
  • Firstpage
    1
  • Lastpage
    6
  • Abstract
    This paper describes the Cyber Security Capability Maturity Model (C2M2) and two tailored versions of the model for the energy sector: the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) and the Oil & Natural Gas Cybersecurity Capability Maturity Model (ONG-C2M2). These are proven tools which allow owners and operators of components of electricity and oil & natural gas critical infrastructure to assess their cybersecurity capabilities and inform the prioritization of their actions and investments to improve cybersecurity. The models combine elements from existing cybersecurity efforts into a common tool that can be used consistently across the industry. The goal of these models and associated tools is to support ongoing development and measurement of cybersecurity capabilities within the electricity and oil and natural gas subsectors. The model can be used to: (1) Strengthen cybersecurity capabilities in the subsector, (2) Enable subsector entities to effectively and consistently evaluate and benchmark cybersecurity capabilities, (3) Share knowledge, best practices, and relevant references within the subsector, as a means to improve cybersecurity capabilities, and (4) Enable subsector entities to prioritize actions and investments to improve cybersecurity. In this paper we will provide background on the C2M2, including the model architecture, an overview of the domains, and the model practices. We will explain the Cybersecurity Self Evaluation Survey Tool, which helps electric utilities and grid operators use the model to identify opportunities to further develop their own cybersecurity capabilities. Finally, we will share information about how these models have successfully been utilized by an ever-increasing number of entities and plans for their continued stewardship, evolution, and applications to other types of organizations.
  • Keywords
    Capability Maturity Model; natural gas technology; petroleum industry; power engineering computing; power markets; public utilities; security of data; ES-C2M2; ONG-C2M2; cyber security capability maturity model; cybersecurity self evaluation survey tool; electric utilities; electricity subsector cybersecurity capability maturity model; energy critical infrastructure; grid operators; model architecture; natural gas subsector; oil & natural gas cybersecurity capability maturity model; oil subsector; subsector entities; Capability maturity model; Computer crime; Organizations; Production; Resilience; Cybersecurity; Energy Critical Infrastructure;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Technologies for Homeland Security (HST), 2015 IEEE International Symposium on
  • Conference_Location
    Waltham, MA
  • Print_ISBN
    978-1-4799-1736-5
  • Type

    conf

  • DOI
    10.1109/THS.2015.7225323
  • Filename
    7225323