Measuring Cyber Security Success in the Electricity Subsector

Posted to EPRI in the Utility Management Group
Christine Hertzog's picture
Principal Technical Leader, Cyber Security Strategic Initiative, Electric Power Research Institute

Christine Hertzog is a Principal Technical Leader focused on OT Cyber Security research at EPRI.  She conducts research on new technologies suitable for OT environments and informs industry...

  • Member since 2010
  • 286 items added with 155,206 views
  • Feb 24, 2021

We all want a more reliable, resilient, flexible, and secure electric grid.  It’s foundational to our economic, social, and national security. But paraphrasing Lord Kelvin, if the grid is to be managed, it needs to be measured.  And it is in many aspects.  There are some gaps in our knowledge, though.  Our mission-critical infrastructure needs objective, trusted data to quantitatively describe internal performance and inform decision-making about investments in solutions that strengthen utility cyber security posture.  Being able to compare standardized utility cyber security scores in a confidential way would deliver even more contextual information to shape and support strategic cyber investments.

Until recently, generally accepted cyber security metrics did not exist for the utility sector in the operational technology (OT) environment.  EPRI’s cyber security R&D team created rigorously-developed, data-driven calculations that quantitatively and visually describe performance trends.  These calculations produce metrics that map to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) core.  The Framework Core consists of five concurrent and continuous Functions - Identify, Protect, Detect, Respond, Recover. These Functions provide a high-level view of the cyber security risk lifecycle.  The initial OT metrics map to the protect, detect, and respond functions.   Utilities are piloting the current metrics to test automated data collection and validate calculations. 

This is only the first phase of an industry-wide effort that involves all stakeholders.  EPRI is hosting a new OT cyber security metrics working group called CyberNabu that is open to industry stakeholders to create a Research Roadmap.  Nabu was the name of an ancient Babylonian god of wisdom.  We need the collective wisdom of utilities, vendors, regulators, standards development organizations, and governmental entities to create a consensus-based OT cyber security metrics research roadmap for the electricity subsector.

  • Expand the metrics into a broader range of measures, including resiliency
  • Define standardized, normalized data outputs that enable easy data exchanges for analytics applications like metrics

Like the generally accepted accounting principles or GAAP, objective and quantitative OT cyber security metrics can help deliver smarter and more proactive decisions to secure mission-critical operations.  The CyberNabu Working Group offers a forum to build global recognition and adoption of OT cyber security metrics and help improve the overall cyber security postures for electric utilities through the development and publication of a research roadmap.  Our inaugural meeting is March 2 at 10AM pacific time.  All interested stakeholders are encouraged to register here.

Founded in 1972, EPRI is the world's preeminent independent, non-profit energy research and development organization, with offices around the world.
Richard Brooks's picture
Richard Brooks on Mar 5, 2021

Christine, you may also be interested in an Energy industry proof of concept for Software Bill of Materials being planned by the Department of Commerce NTIA:

My company is participating in the NTIA Energy Proof of Concept to demonstrate software supply chain risk assessment capabilities using SBOM's with the Software Assurance Guardian Point Man™ (SAG-PM™) application

Hope to see you in the POC.

Christine Hertzog's picture
Thank Christine for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »