Measuring Cyber Security Success in the Electricity Subsector

We all want a more reliable, resilient, flexible, and secure electric grid.  It’s foundational to our economic, social, and national security. But paraphrasing Lord Kelvin, if the grid is to be managed, it needs to be measured.  And it is in many aspects.  There are some gaps in our knowledge, though.  Our mission-critical infrastructure needs objective, trusted data to quantitatively describe internal performance and inform decision-making about investments in solutions that strengthen utility cyber security posture.  Being able to compare standardized utility cyber security scores in a confidential way would deliver even more contextual information to shape and support strategic cyber investments.

Until recently, generally accepted cyber security metrics did not exist for the utility sector in the operational technology (OT) environment.  EPRI’s cyber security R&D team created rigorously-developed, data-driven calculations that quantitatively and visually describe performance trends.  These calculations produce metrics that map to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) core.  The Framework Core consists of five concurrent and continuous Functions - Identify, Protect, Detect, Respond, Recover. These Functions provide a high-level view of the cyber security risk lifecycle.  The initial OT metrics map to the protect, detect, and respond functions.   Utilities are piloting the current metrics to test automated data collection and validate calculations. 

This is only the first phase of an industry-wide effort that involves all stakeholders.  EPRI is hosting a new OT cyber security metrics working group called CyberNabu that is open to industry stakeholders to create a Research Roadmap.  Nabu was the name of an ancient Babylonian god of wisdom.  We need the collective wisdom of utilities, vendors, regulators, standards development organizations, and governmental entities to create a consensus-based OT cyber security metrics research roadmap for the electricity subsector.

• Expand the metrics into a broader range of measures, including resiliency
• Define standardized, normalized data outputs that enable easy data exchanges for analytics applications like metrics

Like the generally accepted accounting principles or GAAP, objective and quantitative OT cyber security metrics can help deliver smarter and more proactive decisions to secure mission-critical operations.  The CyberNabu Working Group offers a forum to build global recognition and adoption of OT cyber security metrics and help improve the overall cyber security postures for electric utilities through the development and publication of a research roadmap.  Our inaugural meeting is March 2 at 10AM pacific time.  All interested stakeholders are encouraged to register here.