Cybersecurity and Physical Security

A practical approach to understanding cybersecurity needs

When utilities begin to consider cybersecurity, their first impulse is often to hire a professional services firm to conduct a vulnerability assessment—and they’re happy to sell it to you. They deliver a big report with a laundry list of things to do, some of which the utility might not understand. And then they say, “You can pay us to do it for you.”

Utilities need a practical approach to cybersecurity that’s designed for our industry. That’s why the Department of Energy endorsed the Cybersecurity Capability Maturity Model, or C2M2, a self-assessment that evaluates the sophistication of an electric utility’s cybersecurity risk management. Unfortunately, the C2M2 is not well suited to smaller utilities. The full C2M2 is an extensive, multi-day process that cuts across many different components, and it’s a challenge to get the right people in the room to answer the questions. While it is intended to help power companies of all sizes improve their security posture, the extensive C2M2 self-evaluation can overwhelm smaller organizations.

The extensive questions also produce long, detailed results. As a consequence, organizations that complete the C2M2 often let the resulting report collect dust instead of taking action.

That’s why when I learned that the American Public Power Association was working with Axio to simplify the C2M2, I was happy to provide insight about how to improve the C2M2 process. The result is the Public Power Cybersecurity Scorecard. The scorecard takes the 51 questions that comprise the C2M2’s Maturity Indicator Level 1 and boils them down to 14 multiple-choice questions that even a generalist can answer.

It’s not only easier to get through the survey, it also takes the guesswork out of what utilities should strive to achieve. Utilities gain insight into where their security posture is today, where they should be, and how they compare to others in the industry.

For now, the scorecard serves as a practical first step for small public power utilities that want to manage cybersecurity but don’t know where to start. The 14 questions save time and effort, and give action plans for what to do next. This first measure is a helpful stepping stone that can then make completing the full C2M2 less onerous. It allows utilities to become familiar with the terms and concepts of a vulnerability assessment and prioritize improvements.

When threats loom large, it is helpful to have such a tool to see a clear picture of where we stand.