Rapid development and deployment of new technologies in the energy delivery systems marketplace make the power grid a hotbed for innovation—and an attractive target for cybercriminals.
Cybersecurity researchers at Pacific Northwest National Laboratory (PNNL) are working to change that by building next-generation tools for hardening the power grid—and other critical infrastructure—against attack.
The U.S. Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) funded PNNL to develop a cybersecurity maturity model and companion assessment method that help manufacturers of hardware, software, and firmware products implement consistent cybersecurity best practices throughout the development lifecycle. The Secure Design and Development Maturity Model, or SD2M2, is being used to evaluate the cybersecurity practices of suppliers developing and building products specifically for the power grid. Think sensors, large control systems, and everything in between.
SD2M2 is based on the Cybersecurity Capability Maturity Model (C2M2) framework. A cybersecurity maturity model enables organizations of all sizes to evaluate, prioritize, and improve their cybersecurity practices.
“The cybersecurity maturity model brings consistency and a common frame of reference for manufacturers to ensure their hardware and software products meet minimum cybersecurity standards,” said Scott Mix, project manager and grid cybersecurity specialist for PNNL. “The smart grid ecosystem of products continues to expand, and we want to help the industry build inherently secure products.”
Cybersecurity maturity model companion web tools improve cybersecurity
In 2017, the PNNL team built a user-friendly, web-based interface as a companion to the cybersecurity maturity model. This tool enables technology vendors and manufacturers to complete the assessment more easily.
“The web tool automates the entire assessment, making the whole process more streamlined,” added Mix. “Using the methodology and web application, vendors can now save and view reports that show their improvement over time.”
As part of a pilot program, PNNL conducted assessments with two vendors: the software development arm of a large energy management system organization, and the Remote Terminal Unit division of a large control system hardware and software manufacturer. Last year, thanks to funding from the U.S. Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response, the team was able to incorporate user feedback from the pilot program to make significant improvements to the web tool. Another round of updates was implemented this year.
The key objective for SD2M2 is to socialize and provide a best-practices approach to cybersecurity in the power grid technology supply chain, although it can also be used to evaluate the security of products in other domains.
"The goal was to create a repeatable and scalable assessment method to determine the cybersecurity maturity and posture for energy delivery system components," said Sri Nikhil Gupta Gourisetti, principal investigator and energy cybersecurity researcher at PNNL.
Cybersecurity maturity models improve communication between managers and development teams
SD2M2 consists of three components: management priorities, core assessment, and a comparative evaluation.
For the management priorities phase, leadership establishes goals across seven major domains spanning the entire system development lifecycle: background and foundation, design, build, test, integrate, deploy, and end-of-life.
The core assessment portion prompts product designers, developers, and testers to self-assess by responding to 800 practice statements that evaluate their product against a set of industry-recognized best practices for cybersecurity. For each practice statement, assessors choose one of four options: not implemented, informally implemented, documented, or formally implemented.
The SD2M2 web-based tool delivers a customized assessment experience based on the product or organization type. For example, a software developer only needs to respond to a smaller subset of the over 800 practice statements, bypassing those that are not related to hardware system security. The comparative evaluation phase delivers a user-friendly report comparing the self-assessment results against management priorities to identify opportunities for improving a product’s cybersecurity posture.
Depending on the size of the organization, the entire assessment can take one to three days to complete, at roughly four to six hours a day. The SD2M2 research team emphasized that the tool does not collect or share the end-user assessment data, and everything is retained inside the organization.
Published: February 1, 2021