WASHINGTON – As part of the Obama Administration’s commitment to protecting America’s critical infrastructure, U.S. Energy Secretary Ernest Moniz today announced the release of new tools to strengthen protection of the nation’s oil and natural gas infrastructure and the electric grid from cyber attack. The new versions of the Cybersecurity Capability Maturity Model, which help organizations assess their own cybersecurity capabilities and identify steps to help strengthen their defenses, include a version that can be used by industries outside of the energy sector.
“As the cyber threat landscape evolves, continuing to strengthen and refine the ways in which the energy sector and others can protect critical infrastructure is vital to the nation’s security and prosperity,” said Secretary Moniz. “These new tools are another important step in helping industry create and sustain resilient systems that can survive a cyber incident while sustaining critical functions. We remain committed to working closely with our private and public partners on this vitally important issue.”
The new Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2) leverages the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), which was launched in 2012 as part of a White House initiative to support the private sector and utilities in assessment and enhancement of their own efforts. Maturity models identify an organization’s strengths and weaknesses, using best practices to improve performance, efficiency and quality. Development of the ONG-C2M2 involved a series of workshops with the private sector to draft a maturity model that can be used to better protect the oil and natural gas infrastructure. A voluntary ONG-C2M2 program, similar to the current ES-C2M2 program, will provide stakeholders with free guidance, an evaluation toolkit, and facilitated self-evaluations.
In addition to the ONG-C2M2 and an updated version of the ES-C2M2, the Energy Department is releasing a sector-neutral version of the model that can be used by any business or organization, regardless of size, function, or ownership structure. Organizations can modify the model according to their own sectors’ needs. All three models are available now for downloading.
In addition, the Energy Department worked closely with the Department of Homeland Security, National Institute of Standards and Technology (NIST), other government agencies, and industry on the recently released Cybersecurity Framework, based on existing standards, guidelines, and best practices. As the Energy Sector-Specific Agency, the Department has worked closely with Federal and private sector partners to ensure alignment between the C2M2 and NIST Framework. The Energy Department anticipates working with industry to provide sector-wide implementation guidance on the NIST Framework that further leverages the advancements in the new versions of the C2M2.
The Energy Department has a long history of working closely with Federal partners, including the Department of Homeland Security, and private partners on cybersecurity of critical energy infrastructure. All versions of the Cybersecurity Maturity Model align with the Roadmap to Achieve Energy Delivery Systems Cybersecurity, which was developed by industry, facilitated by the Energy Department, and released in September of 2011.