Implementing Cybersecurity Frameworks: Utility Lessons Learned

Utility experiences in implementing NIST and DOE cybersecurity frameworks

The Department of Energy (DOE) released the Energy Sector Cybersecurity Framework Implementation Guidance in 2015 to help the energy sector establish or align existing cybersecurity risk management programs. Using DOE’s Electricity Subsector Cybersecurity Capability Maturity Model (C2M2), these programs can meet the objectives of the cybersecurity framework (CSF) developed by the National Institute of Standards and Technology (NIST).

The CSF and C2M2 frameworks allow organizations to apply the principles and best practices of cyber risk management to improve the security and resilience of critical infrastructure. Asset owners gained a huge amount of practical knowledge and experiences during implementation of these frameworks.

This paper presents the best practices, lessons learned, and actionable innovations by utilities in implementing CSF and C2M2 to manage their cybersecurity programs. These lessons can be helpful to key stakeholders involved in scoping their cybersecurity plans, assessing their current state of cybersecurity, determining their target state using risk-based approaches, prioritizing their gaps, and advising their senior management.

What’s in the report

• Challenges in implementing cybersecurity frameworks
• High-level lessons learned
• Guidance on implementation, development of organizational objectives, identifying key organizational threats, identifying target profiles, and identifying organizational weaknesses and gaps
• Helpful tools and resources