Oil and gas and electric sector cybersecurity risk management maturity is essential to protecting the nation’s critical infrastructure. The recent ransomware attack on an east coast pipeline serves as a reminder to energy sector companies, whether private or public, that these are very real threats and carry serious consequences. In response to the recent cyber attack, the Department of Homeland Security (DHS) Transportation Security Administration (TSA) is conducting a security directive to develop new mandates for critical companies operating in the industry.
A good place for energy sector companies to start evaluating vulnerabilities and fortifying cybersecurity practices is to reference the existing Cybersecurity Capability Maturity Model (C2M2). The Department of Energy (DOE) published the maturity model in 2014 and is currently reviewing version 1.1 to create the 2.0 update. The C2M2 is a descriptive guide, developed by subject matter experts in the industry to assist with the voluntary audit of infrastructures vulnerable to cybersecurity intrusions.
About the C2M2
The objective of the C2M2 assessment is to arm companies with the resources needed to evaluate cyber health and identify gaps in security, benchmark capabilities, share best practices with others in the industry, and prioritize cybersecurity improvement initiatives. The model architecture establishes Maturity Indicator Levels (MIL) to map cybersecurity risks and management practices. Once a C2M2 evaluation has been completed, a scoring report is generated to help identify potential gaps in cybersecurity as compared with the model. Upon evaluation of the gap analysis, companies can begin to prioritize and plan for implementation of cybersecurity enhancements and continual maintenance.
C2M2 compliance is not required, monitored, or recorded by the DOE or any other government agency, yet is encouraged as a preferred method to evaluate, maintain, and achieve cybersecurity maturity. Vulnerabilities lead to the risk of breach with consequences such as extended downtime, threats to personal and environmental safety, and potential fines for non-compliance with industry-specific standards such as the North American Electric Reliability Corporation (NERC) for electric utilities. The benefits of conducting a C2M2 assessment include transparency in evaluating risk management maturity with a resulting scorecard that can be used to develop a cybersecurity roadmap.
Conducting a cybersecurity audit requires valuable time and technical expertise, providing a challenge for many companies to devote the necessary resources to the task. If utilizing internal personnel to conduct a C2M2 assessment, they must first learn about the model and subsequently apply the benchmark to evaluate operational competence. It is also helpful if the designated personnel have experience working in an Operational Technology (OT) environment and have access to collaborate with Information Technology (IT) experts. OT industrial control networks and IT enterprise systems must be managed for their differing infrastructure, which should be delegated to qualified personnel.
OT systems typically contain many functioning parts including Programmable Logic Controllers (PLC), various software platforms for Supervisory Control and Data Acquisition (SCADA), and communication protocols like Modbus, PROFINET, DataHighway (DH), etc. Sometimes the OT systems may include legacy or obsolete versions of hardware, firmware, and software that can lead to additional gaps in cybersecurity. An OT professional can efficiently evaluate networking and communication protocols through checking hardware inventory, locating and securing endpoints, and administering patch management.
Bringing in a third-party facilitator to conduct cyber threat and vulnerability analysis is an effective alternative to placing the burden on limited internal resources. The C2M2 provides the checklist for cyber resilience and an established systems integrator like EN Automation can facilitate the process. An automation engineer can reduce the burden of cybersecurity assessment on management and operations by providing a competent approach that comes from experience working with a broad range of control system hardware and software platforms in the energy sector.
The process begins with conducting a C2M2 assessment to assign a MIL rating to measure maturity across ten critical domains, evaluating the scorecard and communicating results, then developing a cybersecurity resilience program that includes a roadmap with investment priorities. EN Automation engineers accomplish tasks skillfully with effective communication and invaluable experience that comes from collaborating with personnel at every level, through every phase of the process. In addition to remaining available for implementation of remediation and continued cybersecurity maintenance, annual C2M2 checkups become more streamlined with familiarity gained from facilitators working with particular systems over time. Partner with EN Automation, a trusted name in midstream systems integration, to navigate the journey to cybersecurity maturity.
EN Automation is a leading national systems integrator, trusted partner, and provider of innovative and reliable solutions to customers in the electric utility, pipeline, food & beverage, manufacturing, transportation, and refining & chemical industries. EN Automation leads the industry in best practices, with accessible resources located in regional offices across the nation. As a division of EN Engineering, our automation team is part of a dynamic group providing the flexibility and scalability to simultaneously meet the demands of multiple projects, including C2M2 and cybersecurity vulnerability assessments.