
Maturity in Cybersecurity - Should We Shoot for the Stars?

30 April 2024, Victor Tan, Chair of Study Committee D2, CISSP, CISM


Study Committee D2 is going through an interesting era in which the energy transition towards a low-carbon energy supply chain demands that all players in the energy market innovate and find new, efficient solutions in information systems, strengthen their cybersecurity posture, and maintain and develop agile telecommunications infrastructure to exchange the ever-increasing volume of data between all parties.

For those who may not be familiar with what our Study Committee does, I thought I would provide an overview by showing our role in the above three focus areas in the context of the electricity supply chain (Figure 1).

Figure 1 – CIGRE Study Committee D2 Focus Areas in the context of energy transition in the electricity supply chain


In this article, I would like to share some thoughts on one of our important focus areas, which is cybersecurity for power utilities.


In the area of cybersecurity, we have intense efforts underway to strengthen the cybersecurity posture of the electricity industry using a standards-based approach. Reference standards being adopted to improve the cybersecurity posture of organisations in our industry include ISA/IEC 62443, ISO/IEC 27001, National Institute of Standards and Technology (NIST) publications, regional and national standards such as the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) standards and the Australian Energy Sector Cyber Security Framework (AESCSF), European Union Agency for Cybersecurity (ENISA) guidelines, and many others that apply within specific jurisdictions.

The central theme of these standards, regulations and best practices is that securing critical infrastructure requires a multi-layered approach involving all aspects of an organisation – from strategy, risk management, workforce management and asset management to operational areas such as vulnerability management, cybersecurity design and the implementation of systems.

Given the extensive breadth and depth with which cybersecurity permeates all aspects of an organisation, many find undertaking these improvement efforts challenging.


In my view, cybersecurity never has a true endpoint; it is an ongoing process. Organisations journey through it, learning from deficiencies and mistakes, continuously improving, and becoming more adept at achieving a stronger cybersecurity posture over time.


This is where the notion of a capability maturity model (CMM), which views cybersecurity as a journey of improvement rather than an end goal, becomes relevant. The CMM was originally developed in 1986 to enable better assessment of maturity in software engineering; the concept has since been applied to other areas, including cybersecurity.

In cybersecurity, the equivalent maturity model is the Cybersecurity Capability Maturity Model (C2M2) framework, developed by the US Department of Energy and the Department of Homeland Security. Indeed, many cybersecurity standards and best practices are informed by the notion of capability maturity as a continuous process for improving cybersecurity.

Capability maturity models outline different levels of maturity that organisations can achieve. These levels range from basic, such as maintaining good documentation, to the most advanced, which involves having optimised plans and measurable metrics for cybersecurity objectives. Essentially, these models are collections of practices designed to enhance an organisation's cybersecurity stance. The practices are ranked by their rigour – the more rigorous the practice, the lower the risk of breaches or compromises. However, advancing through these levels becomes increasingly challenging. It is crucial to understand that the process of continuous improvement does not end, even on reaching the highest maturity level.

I view the cybersecurity maturity model as similar to the concept of quality in manufacturing and engineering, where higher quality means a product closely matches its specified standards. Similarly, in cybersecurity, a higher maturity level indicates that an organisation's processes closely align with cybersecurity best practices, making them more robust and well-defined. As maturity increases, errors, mistakes, and deviations from these practices decrease.

Figure 2 and Figure 3 illustrate this analogy with normal distribution curves. In a simplified description of the analogy, best practices cluster around the centre of the curve, while the left and right tails are extremes that can be viewed as practices deviating from best practice, i.e. bad or questionable practices. In this analogy, deviations from the mean are deviations from optimal cybersecurity practices.

A low-maturity organisation, represented by a wider curve, may have a wider tolerance in implementing these practices and may let more questionable and bad practices slip through (Figure 2) – there is more deviation from the best practices. For instance, a bad practice – also known as an 'anti-pattern' [1] – is not changing default passwords on protection relays. A questionable practice is either forcing users to change passwords too frequently [2], such as every 30 days, or allowing the same password to be used indefinitely, even when there are signs of a security breach.

On the other hand, a high-maturity organisation adopts best practices more rigorously (Figure 3), resulting in less deviation from the best practices. A best practice example is requiring Multi-Factor Authentication (MFA) for high-risk situations, such as remote access.


Just as a narrower distribution (lower standard deviation) in manufacturing signifies higher consistency and quality, a high-maturity organisation in cybersecurity shows a 'tighter' adherence to best practices (narrower spread), reflecting stronger, more consistent cybersecurity measures.
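To make the ideas of ranked practices, cumulative maturity levels and "fit for purpose" targets concrete, here is a small scoring example. It is added to this page and is not part of the article or of the C2M2 itself: the domain, practice IDs, wording and level assignments form a constructed rubric (the three practices it borrows from the text above are the default-password anti-pattern, short forced password rotation and MFA for remote access), the two assessment results are constructed, and it assumes that levels are cumulative, i.e. a level is reached only when every practice at that level and below is in place.

```python
from dataclasses import dataclass
from enum import IntEnum


class MIL(IntEnum):
    """Maturity indicator levels for one domain (constructed 0-3 scale)."""
    MIL0 = 0
    MIL1 = 1
    MIL2 = 2
    MIL3 = 3


@dataclass(frozen=True)
class Practice:
    id: str
    mil: MIL            # level at which the practice is first required
    description: str


@dataclass(frozen=True)
class Finding:
    practice_id: str
    implemented: bool
    note: str = ""


# Constructed rubric for a single "access control" domain. The practice IDs, wording and
# level assignments are illustrative and are not the C2M2's own practice list.
ACCESS_CONTROL = (
    Practice("AC-1", MIL.MIL1, "Vendor default passwords are changed on protection relays and other OT devices"),
    Practice("AC-2", MIL.MIL1, "Passwords are not force-rotated on a short fixed schedule without cause"),
    Practice("AC-3", MIL.MIL2, "Credentials are reset when there are signs of a security breach"),
    Practice("AC-4", MIL.MIL2, "Multi-factor authentication is required for remote access"),
    Practice("AC-5", MIL.MIL3, "Access-control metrics are reviewed on a set cadence and the policy adjusted"),
)


def _status(findings):
    """Map practice ID -> implemented flag; practices with no finding count as not implemented."""
    return {f.practice_id: f.implemented for f in findings}


def achieved_mil(rubric, findings):
    """Highest level n such that every practice at levels 1..n is implemented.

    Levels are treated as cumulative (an assumption modelled on MIL-style models): one gap
    at MIL1 holds the domain at MIL0 no matter how many higher-level practices exist.
    """
    status = _status(findings)
    level = MIL.MIL0
    for mil in (MIL.MIL1, MIL.MIL2, MIL.MIL3):
        required = [p for p in rubric if p.mil == mil]
        if not all(status.get(p.id, False) for p in required):
            break
        level = mil
    return level


def gaps(rubric, findings, target):
    """Unimplemented practice IDs at or below `target`, lowest level first: the incremental
    steps an organisation would take to reach its chosen fit-for-purpose level."""
    status = _status(findings)
    return [p.id for p in sorted(rubric, key=lambda p: p.mil)
            if p.mil <= target and not status.get(p.id, False)]


def deviation_rate(rubric, findings):
    """Share of rubric practices not implemented; a rough counterpart to the spread of the
    distribution curves: the wider the curve, the more practices fall outside best practice."""
    status = _status(findings)
    missing = sum(1 for p in rubric if not status.get(p.id, False))
    return missing / len(rubric)


# Constructed assessment results for two hypothetical organisations.
LOW_MATURITY = (
    Finding("AC-1", False, "relays still on vendor default passwords (anti-pattern)"),
    Finding("AC-2", False, "users forced to change passwords every 30 days (questionable)"),
    Finding("AC-3", False, "no credential reset after a suspected breach"),
    Finding("AC-4", True, "MFA enforced on the remote-access gateway"),
    Finding("AC-5", False),
)
HIGH_MATURITY = (
    Finding("AC-1", True),
    Finding("AC-2", True),
    Finding("AC-3", True),
    Finding("AC-4", True),
    Finding("AC-5", False, "metrics collected but no review cadence agreed yet"),
)


if __name__ == "__main__":
    for name, findings in (("low-maturity", LOW_MATURITY), ("high-maturity", HIGH_MATURITY)):
        print(f"{name}: achieved {achieved_mil(ACCESS_CONTROL, findings).name}, "
              f"deviation rate {deviation_rate(ACCESS_CONTROL, findings):.0%}, "
              f"gaps to MIL2: {gaps(ACCESS_CONTROL, findings, MIL.MIL2)}")
```

The point the numbers make is the one the article makes in words: the low-maturity organisation has MFA on remote access (a higher-level practice) yet sits at MIL0, because unchanged default passwords and forced 30-day rotation are gaps at the lowest level, and `gaps()` lists those lower-level steps first as the incremental path towards whatever target level the organisation judges fit for purpose.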


Figure 2 – Cybersecurity practices distribution curve for a low maturity organisation: the curve is wider around the centre (mean), where a larger number of questionable and bad cybersecurity practices slip through its operations.


Figure 3 – Cybersecurity practices distribution curve for a high maturity organisation: the curve is narrower around the centre (mean), where significantly more best practices are adopted than the less optimal practices.


Organisations that achieve a high level of cybersecurity maturity generally implement robust practices across all areas of cybersecurity. It is crucial to acknowledge that, even in these organisations, human errors and sub-optimal practices can occur. Learning from these mistakes and integrating the lessons into an ongoing improvement process is essential. This again parallels engineering and manufacturing, where feedback loops and iterative processes are vital to achieving excellence.

Should all organisations aim for the highest level of cybersecurity maturity, incorporating as many best practices as possible while eliminating all sub-optimal practices? Ideally, yes. However, realistically, an organisation should pursue a maturity level that suits its specific needs and circumstances.


What is “fit for purpose” for one organisation may not be for another, and is often determined by factors specific to that organisation, such as the risks it faces. In cybersecurity, this is referred to as a risk-based approach. For example, the owner of a small, low-output renewable generator may well face much lower risks (financial, operational, safety, etc.) than a country’s large transmission utility. Of course, if this small generator exchanges data with the distribution or transmission network or connects to the national grid, its connection to the grid will need to comply with the additional cybersecurity requirements specified by the relevant authorities. Despite this requirement, the generator will likely face lower risks in other operational aspects than a large utility. The grid might enforce zero-trust cybersecurity principles, for example treating the small generator as a low-trust entity and hence performing additional validation of exchanged data, or applying additional cybersecurity controls at the connection to the grid. This approach to cybersecurity, and the differing levels of trust and risk management between entities such as the small generator and the grid, is a complex subject that warrants its own detailed discussion. Essentially, the level of inherent risk varies across different companies.

Having a higher level of maturity invariably incurs additional cost and effort, which would eventually need to be passed along the electricity supply chain to consumers or taxpayers. Indeed, the C2M2 states that “Striving to achieve the highest MIL (maturity indicator level) in all domains may not be optimal. Companies should evaluate the costs of achieving a specific MIL versus its potential benefits” [3]. Unless there is a regulatory mandate to comply with a certain maturity level under specific cybersecurity standards, organisations should assess the appropriate “fit for purpose” target maturity level.

In summary, the adoption of cybersecurity initiatives is critically important, given the ever-growing threats to critical infrastructure in the electricity industry. There are many aspects to consider in bringing an organisation through the cybersecurity improvement journey, which may seem overwhelming. However, this should not dissuade or discourage companies from starting their cybersecurity journey or improving their cybersecurity posture: first identify the appropriate “fit for purpose” maturity level desired, and then take incremental steps to achieve it by adopting the appropriate levels of best practice within the cybersecurity standards and guidelines.

Still on the topic of cybersecurity, I would like to close by highlighting what our Study Committee is working on in the area of cybersecurity. Two interesting cybersecurity working groups are as follows:


  • WG D2.51 – Implementation of Security Operations Centres (SOC) in Electric Power Industry as Part of Situational Awareness System.
  • WG D2.54 – Regulatory Approaches to Enhance Electric Power Utilities’ Cybersecurity Frameworks.

Both working groups expect to publish their Technical Brochures at the end of this year or early next year.

Cybersecurity is just one part of the three areas we cover. With so much happening in our Study Committee in the areas of Artificial Intelligence (AI), drones, cloud computing, 5G, and telecommunications networks, just to name a few, I am looking forward to providing an update in these areas in our next CIGRE publications.


The upcoming Paris Session is going to be an exciting one for our Study Committee with a record-breaking number of papers in the above areas, including cybersecurity. I am already looking forward to the discussions and the exchange of ideas to be had with SC D2 members and experts worldwide in August this year.


References


[1] D. Budgen, Software Design, Addison-Wesley, 2023.

[2] P. Grassi et al., “NIST Special Publication 800-63B,” National Institute of Standards and Technology (NIST), 2020.

[3] F. Muneer et al., “Cybersecurity Capability Maturity Model (C2M2),” US Department of Energy, Office of Cybersecurity, Energy Security and Emergency Response, 2022.