Electricity Subsector Cybersecurity Capability Maturity Model
Efforts to establish standard security practices that can be broadly applied and implemented across the electric utility industry can be found in the evolving “Electricity Subsector Cybersecurity Capability Maturity Model” (ES-C2M2), which Balijepalli, Khaparde, Gupta, and Pradeep (2010) discuss as a tool which “can guide the transformation of an entire power grid forward towards smarter grid. This will assess the utility grid state for moving towards the vision of Smart Grid. Some of the utilities are planning their Smart Grid road maps and investments using ES-C2M2. This helps to establish a shared picture of the Smart Grid journey, communicate the Smart Grid vision, and internally and externally assess current opportunities, choices, and desired levels. This also helps in the strategic and decision making framework to develop business, investment and rate cases, build an explicit plan to move from one level to another, measure progress using key performance indicators (KPIs), benchmark and learn from others.” The ES-C2M2 parallels the CMMI model in form as follows, although to date the ES-C2M2 only measures through Level 3.
Figure 5: ES-C2M2 Maturity Levels (Source: DHS, 2011)
There are eight domains of logical groupings with related capabilities and characteristics at each maturity level as shown in Figure 6. Maturity Levels are defined for each domain to assess the current state of a utility’s overall maturity level.
Figure 6: Eight-Domain Elements of Smart Grid – the Logical Grouping (Source: DHS, 2011)
Cardwell (2013) has suggested that the ES-C2M2 be used as a litmus test for helping utilities achieve and maintain Maturity Level 3 status, though it is currently used simply as a tool for a utility to assess its own status.