The energy sector today became the first to release sector-specific guidance for its owners and operators to implement the Cybersecurity Framework developed last year by the National Institute of Standards and Technology (NIST).
In 2014, the NIST Cybersecurity Framework laid out a voluntary process for any company in any industry to strengthen their approach to managing cyber risk. Based on recognized standards and guidelines, it was, in essence, designed to set a national bar for cybersecurity practices in critical industries.
The Energy Sector Cybersecurity Framework Implementation Guidance provides a sector-specific entry point to the NIST Framework. We worked with the U.S. Department of Energy as it developed and refined the guidance with energy organizations. It’s a significant accomplishment for energy sector partners for a number of reasons.
First, it takes the industry-neutral approach of the NIST Framework and maps it in detail to an existing energy industry tool: the Cybersecurity Capability Maturity Model (C2M2), which electricity, oil, and natural gas organizations use to evaluate their cybersecurity capabilities and prioritize improvements. The guidance shows how organizations that adopt C2M2 can seamlessly demonstrate their implementation of the NIST Framework.
It also shows how a range of other existing tools and practices can support Cybersecurity Framework adoption. Using the guidance, organizations with robust cybersecurity practices can demonstrate their alignment with Framework practices with minimized effort; others can use the guided approach to strengthen their cyber risk management.
Second, while spearheaded by DOE, the guidance was developed by the industry, for the industry. Nexight Group helped facilitate bi-weekly conference calls with owners and operators from major electricity and oil and natural gas organizations and worked with a team of experts to develop the guidance document. We sought review and input from dozens of federal agencies, industry organizations, energy companies, and the public. A core group of owners and operators worked hard to make sure the document stayed concise and user-friendly as our team used input to repeatedly revise and refine the document over several months.
Finally, it puts the energy sector at the forefront of NIST Cybersecurity Framework adoption. Peer-driven guidance that promotes adoption of the Framework through common industry tools not only raises awareness—it encourages energy companies to join their peers in demonstrating that their practices are meeting the bar set by the NIST Cybersecurity Framework. Energy companies are attractive targets of cyber attack. Their voluntary collaboration in developing the C2M2 in 2012 and releasing this sector-specific guidance demonstrates a sector-wide commitment to collaboratively raising the bar for cybersecurity.