DOE rolls out version 2.1 of its C2M2 model, with significant refinements for energy sector

The U.S. Department of Energy (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has released Version 2.1 (V2.1) of the Cybersecurity Capability Maturity Model (C2M2). A free and voluntary resource, the C2M2 tool has been designed to help companies evaluate their cybersecurity capabilities and optimize their security investments.

“Though this is an iterative release, it marks the culmination of a multi-year effort by CESER and the energy industry to comprehensively review, validate, and substantively update the model from its last major release in 2014,” Fowad Muneer, acting deputy director for risk management tools and technologies, said in a statement. “Today’s release reflects important refinements to the model based on real-world testing and user feedback of Version 2.0, released in July 2021.”

The refresh of the C2M2 included two phases that resulted in significant model updates to address maturing cybersecurity approaches, such as zero-trust principles; technology advancements, like cloud, mobile, quantum computing, and artificial intelligence; and evolving threats, such as ransomware and supply chain risks. 

In the first phase, CESER leveraged an industry working group to substantially update the model for the Version 2.0 release to address rapid changes in the energy sector technology and threat landscape over the last decade. In the second phase, CESER solicited public comment and piloted the model with energy companies to validate the updates and other refined model practices with the working group. Many long-time users of the C2M2 are anticipating the Version 2.1 release as an opportunity to refresh their self-evaluations using the updated model and accompanying tools.

Most C2M2 domains contain practices that can be operationalized within the scope chosen for a self-evaluation (the function being evaluated). However, three domains—risk management, cybersecurity architecture, and cybersecurity program management—operate in an enterprise context: they define practices that benefit cybersecurity activities across the organization, regardless of the model scope.

Model users should recognize that these domains constitute enterprise programs that may be established and operate independently of the in-scope function, the DOE said. “For this reason, the initial objective in each domain is focused on the establishment and maintenance of the related program, which addresses the: development of a strategy for the program; governance over the program; alignment of the program to the organization’s mission and objectives; [and] coordination between the program and the strategy and objectives of related enterprise functions,” it added.

Additionally, the initial objective in each domain includes practice references to align the domain’s program strategy with other enterprise domains. 

While the model’s overall structure remains the same, Version 2.1 reflects several key updates since the last major release of Version 1.1 in 2014. The update provides revisions to two-thirds of model practices, including substantive changes and clarifications, along with additions, deletions, and combining of practices. Furthermore, a Cybersecurity Architecture domain was added focused on planning, designing, and managing the cybersecurity control environment.

Version 2.1 also makes significant updates to the risk management domain to incorporate leading risk management practices and strengthen coordination between cyber and enterprise risk management. The former ‘Dependencies’ domain has been refreshed and renamed the third-party risk management domain, so that the model addresses third-party IT and OT cybersecurity risks, such as sensitive data held in the cloud and vendors with privileged access, and builds supply chain security into organizational culture.

Additionally, version 2.1 of the C2M2 model folds the former information sharing domain’s activities into the threat and vulnerability management and situational awareness domains, and adds help text for each practice to improve clarity and consistency in how practices are applied.

Several key updates were made between Version 2.0 and the current Version 2.1 release based on real-world feedback, including the addition of practices to improve the comprehensiveness of cybersecurity activities addressed by the model and to align the model more closely with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Practices were also reordered and revised to improve their progression across maturity indicator levels and within objective areas, language was clarified, and concepts were made more consistent across the model.

The DOE also updated HTML-based and PDF-based tools that are now available to assist companies in conducting C2M2 V2.1 self-evaluations. The tools enable users to evaluate their organization’s implementation of model practices, record responses, and produce a report that summarizes results in various graphical visualizations. The report helps users communicate results to executive decision-makers, identify and prioritize cybersecurity improvements, and demonstrate growth in maturity over time.  

The tools include many usability improvements and feature updates requested by industry partners, including the option to pre-populate the tool with results from prior model versions. This allows users to focus on changed practices between versions and easily transition to the Version 2.1 release.

When requesting the self-evaluation tools, users will also receive additional resources to support a self-evaluation, including tool user guides, a Self-Evaluation Guide, and presentation materials to support the facilitation of self-evaluations.

The C2M2 Version 2.1 builds on the model’s initial development and is strengthened by the public-private partnership behind it, its alignment with best practices and the energy sector, and its descriptive, rather than prescriptive, guidance.

The model defines four maturity indicator levels (MILs), MIL0 through MIL3, which apply independently to each domain in the model. Four aspects of the MILs are important for understanding and applying the model. First, the maturity indicator levels apply independently to each domain. An organization using the model may be operating at different MIL ratings in different domains. 

For example, the DOE said that an organization could operate at MIL1 in one domain, MIL2 in another domain, and MIL3 in a third domain. The MILs—MIL0 through MIL3—are cumulative within each domain. To earn a MIL in a given domain, an organization must perform all practices in that and preceding levels. For example, an organization must perform all the domain practices in MIL1 and MIL2 to achieve MIL2 in the domain. Similarly, the organization must perform all practices in MIL1, MIL2, and MIL3 to achieve MIL3. 

In the C2M2 self-evaluation tools, the DOE said the practice is considered performed if a response of ‘Fully Implemented’ or ‘Largely Implemented’ is selected. Establishing a target MIL for each domain is an effective strategy for using the model to guide cybersecurity program improvement. 

Organizations should become familiar with the model’s practices before determining target MILs. Then, they can focus gap analysis activities and improvement efforts on achieving those target levels. The DOE said that practice performance and MIL achievement must align with business objectives and the organization’s cybersecurity program strategy. Striving to achieve the highest MIL in all domains may not be optimal. Companies should evaluate the costs of achieving a specific MIL versus its potential benefits. However, the model was designed so that all companies, regardless of size, should be able to achieve MIL1 across all domains, it added.
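The MIL rules above (levels are cumulative within a domain, and a practice counts as performed only when the response is Fully or Largely Implemented) are simple enough to encode, which is useful when an organization wants to score exported self-evaluation responses or run a gap analysis against a target MIL outside the DOE tools. The script below is an added illustration written for this article, not code from the DOE or the C2M2 toolset; the domain names, practice IDs and responses are constructed for the example and are not actual model practices.

```python
from collections import defaultdict
from dataclasses import dataclass

# Response options used by the C2M2 self-evaluation tools. A practice counts
# as "performed" only when the response is Fully or Largely Implemented.
PERFORMED = {"Fully Implemented", "Largely Implemented"}
ALL_RESPONSES = PERFORMED | {"Partially Implemented", "Not Implemented"}


@dataclass(frozen=True)
class Practice:
    domain: str       # constructed domain label for the example (e.g. "ASSET")
    mil: int          # MIL at which the practice is required: 1, 2 or 3
    practice_id: str  # constructed label, not a real C2M2 practice number
    response: str


def achieved_mil(practices):
    """Return the MIL (0..3) earned by one domain's practices.

    MILs are cumulative: MIL n is earned only when every practice at MIL 1..n
    is performed. A single unperformed MIL1 practice leaves the domain at MIL0,
    even if every MIL2 and MIL3 practice is performed.
    """
    by_level = defaultdict(list)
    for p in practices:
        if p.response not in ALL_RESPONSES:
            raise ValueError(f"{p.practice_id}: unknown response {p.response!r}")
        by_level[p.mil].append(p)
    level = 0
    for mil in (1, 2, 3):
        # Stop at the first level with no practices recorded or any gap.
        if not by_level[mil] or not all(p.response in PERFORMED for p in by_level[mil]):
            break
        level = mil
    return level


def score_domains(practices):
    """Map each domain to its achieved MIL; domains are scored independently."""
    by_domain = defaultdict(list)
    for p in practices:
        by_domain[p.domain].append(p)
    return {d: achieved_mil(ps) for d, ps in sorted(by_domain.items())}


def gap_to_target(practices, domain, target_mil):
    """Practices in `domain` at or below `target_mil` that are not yet performed.

    This is the to-do list an organization works through after choosing a
    target MIL for the domain; practices above the target are ignored.
    """
    return sorted(
        p.practice_id
        for p in practices
        if p.domain == domain and p.mil <= target_mil and p.response not in PERFORMED
    )


# Constructed sample responses for three hypothetical domains.
SAMPLE_RESPONSES = [
    # ASSET: all MIL1 and MIL3 practices performed, but one MIL2 practice is only
    # partially implemented, so the cumulative rule caps the domain at MIL1.
    Practice("ASSET", 1, "ASSET-1a", "Fully Implemented"),
    Practice("ASSET", 1, "ASSET-1b", "Largely Implemented"),
    Practice("ASSET", 2, "ASSET-2a", "Fully Implemented"),
    Practice("ASSET", 2, "ASSET-2b", "Partially Implemented"),
    Practice("ASSET", 3, "ASSET-3a", "Fully Implemented"),
    # THREAT: one MIL1 practice not implemented, so the domain sits at MIL0.
    Practice("THREAT", 1, "THREAT-1a", "Not Implemented"),
    Practice("THREAT", 1, "THREAT-1b", "Fully Implemented"),
    Practice("THREAT", 2, "THREAT-2a", "Fully Implemented"),
    Practice("THREAT", 3, "THREAT-3a", "Fully Implemented"),
    # RISK: every practice performed at every level, so the domain earns MIL3.
    Practice("RISK", 1, "RISK-1a", "Fully Implemented"),
    Practice("RISK", 2, "RISK-2a", "Largely Implemented"),
    Practice("RISK", 3, "RISK-3a", "Fully Implemented"),
]

if __name__ == "__main__":
    print(score_domains(SAMPLE_RESPONSES))           # {'ASSET': 1, 'RISK': 3, 'THREAT': 0}
    print(gap_to_target(SAMPLE_RESPONSES, "ASSET", 2))  # ['ASSET-2b']
```

The ASSET case is the one worth noticing: its MIL3 practice is fully implemented, yet the domain scores MIL1 because a MIL2 practice is only partially implemented. That is the cumulative rule in action, and it is why the DOE recommends setting a target MIL per domain and working the gap list rather than chasing isolated higher-level practices.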

Last week, the DOE’s Securing Energy Infrastructure Executive Task Force (SEI ETF) highlighted the work done over the last two years to advance the state of the practice for industrial control systems (ICS) cybersecurity. Portions of this jointly developed technical work are now being adopted and expanded by the International Society of Automation (ISA) and MITRE’s Common Weakness Enumeration (CWE) framework.
