Dept. of Energy wants electric utilities to create “cybersecurity governance board”

The Dept. of Energy (DoE) has issued a call to electric-power companies that encourages them to make cybersecurity a top priority by setting up a cybersecurity governance board to oversee an internal cybersecurity protection program and to share information with the DoE.

In exchange for sensitive information, such as details of identified network vulnerabilities or attacks, the government will share the benchmarking data that is given to it anonymously with any other utility that participates in the information-sharing.


These ideas, among others, are contained in what the DoE is calling the Electricity Subsector Cybersecurity Capability Maturity Model, Version 1.0. This document, a joint effort of dozens of representatives from the government and the U.S. electric industry, is said to be a White House initiative. It calls for electric-power companies to appoint a senior executive for cybersecurity who will report to the company's board.

"Senior management doesn't have a very good understanding of their security posture," says Andy Bochman, whose job as IBM's Energy Sector Leader in the IBM Security Systems Division grants him insight into how the whole U.S. power grid works.

Unlike other types of enterprises, many utilities today, whether on their enterprise business side or their industrial-control systems side, do not have a chief information security officer (CISO) or a chief security officer (CSO) at all, says Bochman. But the evolution of the electric grid, especially as the so-called smart grid takes shape with more interactive information collection and management with consumers, means they need a CISO or CSO more than ever. He says they need an individual acting as a vice president of security who can report directly to the company CEO or board of directors. He adds it's better here not to report to the CIO but to go directly to the top of the company.

This is a central concept contained in the lengthy Electricity Subsector Cybersecurity Capability Maturity Model document, and Bochman is among the dozens of representatives from industry, the government and the electric sector that provided input into the document. Others outside of DoE include representatives from the Carnegie Mellon University Software Engineering Institute CERT program; Duke Energy; Oncor; Vermont Electric Cooperative; UtiliSec; American Electric Power; Dept. of Defense; CenterPoint Energy; Consolidated Edison; Baltimore Gas & Electric; Southern California Edison; and several more.

The DoE guidance, over 90 pages, says the government hopes electric-power companies will each establish a cybersecurity governance board that will develop a cybersecurity strategy for the utility and recruit a new vice president of cybersecurity to implement a program based on the strategy. The cyber strategy is expected to be approved by the utility's top management before it's carried out through the business groups.

The DoE document also suggests that utilities should not assume cyber-incidents won't happen; they should be prepared to respond publicly about any immediate and collateral damage from potential incidents and the public relations issues that follow.

The topic of cybersecurity and critical infrastructure protection has become fiercely debated recently in Congress, where the current critical-infrastructure cybersecurity legislation has stalled because Republicans are blocking it from a vote. That situation has left the White House angered, and it's letting it be known that President Obama is considering taking executive action related to cybersecurity controls over industry if the legislation doesn't move forward.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:


