As cyber threats increase and become more mature, utilities must continually analyze and improve the effectiveness of security programs. Moreover, utilities must administer their security programs across both conventional information technology (IT) and operational technology (OT) systems.

Utilities must even be ready to quantify the investments and technologies needed to satisfy rate case requirements. Determining a utility’s existing cybersecurity posture may be a necessary initiative. Lord Kelvin famously observed, “When you'll measure what you're speaking about, and express it in numbers, you recognize something about it.”

As a part of the electrical Power Research Institute’s (EPRI) research program in Cyber Security, we initiated a collaborative effort with the Edison Electric Institute, the American Public Power Association, the National Rural Electric Cooperative Association, the Utilities Telecom Council, and therefore the SANS Institute to look at security metrics for the electrical sector. In 2015 the association made a security metrics methodology and a framework for building security metrics. In 2016 the group revised the methodology and developed specific metrics for utilities to use as a start line in evaluating their own posture and path forward.

A Practical Methodology for Cyber Security Metrics Development

EPRI’s research commencement incorporated five common-sense rules to our metrics advancement:

• Utility cybersecurity metrics must be supported by quantitative and repeatable data

• Metrics must be autonomous of compliance to compulsory standards

• Metrics must leave tailoring across the utility’s business units, functions, and ownership structures

• Metrics must take into consideration the difference between IT and OT architectures

• Metrics must be ready to clearly communicate the utility’s state of cybersecurity to different stakeholders

EPRI’s approach, shown within the metrics “pyramid” organizes data points, then rolls them up and assigns a weight of importance to either an operational, tactical, or strategic metric. The resulting tiers of knowledge will help a broad range of utility stakeholders gain improved knowledge about cybersecurity postures and thus inform decision-making about policies, investments, and action plans.

“Determining a utility’s existing cybersecurity posture may be a necessary first step" 

More than 100 data points provide the quantitative foundation for the metrics, consisting of varied operational statistics collected from different points in utility operations. The supply and quality of those data are important factors in metrics calculations.

Operational metrics measure real-time, day-to-day operations like logs, rule sets, and signatures. Tactical metrics address programmatic health and progress within the organization. Vital metrics calibrate corporate risk and alignment of the metrics to the direction of the business.

A Cyber Security Scorecard for Utilities

Each succeeding layer of metrics is predicated on rolling up the lower level metrics to the higher-level ones. As shown within the figure, the top-level, three strategic metrics are calculated from 11 tactical metrics; and every tactical metric is calculated by summarizing relevant operational metrics. As data points shift, the effects are reflected in metrics calculations and scorecards.

A Path Forward

As a comparatively new field, security metrics aren't as mature or robust as metrics in finance, reliability operations, or safety. However, EPRI’s collaborative research and practical methodology offer an optimal, standardized and complementary approach utilities can use to gauge their own postures and resulting action plans.

Check out: Top Cyber Security Companies