C2M2 – Cybersecurity Capability Maturity Model: What is it and why is important for organisations to incorporate it?

Cyber-attacks on critical information infrastructure in the energy and utility industry have been increasing. The Ukrainian Power Grid cyber incident which resulted in power outages across Ukraine on the 23 December 2015 demonstrated the continuous need for the industry to improve its resiliency against cyber-attacks. NIST (National Institute of Standards and Technology) has long promoted the information security risk framework, standards and technical controls required to secure both the Operation Technology (OT) and Information Technology (IT) within the electricity, oil and gas industry. There is a strong call by the industry watchdog to improve security management practices and implement the required NIST security controls, one of the key learnings about how the Ukrainian Power Grid hack could have been avoided.

To further support the board and business leaders of the industry in understanding its cyber security risk posture, the Department of Energy in the United State, through a consultative process between the industry peak bodies in North America and NIST, has developed a Cybersecurity Capability Maturity Model (C2M2) which provide a best practice guide in assessing  the cyber security maturity of the business in the electricity or oil and gas, regardless of the organisation size and complexity of technology. The C2M2 speaks a common language and understanding across 4 levels of maturity (MIL – Maturity Indication Level), providing decision makers a dashboard view of its risk posture across 10 security domains, associating the level of investment the business needs to make with the level of cyber security maturity and risk appetite.

The C2M2 is not a standard or a regulatory requirement. However, the North American’s energy and utility sectors have widely adopted C2M2 as a common cyber maturity reporting tool for the industry. The model provide a descriptive rather than prescriptive guidance. The model allows board member to benchmark its cyber security capability between its peers in the industry and inform the required security program. Underpinning C2M2 are the alignment of various security standards applicable in North America, ISO27001 and NIST. ES-C2M2 are aligned for the Electricity subsector, and ONG-C2M2 is aligned with the Oil & Gas subsector. DAMS-C2M2 for water and dam infrastructure has also recently been published.

There has been a significant interest in the Australian energy and utility industry to adopt the C2M2 as a benchmark for the industry as well. The national peak body of the industry such as Energy Networks Australia and the Australian Energy Market Operator (AEMO) are very supportive of this move and since late 2017 several key electricity service providers in the country have performed an ES-C2M2 benchmark assessment.

The C2M2 benchmark assessment will achieve its full potential when it could fully inform the required scope of the security program and the priority of activities to support the desired cyber maturity.  Sense of Security has facilitated several C2M2 assessment and aligning the model with a more relevant security controls for the local industry, such as ISO27001, NIST, ASD Essential 8 and Information Security Manual. A typical maturity program of such nature requires 12 to 24 months of prioritised stream of works and a cyclic maturity assessment to understand the progress of the investment made.

For more information or to discuss your C2M2 requirements today please contact us on 1300 922 923 or fill out our contact us form below
Contact Us.