USAID
The USAID SUPER TO Plan to Enhance Technical Controls Workshop is a comprehensive initiative aimed at strengthening the cybersecurity posture of [UTILITY NAME], a power utility.
2023 · 22 pages

Abstract
The workshop is part of the USAID SUPER (Strengthening Utilities and Promoting Energy Reform) task order, which seeks to enhance the technical controls of utilities in the energy sector. The workshop focuses on three key areas: Domain Objectives and Leading Practices, Discussion and Q&A, and Activity Summary. The Domain Objectives and Leading Practices section outlines the 10 cybersecurity domains identified by the Cybersecurity Capability Maturity Model (C2M2) framework. These domains are aligned with the 10 governance pillar domains in the Distributed Energy Resource Cybersecurity Framework (DERCF) assessment. The C2M2 model was developed by the United States Department of Energy to provide guidance on the implementation and management of cybersecurity practices related to information technology (IT) and operational technology (OT) assets. The model identifies 10 cybersecurity domains, each containing multiple objectives and practices. The purpose of the workshop is to provide insight into practices to achieve MIL1 status, organized by the 10 domains. The workshop covers three priority domains identified in the DERCF assessment: Asset, Change, and Configuration Management; Threat and Vulnerability Management; and Risk Management. Each domain has its own objectives, leading practices, and MIL1 practices. The workshop aims to improve the cybersecurity posture of [UTILITY NAME] by using the C2M2 model and focusing on these three priority domains. The Asset, Change, and Configuration Management domain is responsible for managing IT and OT assets. The objectives of this domain include managing IT and OT asset inventory, managing information asset inventory, managing IT and OT asset configuration, and managing changes to IT and OT assets. The leading practices for implementation include formalizing asset inventory activities within an Organizational Security Policy document, creating a definition for information assets, and implementing a Configuration Management Plan. The Threat and Vulnerability Management domain establishes plans, procedures, and policies to detect and respond to cybersecurity incidents. The objectives of this domain include reducing cybersecurity vulnerabilities, responding to threats, and sharing threat information. The leading practices for implementation include creating a Security Operations Center (SOC) team, leveraging Gartner or OWASP recommended vulnerability assessment solutions, and leveraging CISA's action plan to manage vulnerabilities. The Risk Management domain establishes and operates a cyber risk management program to identify, analyze, and respond to cyber risks. The objectives of this domain include establishing a strategy, identifying cyber risk, analyzing cyber risk, and responding to risk. The leading practices for implementation include integrating cyber risks into broader enterprise-wide risk management strategies, using a Risk Register to inform mitigation plans, and utilizing the NIST Common Vulnerability Scoring System to understand risks. The workshop aims to provide participants with the knowledge and skills necessary to improve the cybersecurity posture of [UTILITY NAME] by using the C2M2 model and focusing on the three priority domains. By the end of the workshop, participants will be able to identify gaps and areas in need of improvement, assign roles and responsibilities, and develop a strong OT security practices and policies.
Connected topics
Classification