Nader Mehravari

Evaluating and improving cybersecurity capabilities of the energy critical infrastructure

This paper describes the Cyber Security Capability Maturity Model (C2M2) and two tailored versions of the model for the energy sector the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) and the Oil & Natural Gas Cybersecurity Capability Maturity Model (ONG-C2M2). These are proven tools which allow owners and operators of components of electricity and oil & natural gas critical infrastructure to assess their cybersecurity capabilities and informs the prioritization of their actions and investments to improve cybersecurity. The models combine elements from existing cybersecurity efforts into a common tool that can be used consistently across the industry. The goal of these models and associated tools are to support ongoing development and measurement of cybersecurity capabilities within the electricity and oil and natural gas subsectors. The model can be used to: (1) Strengthen cybersecurity capabilities in the subsector, (2) Enable subsector entities to effectively and consistently evaluate and benchmark cybersecurity capabilities, (3) Share knowledge, best practices, and relevant references within the subsector, as a means to improve cybersecurity capabilities, and (4) Enable subsector entities to prioritize actions and investments to improve cybersecurity. In this paper we will provide background on the C2M2, including the model architecture, an overview of the domains, and the model practices. We will explain the Cybersecurity Self Evaluation Survey Tool, which helps electric utilities and grid operators use the model to identify opportunities to further develop their own cybersecurity capabilities. Finally, we will share information about how these models have successfully been utilized by an ever increasing number of entities and plans for their continued stewardship, evolution, and applications to other types of organizations.

A proven method for identifying security gaps in international postal and transportation critical infrastructure

The safety, security, and resilience of international postal, shipping, and transportation critical infrastructure are vital to the global supply chain that enables worldwide commerce and communications. But security on an international scale continues to fail in the face of new threats, such as the discovery by Panamanian authorities of suspected components of a surface-to-air missile system aboard a North Korean-flagged ship in July 2013 [1].This reality calls for new and innovative approaches to critical infrastructure security. Owners and operators of critical postal, shipping, and transportation operations need new methods to identify, assess, and mitigate security risks and gaps in the most effective manner possible.

Resilience management through use of CERT-RMM & associated success stories

The CERT Resilience Management Model (CERT-RMM) is the most modern and comprehensive framework for managing operational resilience in a variety of organizations; small or large, simple or complex, public or private. It enables a structured, repeatable, and integrated method for organizations to plan, assess, manage, and sustain not only preparedness planning efforts (e.g., disaster recovery, business continuity, crisis management) but also other key operational risk management activities such as information security and IT operations. In this paper, we share practical and successful applications of CERT-RMM from a wide variety of organizations ranging from the Department of Homeland Security, to the Department of Energy, to the US Postal Service, to industry giants such as Lockheed Martin.