Cybersecurity Policy for Water and Electricity Infrastructures

This course will examine the drinking water and electricity infrastructures, and various policies that have been developed to help guide and strengthen their cybersecurity programs. The drinking water and electricity infrastructures are two of fourteen subsectors comprising what are known as "lifeline infrastructure". The 2013 National Infrastructure Protection Plan identifies four lifeline infrastructure sectors: 1) water, 2) energy, 3) transportation, and 4) communications. These sectors are designated "lifeline" because many other infrastructures depend upon them. The drinking water subsector is part of the water sector, and the electricity subsector is part of the energy sector. Both subsectors are overseen by the Department of Homeland Security National Protection and Programs Directorate which manages the DHS National Infrastructure Protection Program. The NIPP employs a five-step continuous improvement program called the Risk Management Framework. NIPP implementation is overseen by DHS-designated Sector-Specific Agencies staffed by various Federal departments. The Sector-Specific Agencies work in voluntary cooperation with industry representatives to apply the Risk Management Framework and document results in corresponding Sector-Specific Plans. The program began in 2007 and the most recent Sector-Specific Plans were published in 2016. In February 2013, President Obama issued Executive 13636 directing the National Institute of Standards and Technology to develop a voluntary set of recommendations for strengthening infrastructure cybersecurity measures. EO13636 also asked Federal agencies with regulating authority to make a recommendation whether the NIST Cybersecurity Framework should be made mandatory. The Environmental Protection Agency who is both the SSA and regulatory authority for the drinking water subsector recommended voluntary application of the NIST Cybersecurity Framework. The Department of Energy who is both the SSA and regulatory authority for the electricity subsector replied that it was already implementing the Electricity Subsector Cybersecurity Capability Maturity Model, which indeed was what the NIST Cybersecurity Framework was based on. The Department of Energy, though, recommended voluntary application of the ES-C2M2. This module will examine both the drinking water and electricity lifeline infrastructure subsectors, and elements and application of the NIST Cybersecurity Framework and ES-C2M2.