Deriving a capability maturity model for electric utility security assessment.
Endicott-Popovsky, Barbara ; Lockwood, Diane L.
ABSTRACT
The pressures of "better, faster, cheaper" have driven
electric utilities to find new, more efficient, cost-cutting approaches
to doing business such as using low cost public networks like the
Internet for data communications. While many utilities have rushed to
take advantage of the apparent benefits, the new security
vulnerabilities these technologies introduce have not been fully
appreciated. As a result, many utilities are not aware of the potential
threats and impacts such vulnerabilities may introduce, nor are they
prepared to assess these risks fully. This paper describes a security
assessment tool, the Critical Infrastructure Capability Maturity Model
(CI-CMM), which is designed to assist the power industry in determining
whether their security processes are adequate, including those that
address the threats posed by potential electronic intrusion. This
proposed new model is based on a derivative of the Software Engineering
Institute's Capability Maturity Model (CMM), which has become a
well-established tool for assessing the effectiveness of a firm's
software development processes. Use of this proposed new tool should not
only identify potential security problems, but also provide needed
education and awareness to utilities submitting to the assessment
process.
INTRODUCTION
While physical destruction due to natural occurrences is still the
greatest threat facing North American electric utilities, the growing
vulnerability to electronic intrusion has been well documented. The
White House report by the National Security Telecommunications Advisory
Committee (NSTAC) states that "the security of electric power
control networks represents a significant emerging risk to the electric
power grid" (NSTACIA, 1997), (Oman, Schweitzer & Frincke,
2000). These systems are increasingly vulnerable to hackers, disgruntled insiders and terrorists; yet, at the same time, traditional security
assessment models used by electric utilities have continued to emphasize
physical threats (IEEE-PES, 2000).
Recent research has shown the validity of applying tools and
techniques from the Infosec community to the safeguarding of critical
components of electric utility infrastructures (Oman, Risley, Roberts
& Schweitzer, 2002). Likewise, by drawing from techniques used by
the InfoSec community to assess the effectiveness of computer security
processes, this paper provides an approach for assisting utilities in
assessing security risks to their critical infrastructure, including
those posed by potential electronic intrusion. Realizing that education
and awareness is an important first step to recognizing security risks,
this process will also provide valuable learning experiences for those
undertaking it (IEEE-PES, 2000).
We begin with a description of what is included in the definition
of a critical infrastructure system, then provide an overview of the
kinds of assessment models available to the InfoSec community. We
discuss how to adapt these models to evaluating security at electric
utilities and then make recommendations about how to apply and interpret
them during an onsite assessment.
SCOPE OF CRITICAL INFRASTRUCTURE SYSTEMS
We have broadened the definition of critical infrastructure to
include not only technology, but also the people and processes necessary
to run it and the physical boundary that offers the first level of
protection.
[FIGURE 1 OMITTED]
People
According to IEEE1402, ignorance is a significant vulnerability in
the face of intrusion threats (IEEE-PES, 2000). If individuals working
for a public utility are unaware of security vulnerabilities, they might
ignore security practices that they perceive as being of no value other
than making work more difficult.
The level of security awareness, and the skills and training in
security of the people working with a critical infrastructure system,
affect its level of vulnerability. Lack of knowledge and awareness of
security threats on the part of users make systems more susceptible to
intrusion. If we want to assess the security of a critical
infrastructure, we must include assessment of the knowledge and skills
of the people running it.
Processes
In addition, certain processes must be in place and followed to
assure critical infrastructure system security. A component secured by
some form of authentication might as well have none if the factory-set
default password is not changed upon installation. A surprising majority
of utilities leave default passwords in place making systems vulnerable
to easy intrusion (Oman, 2003).
Password management is another good example. Firms need to develop
processes for creating strong passwords and changing them on a periodic
basis. Hacking tools have become increasingly effective. Password
models, considered good protection a few years ago, are now vulnerable
to cracking in a reasonable period of time (Oman, Schweitzer &
Frincke, 2000). Organizations seeking to secure their systems should
develop processes to harden passwords and to gain the cooperation and
support of users to follow them.
Technology
Technology is the centerpiece of critical infrastructure; however,
security cannot be achieved by just buying a technology. If the
technology is not managed using the right processes, it will not achieve
its desired end. Technologies must be used properly, and this proper use
must be monitored and enforced. An authentication system, turned off
because it takes users too long to gain entrance to a system (causing
complaints to a system administrator) provides no protection.
Physical Boundary
The first line of defense of any critical infrastructure is the
physical facility in which it is located. If the system in question is a
network of distant components, we might investigate whether the facility
is protected by adequate lighting, fences, or guarded gates. If the
system is housed entirely in a single building, we might check whether
there are cipher locks on doors or coded entry systems requiring more
than one vector of authentication (IEEE-PES, 2000). Security of physical
boundaries affects the vulnerability of the entire system and will be
included in our assessment model; however, since physical security at
electric utilities is covered in other sources, we will not elaborate
further on this dimension other than to include it in the CI-CMM
(IEEE-PES, 2000).
In summary, when assessing the security level of critical
infrastructure systems, it is not enough to look at technology. The
people, processes and physical boundaries of such systems will also
affect the level of security. Any assessment model that purports to
evaluate the security of critical infrastructures must also take into
account the people, processes and physical boundaries of the system in
question.
THE CRITICAL MATURITY MODEL APPROACH
The Software Engineering Institute's (SEI's) original
Capability Maturity Model (CMM) is a framework describing the key
elements of an effective software development process (Paulk, Curtis,
Chrissis & Weber, 1993; Paulk, Weber, Garcia, Chrissis & Bush,
1993). In the ten years since it was first published, the framework has
proved to be a strong theoretical base for developing other process
maturity models for other domains. With its focus on processes and the
proficiency of the people executing them, the CMM makes a good candidate
assessment model to adapt for critical infrastructure assessments.
SEI, itself, has adapted the CMM to a number of different domains.
Table 1 describes derivative CMM models that SEI has under current
development. They range from a People Capability Maturity Model that
addresses the maturity of the human resources infrastructure of an
organization, to a Software Acquisition Capability and Maturity Model
that proposes best practices for software purchases based on
benchmarking government and military procurement practices.
Other organizations in other domains have exploited the versatility
of the CMM, as well. The International Institute for Learning and its
leading practitioner, Harold Kerzner, have developed the Project
Management Maturity Model designed to assist firms in evaluating the
maturity level of their project management infrastructure (Kerzner,
2001). Other, similar models have been developed by groups like the
International Standards Organization (SPICE, 1995).
Of greater interest to the researchers is the NSA-developed CMM
derivative, the INFOSEC Assessment Capability Maturity Model (IA-CMM),
which is used to appraise the ability of an organization that conducts
the INFOSEC Assessment Process, to support its assessors. This version
of the CMM served as a template for the development of the CI-CMM.
The CMM Meta Structure
A Capability Maturity Model is built using a step-by-step process
that begins by identifying the distinguishing capabilities an
organization has when it is at one of several specific maturity levels
prescribed in the model. The maturity levels for the original CMM (for
software development) are shown below in Table 2.
According to the model, organizations must pass through all levels,
sequentially, from lowest to highest in number, on their way toward
Level 5, continuous process improvement. At Level 1, chaos reigns. To
get anything done requires the push and persistence of strong
personalities. At a Level 2, the organization has described processes
for developing software that are regarded as guidelines for managing
software development. At a Level 3, processes established at Level 2 are
now considered standards that must be followed. At a Level 4, the
organization establishes and collects metrics for managing these
standard processes so that they become predictable. At a Level 5,
processes are managed proactively. They are evaluated periodically and
the feedback is used to upgrade and improve processes, continuously. The
journey toward continuous process improvement is relevant in any domain
and is one of the main architectural building blocks of any Capability
Maturity Model.
Referring to Figure 2 on the next page, once capabilities are
assigned to each maturity level, key process areas are identified,
together with goals that can be attained using these process areas. In
the next step, common features characterizing the successful
implementation of these process areas are determined. Finally, key
practices that indicate successful implementation of the common features
(defined as infrastructure in place or activities performed) are
described. Once key practices are defined, it is relatively easy to
formulate questions that, when asked, would determine the presence of
that key practice.
[FIGURE 2 OMITTED]
This analytical process, outlined in Figure 2, is common to each
version of the CMM mentioned previously and is another major
architectural building block of a Capability Maturity Model. The
questions tied to each key practice that fall out of this analysis
become an ideal assessment tool for determining the maturity level of an
organization's processes, in other words, how reliable a
firm's process infrastructure is.
The CMM Maturity Levels and the CMM Development Process are the
basic architectural components of any Capability Maturity Model and were
employed in the development of the CI-CMM, the Critical Infrastructure
Capability Maturity Model.
DEVELOPMENT OF THE CI-CMM
The Critical Infrastructure Capability and Maturity Model (CI-CMM)
was developed in order to evaluate the state of security of
organizations in the critical infrastructure domain. It is a collection
of best practices an organization should adopt in order to secure its
critical infrastructure.
The CI-CMM draws upon a CMM derivative model, the INFOSEC
Assessment-CMM (IA-CMM), that appeared to be the best analog for a
CI-CMM (SPICE, 1995). Additional sources included 1) the IEEE1402, which
documents methods and designs to mitigate intrusions (NSA-INFOSEC,
2003), and 2) several recent publications that provide technical
solutions for security problems in the critical infrastructure of
electrical utilities (Oman, 2003; Oman, 2001; Oman, Risley, Roberts &
Schweitzer, 2002; Oman, Schweitzer & Roberts 2002; Oman, Schweitzer
& Frincke, 2000). Best practices for security in critical
infrastructure, defined for this initial version of the CI-CMM, were
grouped into process areas, by categories that correspond to the basic
components of critical infrastructure identified earlier:
People
Processes
Computer Technology
Boundary Defense
Within each category a set of processes was defined, each
containing a series of key practices describing how a critical
infrastructure would be managed, ideally, for optimal security. The
steps taken to produce Version 1.0 are shown in Figure 4 below.
[FIGURES 3-4 OMITTED]
Process Areas
The CI-CMM contains 7 process areas, each of which is composed of
key practices that map to questions that can help the assessor determine
the organization's appropriate capability level for that process.
An analysis of the answers will lead to making recommendations for
closing security vulnerabilities discovered in the assessment process.
The 7 CI-CMM process areas are listed in Table 3 below by category.
Maturity Levels
The CI-CMM contains 6 levels of maturity as defined in Table 4.
Each maturity (capability) level was applied to each process area
in order to define the common features that would describe an
organization at that particular maturity level. For example, an
organization at a Level 1, where chaos reigns, would have different
features than an organization at a Level 5, where processes are under
control and managed proactively, anticipating problems before they
happen. At Level 1, an assessor would not expect to find any repeatable
processes. At a Level 5, an assessor would expect to see not only
standardized processes being followed, but also metrics being collected
from these processes and being used to determine what process
improvement projects an organization might undertake. Describing the
generic practices expected at each capability level first assisted in
defining the key practices associated with each process area. That
approach is shown below in Figure 4.
From key practices, questions were developed for a CI-CMM
assessment questionnaire to be used as an assessment tool for evaluating
the level of security at an electric utility. Appendix A lists, grouped
by domain category, the key practices of each key process area and the
questions related to them.
CONCLUSIONS AND FUTURE RESEARCH DIRECTIONS
We have presented a new Capability Maturity Model, the Critical
Infrastructure Capability Maturity Model (CI-CMM) which is based on the
basic architecture of the Software Engineering Institute's
Capability Maturity Model. While this model was developed as an
assessment tool to evaluate critical infrastructure security in the
electric utility, it could be applied to assessing critical
infrastructure in other industries, as well.
What remains is employing this tool during an assessment at an
actual utility. The original CMM has been honed and refined over years
of application. The CI-CMM is only in its first version. It is
anticipated that, with use, it will be updated and changed over time.
Honing this tool through application in the electric utility should lead
to understanding how it might be used in other industries such as water,
natural gas, oil, and transportation. It is anticipated that this single
tool can be employed within any industry having critical infrastructures
to protect.
APPENDIX A ASSESSMENT QUESTIONS
PEOPLE CATEGORY
Within this category are those processes required to assure that the
people who are managing and working within a secured environment are
properly prepared to adhere to best security practices. While the
purpose of the CI-CMM model is to assist in assessing the relative
security of critical infrastructure systems, the boundary of those
systems must be drawn to include the people and processes used to run
them.
[FIGURE 5 OMITTED]
As an example, if individuals working for a public utility are unaware
of security vulnerabilities, they might ignore security practices that
they perceive as being of no value other than making their work more
difficult. According to IEEE1402, ignorance is a significant
vulnerability in the face of intrusion threats.
The process areas/key practices within the People Category include:
PA01--Provide ongoing skills and knowledge to support security
Identify security training needs
Select/Develop training opportunities
Train
Assess the effectiveness of training
PA02--Provide company-wide security awareness
Develop awareness program
Disseminate awareness information
Measure the effectiveness of awareness program
QUESTIONS: PEOPLE CATEGORY
PA01--Provide ongoing skills and knowledge to support security
PA01.1--Identify security training needs
PA01.2--Select/Develop training opportunities
PA01.3--Train
PA01.4--Assess the effectiveness of training
Has there been security training of any kind?
If no,
Are there any future plans to hold security training? (ask for
documents)
If yes,
Did you develop a training plan? (ask for documents)
Did you do a needs assessment for the training? (ask for
documents)
Did you develop in-house training? (ask for documents)
Did you hire outside trainers? (ask for documents)
Did they have adequate credentials? (ask for documents)
Was training conducted across all job categories? (ask for job
categories)
Were all employees trained? (ask for the specific number trained)
Was training offered more than once? (ask how frequently)
Have you conducted training assessments?
Was the training effective?
PA02--Provide company-wide security awareness
PA02.1--Develop awareness program
PA02.2--Disseminate awareness information
PA02.3--Measure the effectiveness of awareness program
Do you have a security awareness program?
If no,
Are there any future plans for a security awareness program?
(ask for documents)
If yes,
Did you develop a security awareness program plan? (ask for
documents)
Did you do a needs assessment? (ask for documents)
Did you receive outside assistance to develop your program?
Did they have adequate credentials? (ask for documents)
Was the security awareness program directed to all job
categories? (which ones)?
Were all employees exposed to the program? (if not, why?)
Was the awareness program conducted over a given time period?
(what time period)
Have you conducted assessments of any kind?
Was the security awareness program effective?
PROCESS CATEGORY
Within this category are those processes required to assure that the
processes operating security within the organization are in place and
followed to assure best security practices. While some may believe that
security can be achieved by buying a technology, if the technology is
not managed using the right processes, it will not achieve its desired
end. An example is an authentication system that is turned off because
it takes too long to gain entrance to a system when it's activated.
The process areas/key practices within the Process Category include:
PA03--Planning for a secure environment
Understand the criticality of the mission, information and
systems of the organization
Identify security reporting and regulatory requirements
Assess security threats
Assess security vulnerabilities
Assess potential impacts
Perform risk analysis
Develop security plan
Maintain all security plans
Monitor plans
Update plans
PA04--Enforcing security policies
Develop security policies
Develop Code of Conduct
Establish security policies
Disseminate security policies
Enforce security policies
QUESTIONS: PROCESS CATEGORY
PA03--Planning for a secure environment
PA03.1--Understand the criticality of the mission, information
and systems of the organization
PA03.2--Identify security reporting and regulatory requirements
PA03.3--Assess security threats
PA03.4--Assess security vulnerabilities
PA03.5--Assess potential impacts
PA03.6--Perform risk analysis
PA03.7--Develop security plan
PA03.8--Maintain all security plans
PA03.9--Monitor plans
PA03.10--Update plans
Do you have a security plan for your organization?
If yes, ask for documents.
Do you have an incident response plan?
Do you have a computer survivability plan?
Do you have a computer crime reporting/forensics plan?
Are these plans appropriately disseminated in your firm? (who
received the plan/s?)
Do you update the plans on a regular basis? (how often do you
update the plan/s?)
Is/are the plan/s followed and enforced?
Have you identified the criticality of the organization's
mission, information and systems? (ask for documents)
Have you identified the organization's security reporting and
regulatory requirements? (ask for documents)
Have you identified the security threats to your systems?
(what are they?)
Have you ever assessed those threats? (ask for documents)
Have you identified the vulnerabilities of your systems? (what
are they?)
Have you ever assessed those vulnerabilities? (ask for documents)
Have you identified the potential impacts of threats to your
systems? (what are they?)
Have you ever assessed those potential impacts? (ask for
documents)
Have you ever performed risk analysis based on security threats
you have identified? (what are the levels of risk you have
identified? ask for documents)
PA04--Enforcing security policies
PA04.1--Develop security policies
PA04.2--Develop Code of Conduct
PA04.3--Establish security policies
PA04.4--Disseminate security policies
PA04.5--Enforce security policies
Have you developed security policies?
If no,
Do you have plans to develop security policies?
If yes, ask for documents
Have your security policies become established?
Are they widely disseminated to all appropriate employees?
Do you enforce the security policies? (If yes, ask for examples)
Do you have a Code of Conduct for computer usage?
Is the Code visible, readily available, to all employees?
Is the Code enforced? (If yes, ask for examples)
Do you have a password attack defense? (what is it?)
Do you have a modem attack defense? (what is it?)
Do you have a public network attack defense? (what is it?)
Do you have a wireless network attack defense? (what is it?)
Do you have a telecom attack defense? (what is it?)
Do you have a private network attack defense? (what is it?)
COMPUTER TECHNOLOGY CATEGORY
Within this category are those processes required to assure that
computer technology is operated using the appropriate levels of
security required to assure best security practices. While
technology by itself will not provide security, it is often the
solution most firms rely upon to meet their security needs.
The process areas/key practices within the Computer Technology Category
include:
PA05--Establish a secure architecture
Develop an architecture plan
Establish architectural standards
Enforce architectural standards
PA06--Manage authentication
Develop authentication strategies
Implement authentication strategies
Monitor authentication implementations
Enforce authentication procedures
QUESTIONS: COMPUTER TECHNOLOGY CATEGORY
PA05--Establish a secure architecture
PA05.1--Develop an architecture plan
PA05.2--Establish architectural standards
PA05.3--Enforce architectural standards
Do you have a computer systems architecture plan? (ask for
documents)
Does the architecture plan establish standards? (ask for
documents)
Does the architecture plan address program security?
Does the architecture plan address network security--topologies/
subnetting?
Does the architecture plan address OS design from a security
perspective?
Does the architecture plan address memory protection?
Does the architecture plan address file protection?
Does the architecture plan establish network controls?
Does the architecture plan address firewalls?
Does the architecture plan address Intrusion Detection Systems?
Does the architecture plan address secured modems, modem key/
locks?
Does the architecture plan address secure e-mail?
Does the architecture plan address VPN's?
Does the architecture plan address database security?
Does the architecture plan address multi-level security in
databases?
Does the architecture plan address sensitive data in databases?
Does the architecture plan address data integrity/reliability
issues?
Does the architecture plan address encryption?
Does the architecture plan address anti-virus protection
software?
PA06--Manage authentication
PA06.1--Develop authentication strategies
PA06.2--Implement authentication strategies
PA06.3--Monitor authentication implementations
PA06.4--Enforce authentication procedures
Have you implemented access control techniques?
Do you impose user authentication on your systems? (Which
systems?)
Do you use:
--Biometric authentication?
--ID devices?
--Dial back modems?
--Password generators?
--Device-based passwords?
--Two- or three-vector authentication?
Do you use password generators or device-based passwords?
Do you employ audit logs?
Are they reviewed and analyzed frequently? (how frequently?)
Have you established password strategies?
Do you regularly review the effectiveness of your authentication
implementations?
Do you enforce authentication procedures?
BOUNDARY AND SURROUNDINGS CATEGORY
Within this category are those processes required to protect critical
infrastructures properly at their boundaries in order to assure best
security practices. While people, processes and computer technology are
components of secured systems, as defined in this approach, it is often
easiest to intrude physically by breaching physical boundaries at
plants and substations.
The process areas/key practices within the Boundary Category include:
PA07--Establish secure perimeters, buildings and surroundings
Develop plans for secure perimeters, buildings and surroundings
Assess vulnerabilities
Plan mitigations
Implement the plan
Monitor the implementations
Assess the effectiveness
Make additions/corrections
QUESTIONS: BUILDINGS AND SURROUNDINGS CATEGORY
PA07--Establish secure perimeters, buildings and surroundings
PA07.1--Develop plans for secure perimeters, buildings and
surroundings
PA07.2--Assess vulnerabilities
PA07.3--Plan mitigations
PA07.4--Implement the plan
PA07.5--Monitor the implementations
PA07.6--Assess the effectiveness
PA07.7--Make additions/corrections
Do you have facilities plans for secure perimeters, buildings and
surroundings?
If yes, ask for documents
If no,
Do you intend to develop such facilities plans?
Have you assessed perimeters, buildings and surroundings for
vulnerabilities?
Have you planned mitigation for these vulnerabilities?
Have you implemented any of these planned mitigations?
Do you have fences surrounding the property?
Are any poles or towers suitably far away from fences?
Do your buildings have reinforced secure walls and/or doors?
Do doors have entrance locks? Do computers have equipment locks?
Have you set up photoelectric / motion-sensing devices on the
premises?
Have you set up a video surveillance system?
Do buildings have alarm systems?
Has outdoor lighting been designed to eliminate vulnerabilities?
Has landscaping been designed to eliminate vulnerabilities?
Are sewers / manhole covers suitably distanced from the facility?
Have guardrails been established?
Are warning signs posted appropriately?
Are the premises and buildings patrolled? (how frequently?, by
whom?)
Are there any other barriers established on the property to ward
off intruders?
Are security measures monitored and reviewed for effectiveness on
a regular basis?
Are these assessments the basis for making improvements?
APPENDIX B EXAMPLE ASSESSMENT QUESTIONNAIRE
The following questionnaire is an example of the form to be used when
evaluating the security levels of an electric utility. The questions
were prepared for the process PA01-Provide Ongoing Skills and Knowledge
To Support Security. One of these questionnaires is required for each
PA.
Each question can be answered, 'yes,' 'no,' 'I don't know,' or 'I'm not
sure.' Capabilities that an organization has when it functions at each
level of maturity indicated on the questionnaire have been determined.
This will allow the assessor to probe further to determine at what
level the organization is functioning.
Example Data Sheet PA01 (columns for Level 0, Level 1, Level 2, Level 3,
Level 4 and Level 5 follow each question; they are blank in this
template)

Has there been security training of any kind?
  If no,
    Are there any future plans to hold security training? (ask for
    documents)
  If yes,
    Did you develop a training plan? (ask for documents)
    Did you do a needs assessment for the training? (ask for documents)
    Did you develop in-house training? (ask for documents)
    Did you hire outside trainers? (ask for documents)
    Did they have adequate credentials? (ask for documents)
    Was training conducted across all job categories? (ask for job
    categories)
    Were all employees trained? (ask for the specific number trained)
    Was training offered more than once? (ask how frequently)
    Have you conducted training assessments? (ask for documents)
    Was the training effective?
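The CMM meta structure (maturity levels, process areas, key practices, and the questions that fall out of them) and the Appendix B data sheet together define how an assessor turns interview answers into a maturity rating. The following is an added example, not part of the paper or the CI-CMM itself, that encodes that structure for PA01 in Python: the six level names come from Table 4 and the questions from Appendix A, while the assignment of each question to the maturity level it probes, the sample answers, and the scoring rule (an organization is rated at the highest level for which every lower level is also fully evidenced, the staged progression the paper describes) are this example's own assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# The six CI-CMM maturity levels of Table 4.
LEVEL_NAMES = {
    0: "Not Performed",
    1: "Performed Informally",
    2: "Planned and Tracked",
    3: "Well Defined",
    4: "Quantitatively Controlled",
    5: "Continuously Improving",
}

# Answers a data sheet accepts (Appendix B). Unanswered questions default to "no".
VALID_ANSWERS = {"yes", "no", "i don't know", "i'm not sure"}
UNCERTAIN = {"i don't know", "i'm not sure"}


@dataclass(frozen=True)
class Question:
    key_practice: str  # key practice id from Appendix A, e.g. "PA01.1"
    text: str
    level: int  # maturity level whose capability this question probes (assumed mapping)


@dataclass
class DataSheet:
    process_area: str
    questions: tuple[Question, ...]
    answers: dict[str, str] = field(default_factory=dict)  # question text -> answer

    def answer(self, q: Question) -> str:
        a = self.answers.get(q.text, "no").strip().lower()
        if a not in VALID_ANSWERS:
            raise ValueError(f"{q.key_practice}: invalid answer {a!r}")
        return a


def level_evidenced(sheet: DataSheet, level: int) -> bool:
    """A level is evidenced only when every question probing it is answered 'yes'."""
    return all(sheet.answer(q) == "yes" for q in sheet.questions if q.level == level)


def maturity_level(sheet: DataSheet) -> int:
    """Staged rating: the highest L such that levels 1..L are all evidenced.
    A gap at any lower level caps the rating, however strong the higher-level answers."""
    rated = 0
    for candidate in range(1, 6):
        if not level_evidenced(sheet, candidate):
            break
        rated = candidate
    return rated


def follow_ups(sheet: DataSheet) -> list[str]:
    """What the assessor should probe further: every question at the first unmet
    level not answered 'yes', plus every uncertain answer at any level, since
    'I don't know' about one's own security processes is itself an awareness gap."""
    next_level = maturity_level(sheet) + 1
    notes = []
    for q in sheet.questions:
        a = sheet.answer(q)
        if a in UNCERTAIN or (q.level == next_level and a != "yes"):
            notes.append(f"{q.key_practice} (Level {q.level}): {q.text} -> {a}")
    return notes


# PA01 questions from Appendix A; the level each one probes is this example's assumption.
PA01_QUESTIONS = (
    Question("PA01.3", "Has there been security training of any kind?", 1),
    Question("PA01.1", "Did you do a needs assessment for the training?", 2),
    Question("PA01.2", "Did you develop a training plan?", 2),
    Question("PA01.3", "Was training conducted across all job categories?", 3),
    Question("PA01.3", "Was training offered more than once?", 3),
    Question("PA01.4", "Have you conducted training assessments?", 4),
    Question("PA01.4", "Was the training effective?", 5),
)


def build_pa01_sheet(answers: dict[str, str]) -> DataSheet:
    return DataSheet("PA01--Provide ongoing skills and knowledge to support security",
                     PA01_QUESTIONS, dict(answers))


# Constructed sample answers from an interview at a hypothetical utility.
SAMPLE_ANSWERS = {
    "Has there been security training of any kind?": "yes",
    "Did you do a needs assessment for the training?": "yes",
    "Did you develop a training plan?": "yes",
    "Was training conducted across all job categories?": "no",
    "Was training offered more than once?": "yes",
    "Have you conducted training assessments?": "I don't know",
    "Was the training effective?": "I'm not sure",
}

if __name__ == "__main__":
    sheet = build_pa01_sheet(SAMPLE_ANSWERS)
    lvl = maturity_level(sheet)
    print(f"{sheet.process_area}: Level {lvl} ({LEVEL_NAMES[lvl]})")
    for note in follow_ups(sheet):
        print("  follow up:", note)
```

With the constructed answers the utility is rated Level 2, Planned and Tracked: training exists and is planned, but the Level 3 expectation that it reaches all job categories is unmet, so the "yes" at Level 3 for repeated training and the uncertain answers about assessment and effectiveness cannot lift the rating. The uncertain answers are still reported as follow-ups, which matches the paper's point that the interview doubles as an awareness exercise for the organization being assessed.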
REFERENCES
Brown, S. (2000). Applying Internet Technology to Utility SCADA Systems,
Utility Automation, 5(5), September, 25-26.
Carnegie Mellon Software Engineering Institute, Capability Maturity
Models, retrieved March 6, 2003 from the World Wide Web:
http://www.sei.cmu.edu/cmm/cmms/cmms.html
IEEE Power Engineering Society (2000). IEEE Standard 1402-2000:
IEEE Guide for Electric Power Substation Physical and Electronic
Security, New York: IEEE, Inc., April 4, 2000.
Kerzner, H. (2001). Strategic Planning for Project Management Using
a Project Management Maturity Model. New York: John Wiley and Sons.
National Security Agency, INFOSEC Assessment-Capability Maturity
Model (IA-CMM), retrieved March 6, 2003 from the World Wide Web:
http://www.nsa.gov/isso/iam/index.htm
National Security Telecommunications Advisory Committee Information
Assurance Task Force, Electric Power Risk Assessment, March 1997:
http://www.ncs.gov/n5_hp/Reports/EPRA/electric.html
Oman, P. (Spring, 2003). CS504 Power Grid Security, Moscow, ID:
University of Idaho.
Oman, P. (2001). Low-Cost Authentication Devices for Secure Modem
and Network Connections, Schweitzer Engineering Labs Application Guide
AG2001-10.
Oman, P., Risley, A., Roberts, J. & Schweitzer, E. (2002,
Apr. 9-11). Attack and Defend Tools for Remotely Accessible Control and
Protection Equipment in Electric Power Systems, Paper #15, Texas A&M
Annual Conference for Protective Relay Engineers, College Station,
Texas.
Oman, P., Schweitzer, E. & Roberts, J. (2001). Safeguarding
IED's, Substations, and SCADA Systems Against Electronic
Intrusions. Published as Protecting the Grid from Cyber Attack, in
Utility Automation, Part I (Nov./Dec. 2001, pp. 16-22) and Part II
(Jan./Feb. 2002, pp. 25-32).
Oman, P., Schweitzer, E. & Frincke, D. (2000). Concerns about
Intrusions into Remotely Accessible Substation Controllers and SCADA
Systems, Paper #4, 27th Annual Western Protective Relay Conference,
Oct. 23-26, Spokane, WA.
Paulk, M. C., Curtis, B., Chrissis, M. B. & Weber, C. V.
(1993). Capability Maturity Model for Software, v. 1.1 (Tech. Rep. Nos.
CMU/SEI-93-TR-024, ESC-TR-03-177). Software Engineering Institute,
Carnegie Mellon University.
Paulk, M. C., Weber, C. V., Garcia, S. M., Chrissis, M. B. &
Bush, M. (1993). Key Practices of the Capability Maturity Model, v. 1.1
(Tech. Rep. Nos. CMU/SEI-93-TR-025, ESC-TR-03-178). Software Engineering
Institute, Carnegie Mellon University.
Risley, A., Marlow, C., Oman, P. & Dolezilek, D. (2002).
Securing Ethernet Products With VPN Technology, Schweitzer Engineering
Labs Application Guide AG2002-05.
SPICE Project (1995). ISO/IEC Software Process Assessment working
draft v. 1.0. Software Process Improvement and Capability Development
Project.
Barbara Endicott-Popovsky, Seattle University Diane L. Lockwood,
Seattle University
Table 1: CMM Derivative Models Under Development at SEI (CMU, 2003)

SW-CMM, Capability Maturity Model for Software
  Domain: Processes used by software professionals
  Function: Judges the maturity of software processes of an
  organization; identifies key practices required to increase process
  maturity

P-CMM, People Capability Maturity Model
  Domain: Human Resources, Knowledge Management, Organizational
  Development
  Function: Addresses critical people issues; improves processes for
  managing and developing a workforce

SA-CMM, Software Acquisition Capability Maturity Model
  Domain: Software Acquisition
  Function: Benchmarks software acquisition processes of the government
  and military; improves software acquisition processes

SE-CMM, Systems Engineering Capability Maturity Model
  Domain: Systems Engineering
  Function: Ensures good systems engineering; analog to the software
  engineering CMM

IPD-CMM, Integrated Product Development Capability Maturity Model
  Domain: Product Development
  Function: Guides IPD design, development, appraisal and improvement;
  achieves timely collaboration of necessary disciplines throughout the
  product life cycle
Table 2: CMM Maturity Levels (Paulk, Curtis, Chrissis & Weber 1993;
Paulk, Weber, Garcia, Chrissis & Bush, 1993)

Level 1, Initial Level: The organization does not provide a stable
  environment for software development. Project success depends on
  having good software managers or teams.
Level 2, Repeatable Level: At the repeatable level, the organization
  establishes basic guidelines for managing the software project and its
  various procedures.
Level 3, Defined Level: The organization has a formally documented
  standard process for developing and maintaining software engineering
  and management.
Level 4, Managed Level: At the managed level, the organization sets
  quantitative goals for both software products and processes. They have
  a predictable process.
Level 5, Optimizing Level: The entire organization is focused on
  continuous process improvement. Software processes are evaluated to
  prevent known types of defects from recurring and lessons learned are
  spread to other projects.
Table 3: CI-CMM Key Process Areas by Category

People
  PA01--Provide ongoing skills and knowledge to support security
  PA02--Provide company-wide security awareness
Processes
  PA03--Planning for a secure environment
  PA04--Enforcing security policies
Computer Technology
  PA05--Establish a secure architecture
  PA06--Manage authentication
Boundaries and Surroundings
  PA07--Establish secure perimeters, buildings and surroundings
Table 4: CI-CMM Maturity Levels (NSA-INFOSEC, 2003)

Level 0, Not Performed: Practice is not conducted.
Level 1, Performed Informally: Base practices performed.
Level 2, Planned and Tracked: Commitment to perform. Performance
  planned, disciplined, tracked and verified.
Level 3, Well Defined: Standard process defined and tailored. Data used
  to measure performance.
Level 4, Quantitatively Controlled: Measurable quantity goals
  established. Process capability determined to achieve goals.
  Performance objectively managed.
Level 5, Continuously Improving: Quantitative process effectiveness
  goals established. Effectiveness improved continuously.