The tool coming from the Office of Cybersecurity, Energy Security, and Emergency Response will quantify what cybersecurity spending delivers in terms of risk management.
The federal cybersecurity agency designated with protecting the energy sector is creating a tool that could help commercial electric critical infrastructure providers put a price tag on managing cybersecurity risk for their networks.
Karen Evans, assistant secretary for the Department of Energy's Office of Cybersecurity, Energy Security, and Emergency Response, said company executives don't want a lot of granular detail on cybersecurity technology, they want to see the bottom line.
"They want to know for 'X' amount of dollars how much risk is being reduced in the enterprise," Evans said. "We're working on a tool right now that will answer that question."
Evans said at a March 14 meeting of the DOE's Energy Electricity Advisory Board that CESER is working with the Energy Department's National Labs on a formula the tool will use.
Earlier this week, DOE officials said CESER would get $157 million for grid cybersecurity to support early-stage research and development to improve security and resilience that will help private infrastructure providers "harden and evolve" their systems against man-made and natural events.
Part of the challenge, experts said, is keeping ahead of cyber threats to the electrical infrastructure as they move down through bulk supply systems to distribution systems.
Evans wants the tool to be easy to use for a wide range of personnel and provide actionable information that doesn't have to be decoded among internal operations.
"We want the interfaces to be really simple, so that your cybersecurity person can sit with your engineer and say, 'We need to ask for $10,000 and here's all the risk points that we're going to reduce.'"
Quantifying risk reduction is a critical piece of protecting electric critical infrastructure, according to Evans and experts at the event participating on a cybersecurity panel.
Critical infrastructure providers, said Scott Aaronson, vice president, security and preparedness at the Edison Electric Institute, have reached a more mature level of understanding of the threat to their facilities.
Instead of fearing individual attackers and their specific tactics, he said, critical infrastructure providers learn what they can protect against, but they are also preparing for an almost inevitable breach.
"You can't protect 100 percent of everything 100 percent of the time," he said. "That's a sign of maturity," he said. Electrical providers, he said, have to prepare to recover as quickly and as effectively as possible.