Electric Sector Failure Scenarios Common Vulnerabilities and Mitigations Mapping – Version 2.0 (technical lead and co-author)

This document serves as a further reference for the National Electric Sector Cybersecurity Organization Resource (NESCOR) Electric Sector Failure Scenarios and Impact Analyses version 3.0 document, which was produced by the Electric Power Research Institute (EPRI) for the U.S. Department of Energy (DOE).

Version 0.9 of the Failure Scenarios document listed the initial lists of vulnerabilities, impacts, and mitigations. The vulnerabilities and mitigations were written as unstructured English sentences. Technical Working Group 1 (TWG1) recognized that consistency of terminology and structure within these lists would have several benefits, including improving document readability and enabling analyses of the Failure Scenarios. In particular, the team wanted to identify the common vulnerabilities and common mitigations. TWG1 devised a structured form for the vulnerabilities and mitigations that would support this goal, and it used the same form for both lists: common vulnerability/mitigation followed by the vulnerability/mitigation context.

The document is structured as follows:

  • Appendix A provides the grouping of common vulnerabilities into NISTIR 7628 Vulnerability Classes,
  • Appendix B provides the mapping of the original vulnerabilities in Failure Scenarios version 1.0 to common vulnerabilities in version 2.0,
  • Appendix C provides the grouping of common mitigations into mitigation classes called mitigation action groups, defined by TWG1, and,
  • Appendix D provides the mapping of the original mitigations in Failure Scenarios version 0.9 to common mitigations in version 1.0.