The Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2) can help oil and natural gas (ONG) organizations evaluate their cybersecurity programs and make improvements. The C2M2 family of tools allows owners and operators in the electricity and ONG sectors to assess their cybersecurity capabilities. The tool can also inform decisions about how to address identified needs and where to invest in improving cybersecurity.

This program supports the ongoing development and measurement of cybersecurity capabilities within the ONG subsector. Here is a quick guide to understanding the basics of the ONG-C2M2 model and its uses.

ONG-C2M2 Model Architecture

The model is a set of industry-vetted cybersecurity practices, grouped into 10 domains and arranged by maturity level. Each domain is a logical grouping of cybersecurity practices. The practices are defined and ordered by four maturity indicator levels (MIL0 through MIL3), which apply independently to each domain in the model. The MILs define a dual progression of maturity: approach (what is done) and institutionalization (how consistently and deliberately it is done).
The model can be used to:

  • Strengthen cybersecurity capabilities in the ONG subsector
  • Enable ONG organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities
  • Share knowledge, best practices and relevant references within the subsector as a means to improve cybersecurity capabilities
  • Enable ONG organizations to prioritize actions and investments to improve cybersecurity


Assessing a Security Operations Center (SOC) with C2M2

Organizations can adopt an iterative approach with four distinct phases when leveraging the C2M2 model to define a cyber resilience program.

1. Evaluation

The evaluation covers existing SOC capabilities across people, process and technology, in light of the current threat landscape. All 10 domains are rated from MIL0 to MIL3 according to how their functions have been deployed. The assessment is carried out through interview sessions and document review. The results are then compared with the organization’s ideal maturity level.

2. Gap Analysis for ONG-C2M2

The assessment gaps are analyzed, and specific projects and programs are defined to build or improve maturity. The projects are discussed with the chief information security officer and other security leaders to determine how to best align a plan to their business strategy.

3. Prioritizing Projects 

Projects identified during the gap analysis are prioritized based on risk mitigation and time to value. Each project is analyzed against its timeline, impact and the effort required to complete it. Overall timelines can span a year or two, depending on the number and complexity of projects.

4. Implementing Your Plan for ONG-C2M2

You will build a roadmap that moves your SOC from its current maturity to the target (to-be) state. Your plan should consist of multiple phases.

The initial phase focuses on quick wins that deliver an early impact within a short timeline. Subsequent phases should each be carried out within a six- to 12-month window. Each phase results in increased maturity.
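As an added illustration of the four phases above (not code from the original post or from the C2M2 model itself), the script below scores three sample domains from per-practice results, finds the gaps against a target MIL, orders the resulting projects by risk mitigation per month of effort, and packs them into a quick-win phase followed by 12-month phases. The cumulative MIL rule (a level counts only when every practice at that level and all lower levels is implemented), the domain codes RM, IR and SA, and all practice results, risk scores and effort estimates are assumptions and constructed sample data.

```python
# Constructed example: per-domain MIL scoring, gap analysis, prioritisation
# and phasing in the style of the four-phase C2M2 approach. All data is invented.
from dataclasses import dataclass


def achieved_mil(practices: dict[int, list[bool]]) -> int:
    """Highest MIL reached for one domain (assumed cumulative rule: a level
    counts only when every practice at it and at all lower levels is done)."""
    mil = 0
    for level in (1, 2, 3):
        done = practices.get(level, [])
        if done and all(done):
            mil = level
        else:
            break
    return mil


def gap_analysis(assessed: dict[str, int], target: dict[str, int]) -> dict[str, int]:
    """Domains whose assessed MIL is below the organisation's target MIL."""
    return {d: target[d] - assessed.get(d, 0)
            for d in target if target[d] > assessed.get(d, 0)}


@dataclass(frozen=True)
class Project:
    domain: str
    risk_reduction: int   # 1 (low) .. 5 (high), agreed with security leadership
    effort_months: int    # estimated time to complete


def prioritise(projects: list[Project]) -> list[Project]:
    """Risk mitigation per month of effort (time to value) first, then raw risk."""
    return sorted(projects,
                  key=lambda p: (-p.risk_reduction / p.effort_months, -p.risk_reduction))


def plan_phases(ordered: list[Project], quick_win_months: int = 3,
                phase_months: int = 12) -> list[list[Project]]:
    """Phase 1 = quick wins; later phases fill 12-month windows in priority order."""
    quick = [p for p in ordered if p.effort_months <= quick_win_months]
    phases, current, used = [quick], [], 0
    for p in (p for p in ordered if p.effort_months > quick_win_months):
        if current and used + p.effort_months > phase_months:
            phases.append(current)
            current, used = [], 0
        current.append(p)
        used += p.effort_months
    return phases + [current] if current else phases


# Constructed sample data: practice results per MIL for three domains.
ASSESSED = {
    "RM": achieved_mil({1: [True, True], 2: [True, False], 3: [False]}),      # MIL1
    "IR": achieved_mil({1: [True, True, True], 2: [True, True], 3: [True]}),  # MIL3
    "SA": achieved_mil({1: [True, False]}),                                  # MIL0
}
TARGET = {"RM": 3, "IR": 3, "SA": 2}
PROJECTS = [Project("RM", 4, 8), Project("SA", 3, 2), Project("SA", 5, 10)]
```

Running `plan_phases(prioritise(PROJECTS))` on the sample data yields a quick-win phase holding only the two-month SA project, with the two larger projects each taking a phase of their own because together they exceed the 12-month window.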

A maturity assessment for SOCs is important to determine whether the current tools, technology and processes are resilient enough to counter cyber threats. Traditionally, SOC maturity efforts have focused on IT; it is now time to assess operational technology as well and account for the growing cyber threats and risks facing this industry.
