Smart grid security work has initially focused on system design. As smart grid systems become operational, grid operators will also need to build an operational security capability. They need to be able to identify and deal with incidents and vulnerabilities on a day-to-day basis. As a first step, many grid operators are now setting up security monitoring. They are purchasing intrusion detection systems for their critical SCADA systems, and setting up a team (such as a CSIRT, CERT, or SOC) to analyze and respond to the alerts. The responsibilities of these smart grid security operations teams will grow in the future, as they have in other industries such as telecommunication and banking. They will take on tasks such as incident response, vulnerability scanning, forensics, managing firewalls, security assessments, and penetration testing. This document analyzes the capabilities a smart grid security operations team will need in the future. To attract and train personnel with the right skills, grid operators require a long-term view of the capabilities the team needs. This document describes a model that defines the required capabilities, and gives a roadmap to develop these capabilities, from the current pilots with monitoring to having a mature security operations team for the future smart grid.