Electricity Subsector Cybersecurity Risk Management Process

Matt Light from the Department of Energy discussed in this presentation the general make-up of a cybersecurity risk management process. He addressed the Risk Management Process and its various components.

  • Slide notes:
    – Posture is contextual – it is relative to a threat
    – 17 successful pilots; 10 on waiting list
    – 100’s of comments from >40 industry experts
    – 30-member advisory group to guide development
    – Engaged 50 utilities, 8 gov’t organizations, 6 industry associations, 2 national labs, 1 FFRDC
    – Joint commitment to path forward
  • Key Points:
    – Development leveraged existing resources and the expertise of security practitioners from utilities
    – Fast-paced: ~4.5 months of development
    – Model: 10 domains, 4 defined maturity indicator levels (MIL), 1 reserved MIL, 27 domain themes + 10 common themes (1 per domain), 310 practices
    – Survey -> automated scoring
    – Pilot participants represented IOUs, COOPs, and Munis, and covered generation, transmission, distribution, and markets functions
    – Pilot participants provided helpful feedback on the structure and language of the model and on the presentation of results
    – Pilot participants reported that the process was valuable to them; some have already reported making improvements to their cybersecurity practices

Transcript

  • 1. Electricity Subsector Cybersecurity Risk Management Process
  • 2. What is Risk Management?
    Risk management is about people
    • It’s about organizing people
    • It’s about communication between people
    • It’s about the safety of people
    Office of Electricity Delivery and Energy Reliability 2
  • 3. Risk Management: Safety Example
    • Radiological Work
      – Risk to personnel safety
      – Implemented processes and procedures to provide a consistent approach to managing risk
      – Risk tolerance and risk assessment built into processes and procedures
      – Allows for getting work done while ensuring adequate risk mitigation
  • 4. Risk Management: Safety Example cont’d
    • It’s about the people
      – Clearly communicate risks
        • Awareness
        • Procedures, plans, policies
      – Educate workforce on risks
        • Training
        • Testing
      – Provide processes for re-assessing risk
        • Dry-runs
        • Project team meetings
  • 5. So What is the RMP About?
    • It’s about people and the organizations in which they operate
      – How to organize people to effectively make risk informed decisions
      – Target of RMP is cybersecurity risk but fundamentally could be applied to any risk management domain
    Electricity subsector organizations deal with risk every day in meeting their business objectives…this management of risk is conducted as an interactive, ongoing process as part of normal operations.
  • 6. Guiding Principles of the RMP
    • Describe “what” not “how”
    • Adaptable to any size or type of organization
    • Cybersecurity alignment with mission and business processes
    • Based on NIST 800-39: Managing Information Security Risk
  • 7. Risk is Part of Any Activity
    You have to accept some risk to get stuff done…but you don’t blindly accept that risk
    • Organizations must understand the risks
    • Evaluate risks
    • Decide on reasonable measures to minimize risks
    • Periodically re-assess risks
  • 8. RMP Overview: Risk Management Model
    • The risk management model is a three-tiered structure that provides a comprehensive view of an organization
    • It provides a structure for how cybersecurity risk management activities are undertaken across an organization
    • Strategy is communicated down through the organization, risk evaluations are communicated up
  • 9. RMP Overview: Risk Management Cycle
    • The risk management cycle provides four elements that structure an organization’s approach to cybersecurity risk management
    • The risk management cycle is not static but a continuous process, constantly re-informed by the changing risk landscape as well as by organizational priorities and functional changes
  • 10. RMP Overview: Risk Management Cycle cont’d
    • Risk Framing
      – Describes the environment in which decisions are made
      – Assumptions, constraints, tolerance, priorities
    • Risk Assessment
      – Identify, prioritize, and estimate risk to organization
      – Includes supply chain and external service providers
    • Risk Response
      – How the organization responds to risk
      – Develop courses of action and implement
    • Risk Monitoring
      – How risks are monitored and communicated over time
      – Verify and evaluate risk response measures
  • 11. RMP Overview: Risk Management Process
    The risk management process is the application of the risk management cycle to each of the tiers in the risk management model
  • 12. RMP Overview: Fundamental Elements
    Governance
      – In developing a governance structure, the organization establishes a risk executive function responsible for the organization-wide strategy to address risks, establishing accountability.
      – Can take on many forms and will vary depending on the size, type, and operations of the organization
      – This element is important to providing a consistent and effective approach to managing risk
  • 13. RMP Overview: Fundamental Elements
    Cybersecurity Architecture
      – An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, cybersecurity systems, personnel, and subordinate organizations, showing their alignment with the organization’s mission and strategic plans
      – Categorizing IT and ICS into levels by risk and value to mission and business processes
      – Allocating cybersecurity controls to systems
  • 14. RMP Implementation Challenges
    • Tier 1
      – Determining priorities
      – Providing strategic guidance
    • Tier 2 (Possibly most challenging)
      – De-conflicting system Tier 3 with Tier 1 priorities
      – Implementing change: plans & procedures
    • Tier 3
      – Implementing technical solutions
      – Communicating technical challenges
  • 15. Why Implement the RMP?
    • Equip your organization to make better informed cybersecurity decisions and investments
      – Protect your investment (systems & equipment)
      – Better serve your customers
    • Build an organization equipped to meet future cybersecurity challenges
      – Sustainability and continuity through policies, plans, procedures
      – Not solely dependent on individuals
    • Build an industry-wide common approach leading to improved cybersecurity capability
  • 16. RMP: Next Steps
    • RMP Case Study
      – Fictional story
      – Illustrates how an organization may implement the RMP
    • RMP Pilot
      – Work with 1-3 organizations to implement the RMP
      – Approx. 1 year engagement
      – Capture lessons learned and best practices
    • RMP Website
      – Develop a resource center for the RMP
      – Provide additional content
  • 17. Final Thoughts
    As you read through the RMP, think about your organization and the people within it – for each element, consider your organization’s goals and its organizational culture in deciding “how” best to do it.
  • 18. RMP Information
    • Energy.gov: Office of Electricity Delivery and Energy Reliability
    • http://energy.gov/oe/downloads/cybersecurity-risk-management-process-rmp-guideline-final-may-2012
    My Contact Info: Matt Light, U.S. Department of Energy, matthew.light@hq.doe.gov
  • 19. BACKUP SLIDES
  • 20. Capability Maturity Model Overview
    [Figure: Maturity Indicator Levels (reserved, Managed, Performed, Initiated, Not Performed) plotted against the Model Domains]
  • 21. Sample Model Text from THREAT Domain