Electricity Subsector Cybersecurity Risk Management Process

Date post: 24-Jun-2015
Upload: energysec
Description:
Matt Light from the Department of Energy discussed in this presentation the general make-up of a cybersecurity risk management process. He addressed the Risk Management Process and its various components.
Page 1: Electricity Subsector Cybersecurity Risk Management Process


Page 2: What is Risk Management?

Office of Electricity Delivery and Energy Reliability

Risk management is about people

• It’s about organizing people
• It’s about communication between people
• It’s about the safety of people

Page 3: Risk Management: Safety Example

• Radiological Work
  – Risk to personnel safety
  – Implemented processes and procedures to provide a consistent approach to managing risk
  – Risk tolerance and risk assessment built into processes and procedures
  – Allows for getting work done while ensuring adequate risk mitigation

Page 4: Risk Management: Safety Example cont’d

• It’s about the people
  – Clearly communicate risks
    • Awareness
    • Procedures, plans, policies
  – Educate workforce on risks
    • Training
    • Testing
  – Provide processes for re-assessing risk
    • Dry-runs
    • Project team meetings

Page 5: So What is the RMP About?

• It’s about people and the organizations in which they operate
  – How to organize people to effectively make risk-informed decisions
  – Target of RMP is cybersecurity risk but fundamentally could be applied to any risk management domain

Electricity subsector organizations deal with risk every day in meeting their business objectives…this management of risk is conducted as an interactive, ongoing process as part of normal operations.

Page 6: Guiding Principles of the RMP

• Describe “what” not “how”
• Adaptable to any size or type of organization
• Cybersecurity alignment with mission and business processes
• Based on NIST 800-39: Managing Information Security Risk

Page 7: Risk is Part of Any Activity

You have to accept some risk to get stuff done…but you don’t blindly accept that risk

• Organizations must understand the risks
• Evaluate risks
• Decide on reasonable measures to minimize risks
• Periodically re-assess risks

Page 8: RMP Overview: Risk Management Model

• The risk management model is a three-tiered structure that provides a comprehensive view of an organization
• It provides a structure for how cybersecurity risk management activities are undertaken across an organization
• Strategy is communicated down through the organization, risk evaluations are communicated up

Page 9: RMP Overview: Risk Management Cycle

• The risk management cycle provides four elements that structure an organization’s approach to cybersecurity risk management
• The risk management cycle is not static but a continuous process, constantly re-informed by the changing risk landscape as well as by organizational priorities and functional changes

Page 10: RMP Overview: Risk Management Cycle cont’d

• Risk Framing
  – Describes the environment in which decisions are made
  – Assumptions, constraints, tolerance, priorities
• Risk Assessment
  – Identify, prioritize, and estimate risk to organization
  – Includes supply chain and external service providers
• Risk Response
  – How the organization responds to risk
  – Develop courses of action and implement
• Risk Monitoring
  – How risks are monitored and communicated over time
  – Verify and evaluate risk response measures

Page 11: RMP Overview: Risk Management Process

The risk management process is the application of the risk management cycle to each of the tiers in the risk management model

Page 12: RMP Overview: Fundamental Elements

• Governance
  – In developing a governance structure, the organization establishes a risk executive function responsible for the organization-wide strategy to address risks, establishing accountability.
  – Can take on many forms and will vary depending on the size, type, and operations of the organization
  – This element is important to providing a consistent and effective approach to managing risk

Page 13: RMP Overview: Fundamental Elements

• Cybersecurity Architecture
  – An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, cybersecurity systems, personnel, and subordinate organizations, showing their alignment with the organization’s mission and strategic plans
  – Categorizing IT and ICS into levels by risk and value to mission and business processes
  – Allocating cybersecurity controls to systems

Page 14: RMP Implementation Challenges

• Tier 1
  – Determining priorities
  – Providing strategic guidance
• Tier 2 (possibly most challenging)
  – De-conflicting Tier 3 (system-level) work with Tier 1 priorities
  – Implementing change: plans & procedures
• Tier 3
  – Implementing technical solutions
  – Communicating technical challenges

Page 15: Why Implement the RMP?

• Equip your organization to make better informed cybersecurity decisions and investments
  – Protect your investment (systems & equipment)
  – Better serve your customers
• Build an organization equipped to meet future cybersecurity challenges
  – Sustainability and continuity through policies, plans, procedures
  – Not solely dependent on individuals
• Build an industry-wide common approach leading to improved cybersecurity capability

Page 16: RMP: Next Steps

• RMP Case Study
  – Fictional story
  – Illustrates how an organization may implement the RMP
• RMP Pilot
  – Work with 1-3 organizations to implement the RMP
  – Approx. 1 year engagement
  – Capture lessons learned and best practices
• RMP Website
  – Develop a resource center for the RMP
  – Provide additional content

Page 17: Final Thoughts

As you read through the RMP, think about your organization and the people within it – for each element, consider your organization’s goals and its organizational culture in deciding “how” best to do it.

Page 18: RMP Information

• Energy.gov: Office of Electricity Delivery and Energy Reliability
• http://energy.gov/oe/downloads/cybersecurity-risk-management-process-rmp-guideline-final-may-2012

My Contact Info:
Matt Light
U.S. Department of [email protected]

Page 19: BACKUP SLIDES

Page 20: Capability Maturity Model Overview

[Figure: Capability Maturity Model Overview. Vertical axis: Maturity Indicator Levels (Not Performed, Initiated, Performed, Managed); horizontal axis: Model Domains.]

Page 21: Sample Model Text from THREAT Domain

[Figure: sample model text from the THREAT domain; only the label “Recommended” survives extraction.]