The electricity subsector cybersecurity Risk Management Process (RMP) guideline was developed by the Department of Energy (DOE), in collaboration with the National Institute of Standards and Technology (NIST) and the North American Electric Reliability Corporation (NERC). Members of industry and utility-specific trade groups were included in authoring this guidance designed to be meaningful and tailored for the electricity subsector. The NIST Special Publication (SP) 800-39, Managing Information Security Risk, provides the foundational methodology for this document. The NIST Interagency Report (NISTIR) 7628, Guidelines for Smart Grid Cyber Security, and NERC critical infrastructure cybersecurity standards further refine the definition and application of effective cybersecurity for all organizations in the electricity subsector.
It is intended to be used by the electricity subsector, to include organizations responsible for the generation, transmission, distribution, and marketing of electric power, as well as supporting organizations such as vendors. The RMP is written with the goal of enabling organizations— regardless of size or organizational or governance structure—to apply effective and efficient risk management processes and tailor them to meet their organizational requirements. This guideline may be used to implement a new cybersecurity program within an organization or to build upon an organization’s existing internal cybersecurity policies, standard guidelines, and procedures.
Cybersecurity risk is one of the components of the overall business risk environment and feeds into an organization’s enterprise Risk Management Strategy and program. Cybersecurity risk, as with all risks, cannot be completely eliminated, but instead must be managed through informed decision making processes. The RMP is built on the premise that managing cybersecurity risk is critical to the success of an organization’s mission in achieving its business’s goals and objectives, specifically the reliable generation and delivery of electric power. Implementation of the RMP will facilitate more informed decision making throughout an organization leading to more effective resource allocation, operational efficiencies, and the ability to mitigate and rapidly respond to cybersecurity risk. The goal is to reduce the likelihood and impact of a cyber event to an organization’s operations, assets, and individuals. Implementation of the RMP across the electricity subsector will result in a common approach to managing cybersecurity risk, facilitating improved information exchange among organizations, between other stakeholders to include private sector and State and Federal agencies, and across international boundaries (Canada and Mexico). This will result in an improved dialogue that recognizes the need to manage this risk through an ongoing process to achieve the common goal of generating and delivering electric power.