In this presentation, Matt Light of the U.S. Department of Energy discussed the general make-up of a cybersecurity risk management process, addressing the Risk Management Process (RMP) and its various components.
2. What is Risk Management?
Risk management is about people
• It’s about organizing people
• It’s about communication between people
• It’s about the safety of people
Office of Electricity Delivery and Energy Reliability 2
3. Risk Management: Safety Example
• Radiological Work
– Risk to personnel safety
– Implemented processes and procedures to provide a consistent approach to managing risk
– Risk tolerance and risk assessment built into processes and procedures
– Allows for getting work done while ensuring adequate risk mitigation
4. Risk Management: Safety Example cont’d
• It’s about the people
– Clearly communicate risks
• Awareness
• Procedures, plans, policies
– Educate workforce on risks
• Training
• Testing
– Provide processes for re-assessing risk
• Dry-runs
• Project team meetings
5. So What is the RMP About?
• It’s about people and the organizations in which they operate
– How to organize people to effectively make risk-informed decisions
– Target of RMP is cybersecurity risk but fundamentally could be applied to any risk management domain
Electricity subsector organizations deal with risk every day in meeting their business objectives… this management of risk is conducted as an interactive, ongoing process as part of normal operations.
6. Guiding Principles of the RMP
• Describe “what” not “how”
• Adaptable to any size or type of organization
• Cybersecurity alignment with mission and business processes
• Based on NIST 800-39: Managing Information Security Risk
7. Risk is Part of Any Activity
You have to accept some risk to get stuff done… but you don’t blindly accept that risk
• Organizations must understand the risks
• Evaluate risks
• Decide on reasonable measures to minimize risks
• Periodically re-assess risks
8. RMP Overview: Risk Management Model
• The risk management model is a three-tiered structure that provides a comprehensive view of an organization
• It provides a structure for how cybersecurity risk management activities are undertaken across an organization
• Strategy is communicated down through the organization, risk evaluations are communicated up
9. RMP Overview: Risk Management Cycle
• The risk management cycle provides four elements that structure an organization’s approach to cybersecurity risk management
• The risk management cycle is not static but a continuous process, constantly re-informed by the changing risk landscape as well as by organizational priorities and functional changes
10. RMP Overview: Risk Management Cycle cont’d
• Risk Framing
– Describes the environment in which decisions are made
– Assumptions, constraints, tolerance, priorities
• Risk Assessment
– Identify, prioritize, and estimate risk to organization
– Includes supply chain and external service providers
• Risk Response
– How the organization responds to risk
– Develop courses of action and implement
• Risk Monitoring
– How risks are monitored and communicated over time
– Verify and evaluate risk response measures
11. RMP Overview: Risk Management Process
The risk management process is the application of the risk management cycle to each of the tiers in the risk management model
12. RMP Overview: Fundamental Elements
Governance
– In developing a governance structure, the organization establishes a risk executive function responsible for the organization-wide strategy to address risks, establishing accountability.
– Can take on many forms and will vary depending on the size, type, and operations of the organization
– This element is important to providing a consistent and effective approach to managing risk
13. RMP Overview: Fundamental Elements
Cybersecurity Architecture
– An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, cybersecurity systems, personnel, and subordinate organizations, showing their alignment with the organization’s mission and strategic plans
– Categorizing IT and ICS into levels by risk and value to mission and business processes
– Allocating cybersecurity controls to systems
14. RMP Implementation Challenges
• Tier 1
– Determining priorities
– Providing strategic guidance
• Tier 2 (Possibly most challenging)
– De-conflicting Tier 3 (system) needs with Tier 1 priorities
– Implementing change: plans & procedures
• Tier 3
– Implementing technical solutions
– Communicating technical challenges
15. Why Implement the RMP?
• Equip your organization to make better-informed cybersecurity decisions and investments
– Protect your investment (systems & equipment)
– Better serve your customers
• Build an organization equipped to meet future cybersecurity challenges
– Sustainability and continuity through policies, plans, procedures
– Not solely dependent on individuals
• Build an industry-wide common approach leading to improved cybersecurity capability
16. RMP: Next Steps
• RMP Case Study
– Fictional story
– Illustrates how an organization may implement the RMP
• RMP Pilot
– Work with 1-3 organizations to implement the RMP
– Approx. 1 year engagement
– Capture lessons learned and best practices
• RMP Website
– Develop a resource center for the RMP
– Provide additional content
17. Final Thoughts
As you read through the RMP, think about your organization and the people within it – for each element, consider your organization’s goals and its organizational culture in deciding “how” best to do it.
18. RMP Information
• Energy.gov: Office of Electricity Delivery and Energy Reliability
• http://energy.gov/oe/downloads/cybersecurity-risk-management-process-rmp-guideline-final-may-2012
My Contact Info:
Matt Light
U.S. Department of Energy
matthew.light@hq.doe.gov
20. Capability Maturity Model Overview
[Figure: Maturity Indicator Levels (Not Performed, Initiated, Performed, Managed, reserved) plotted against the Model Domains]
21. Sample Model Text from THREAT Domain
[Figure: sample model text from the THREAT domain]
Editor’s Notes
Posture is contextual – it is relative to a threat
17 successful pilots; 10 on waiting list
100’s of comments from >40 industry experts
30-member advisory group to guide development
Engaged 50 utilities, 8 gov’t organizations, 6 industry associations, 2 national labs, 1 FFRDC
Joint commitment to path forward
Key Points:
Development leveraged existing resources and the expertise of security practitioners from utilities
Fast-paced: ~4.5 months of development
Model: 10 domains, 4 defined maturity indicator levels (MIL), 1 reserved MIL, 27 domain themes + 10 common themes (1 per domain), 310 practices
Survey -> automated scoring
Pilot participants represented IOUs, COOPs, and Munis, and covered generation, transmission, distribution, and markets functions
Pilot participants provided helpful feedback on the structure and language of the model and on the presentation of results
Pilot participants reported that the process was valuable to them; some have already reported making improvements to their cybersecurity practices