The Department of Energy (DOE) collaborated with the National Institute of Standards and Technology (NIST) and the North American Electric Reliability Corporation (NERC) to release a second draft of the Electricity Sector Cybersecurity Risk Management Process (RMP) guideline.
According to DOE, RMP has been designed to provide a consistent, repeatable, and adaptable process for the Electricity Sector that will help organizations proactively manage cybersecurity risk.
RMP was designed with the idea that the process should scale for use at organizations of any size and that cybersecurity risk management should be driven by the business needs of the company.
Furthermore, the group responsible for creating RMP identified foundational concepts regarding technical security efforts, which are core to the success of enterprise cybersecurity risk management planning:
• The belief that cybersecurity risk is not just a technology problem but a business risk with the potential to cause any number of critical business impacts
• The idea that cybersecurity risk cannot be eliminated but must be managed through informed decision-making
• The need to incorporate cybersecurity risk management into the organizational enterprise risk management program.
Risk Management Model:
The RMP model represents a fairly standard strategic approach to breaking down business responsibilities for enterprise risk management. Responsibility for risk management is divided into three different business layers and their associated areas of business functionality:
• Organization—responsible for executive leadership
• Mission and business process—responsible for business management
• Information technology (IT) and industrial control system (ICS) teams—responsible for systems management.
The RMP model addresses a number of areas in which lack of clarity or attention can significantly impede enterprise risk management efforts. Use of such common roles in the RMP facilitates the integration of cybersecurity risk management into existing enterprise risk management programs as does the focus on aligning technical security needs with business operations and requirements.
The RMP is very clear about the level of engagement required by people at each tier and how insufficient support disrupts the timing and sequence of critical, programmatic workflow.
Risk Management Life Cycle
The four stages of the risk management life cycle described in the
RMP are also commonly defined steps in enterprise risk management
• Framing—provides a framework by which technical risk to critical IT and ICS assets can be put into context with business and organizational needs, ensuring future risk identification and prioritization are considered holistically
• Assessment—is the primary process by which risks to business are identified and prioritized
• Response—defines how to address risk based on impact and risk tolerance rather than technical urgency
• Monitoring—completes the business improvement loop by ensuring the risk response addressed cybersecurity risk as planned.
RMP comprehensively addresses what each tier, or group in the risk management model, is responsible for during the individual stages of the risk management life cycle.
The use of consistent work flow descriptions, i.e., the inputs, activities, and outputs, throughout the life cycle sections allows for consistency throughout RMP planning and implementation. Where inputs, activities, and outputs are called out, the RMP provides thorough explanation of what they are, how they fit into the RMP, and why they are significant.
DOE and its partners have done an excellent job of organizing and presenting the strategic tasks necessary to either integrating cybersecurity risk into existing risk management processes or creating a risk management function specific to cybersecurity.
The clear and consistent mapping between the risk model and life cycle provides enough strategic planning information to make the pitch for leveraging RMP an easy one to enterprise risk management stakeholders.
And, given its strategic focus, the RMP could be easily modified for use in other critical sectors as well as the electrical.