From Research to Action

How to Navigate Existing Cyber Security Risk Management Guidance

By Annabelle Lee

Currently, the nation's power system consists of both legacy and next generation technologies. The increased digital functionality of the newer technologies provides a larger attack surface for potential adversaries, such as nation-states, terrorists, malicious contractors, and disgruntled employees. The U.S. federal government has responded to these changes in technology and in the threat environment by developing and updating cyber security guidance. Utilities are dedicating significant resources to understanding the guidance and determining what is applicable. For many utilities with limited cyber security technical expertise, attempting to understand and implement all of this guidance is daunting.

EPRI initiated a project last year, not to develop a new guidance document, but to assist utilities in navigating the diverse existing guidance that is applicable to the electric sector. The project resulted in three new reports:

- Risk Management in Practice – A Guide for the Electric Sector [1]
- Security Posture using the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) [2]
- Cyber Security Risk Management in Practice – Comparative Analyses Tables [3]

New grid technologies are introducing millions of novel, intelligent components to the electric grid that communicate in much more advanced ways (two-way communications, dynamic optimization, and wired and wireless communications) than in the past. These new components will operate in conjunction with legacy equipment that may be several decades old and provides little to no cyber security controls. In addition, with alternative energy sources such as solar power and wind, there is increased interconnection across organizations and systems. With the increase in the use of digital devices and more advanced communications, the overall cyber risk has increased. For example, as substations are modernized, the new equipment is digital rather than analog. These new devices include commercially available operating systems, protocols, and applications with vulnerabilities that may be exploited.

Address a constantly changing environment

Some utilities have the technical expertise to assess and use the various documents as part of an overall cyber security risk management program. However, not all utilities have in-house expertise, and these must rely on external organizations and guidance. In addition, some utilities are being asked by management and by regulatory organizations, such as state public utility commissions (PUCs), to demonstrate how they meet the requirements and/or content of these various documents. Currently, responding to these requests is difficult because there is no overarching guidance that tells utilities how to get started.

To address this constantly changing environment, including new technology, threats, guidance, and regulations, EPRI initiated a collaborative effort with DOE, utilities, the trade associations, Carnegie Mellon University, and researchers. The goal was to assist utilities in assessing and applying the various cyber security documents, rather than to develop new guidance.

Follow the flowchart

The first task was to develop a flowchart (Figure 1) that relates the guidance and methodologies to an enterprise risk management process and strategy, focusing on cyber security. All of the new cyber security guidance needs to be placed in the context of an overall enterprise risk management process and strategy. The flowchart has been used by utility cyber security staff in meetings with management to provide an overview of cyber security.

Figure 1: Risk Management Guidance Flowchart

Standardize the guidance and make it free

The second task was to provide a comparative analysis of the referenced documents. All of the documents included in the diagram are at different levels of specificity and may be used for different purposes related to managing cyber security risk. For example, the ES-C2M2 may be used to determine the maturity level of an organization, and the National Institute of Standards and Technology Interagency Report (NISTIR) 7628 security requirements may be used as part of a cyber security risk assessment of specific control systems.

Electric Energy T&D Magazine, January-February 2015 Issue, page 20

