Draft cybersecurity risk management process guideline released


[Photo: Patricia Hoffman, Assistant Secretary, DOE Office of Electricity Delivery & Energy Reliability]
Washington, DC, U.S.A. — (METERING.COM) — September 13, 2011 – The U.S. Department of Energy has released for comment a draft cybersecurity risk management process guideline.

The draft guideline, developed jointly with the National Institute of Standards and Technology (NIST) and the North American Electric Reliability Corporation (NERC), is intended to help utilities better understand their cybersecurity risks, assess the severity of those risks, and allocate resources to manage them more efficiently.

The document describes risk at three tiers: Tier 1, the electricity sector organization; Tier 2, its mission and business processes; and Tier 3, its information technology and industrial control systems. This mirrors the three-tier model of NIST SP 800-39, with the third tier broadened to cover industrial control systems alongside information systems.

“Addressing cyber security is critical to enhancing the security and reliability of the nation’s electric grid,” said Patricia Hoffman, Assistant Secretary for the Office of Electricity Delivery and Energy Reliability. “The risk management process guideline will provide utilities with consistent, adaptable solutions that help them manage their cybersecurity risks more effectively.”

The foundational methodology for the guideline is NIST SP 800-39, Managing Information Security Risk. NIST's NISTIR 7628, Guidelines for Smart Grid Cyber Security, and the NERC Critical Infrastructure Protection (CIP) standards provide the base on which the guideline builds, refining how effective cybersecurity is defined and applied across organizations in the electricity sector.