According to the SGIP, the whitepaper ‘NIST Cybersecurity Framework Implementation Case Study’ aims to help utility firms implement the cybersecurity framework (CSF) developed by the National Institute of Standards and Technology (NIST).
The SGIP says the whitepaper was drafted to help energy providers integrate the NIST cybersecurity framework with the Department of Energy’s Cybersecurity Maturity Model in order to implement an effective and sustainable cybersecurity risk management programme.
The SGIP claims that the paper falls under its efforts to help in the modernisation of grid networks to enable a sustainable energy future.
The whitepaper comprises nine recommendations which utility firms can follow in deploying cybersecurity programmes.
According to the SGIP, utility companies should:
- Scope and prioritise (identify and prioritise business functions and systems)
- Orient (identify the in-scope systems)
- Create a current profile (identify their current cybersecurity state and business operations)
- Conduct a risk assessment
- Create a target profile by identifying their desired state
- Identify gaps
- Brief management through a dashboard
- Create an action plan to mitigate the gaps
- Maintain the CSF programme
In steps one and two, the SGIP recommends that utilities identify their business functional areas and the sponsors for the implementation of cybersecurity programmes using the NIST and DoE frameworks.
The two steps would also allow energy companies to establish their cybersecurity risk management strategy and would include:
- Identifying an executive sponsor for the implementation of the cybersecurity programme,
- The executive sponsor establishing a cybersecurity risk management governance team,
- The cybersecurity risk management governance team identifying the organisational business functions,
- The creation of an organisational business function risk profile table,
- Performing analyses to determine and prioritise the organisational business functions, ranking their criticality to the organisation.
In step four, a utility conducts a risk assessment that identifies the security posture of each business function by identifying, locating and classifying digital assets according to the potential harm to the organisation should those assets and their data be compromised.
The SGIP recommends that executive management be briefed on the utility’s cybersecurity state through a dashboard at least annually.
The briefing should highlight the areas of greatest and lowest maturity, the drivers behind changes since the previous briefing, and clarifications of the company’s cybersecurity and operational targets.
In creating an action plan, the SGIP concludes that utility firms need to:
- Mitigate the gaps between the current situation and the organisational targets
- Identify the responsible subject matter experts, including project staff from the procurement specialists, the security department, the IT department and the administrative support staff required to complete the individual
- Set a date on which each project is expected to be completed.
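To make the gap-identification, dashboard and action-plan steps concrete, here is a small added Python sketch (not from the SGIP paper or NIST): each business function carries a criticality rank from the risk profile table plus a current and a target profile scored per CSF core function on an assumed 1 to 4 tier scale, and the sample functions, tiers and owner mapping are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# The five NIST CSF core functions. Tier values 1..4 are an assumed maturity scale.
CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

@dataclass
class BusinessFunction:
    name: str
    criticality: int   # 1 = most critical, taken from the risk profile table (step 2)
    current: dict      # current profile (step 3): CSF function -> tier
    target: dict       # target profile (step 5): CSF function -> tier

def identify_gaps(bf):
    """Step 6: (csf_function, tiers short of target) for every area below target."""
    return [(f, bf.target[f] - bf.current[f]) for f in CSF_FUNCTIONS
            if bf.current[f] < bf.target[f]]

def prioritise(functions):
    """Order gaps so the most critical business function and largest shortfall come first."""
    rows = [(bf.criticality, -gap, bf.name, f)
            for bf in functions for f, gap in identify_gaps(bf)]
    return [(name, f, -neg) for _crit, neg, name, f in sorted(rows)]

def dashboard(functions):
    """Step 7: briefing highlights - average maturity per area, lowest and highest."""
    avg = {f: sum(bf.current[f] for bf in functions) / len(functions) for f in CSF_FUNCTIONS}
    return {"lowest": min(avg, key=avg.get), "highest": max(avg, key=avg.get), "averages": avg}

def _add_months(d, n):
    m = d.month - 1 + n
    return date(d.year + m // 12, m % 12 + 1, 1)

def action_plan(functions, owners, start, months_per_tier=3):
    """Step 8: one action per gap with a responsible owner and an expected completion date.
    months_per_tier is an assumed planning constant, not a figure from the paper."""
    return [{"function": name, "area": f, "tiers_to_close": gap, "owner": owners[f],
             "due": _add_months(start, months_per_tier * gap)}
            for name, f, gap in prioritise(functions)]

# Constructed sample data: two business functions and a department owning each CSF area.
SAMPLE = [
    BusinessFunction("Distribution SCADA", 1,
        {"Identify": 2, "Protect": 2, "Detect": 1, "Respond": 2, "Recover": 2},
        {"Identify": 3, "Protect": 3, "Detect": 3, "Respond": 3, "Recover": 3}),
    BusinessFunction("Customer billing", 2,
        {"Identify": 3, "Protect": 3, "Detect": 2, "Respond": 3, "Recover": 3},
        {"Identify": 3, "Protect": 3, "Detect": 3, "Respond": 3, "Recover": 3}),
]
OWNERS = {"Identify": "IT", "Protect": "Security", "Detect": "Security",
          "Respond": "Security", "Recover": "IT"}
```

Running `action_plan(SAMPLE, OWNERS, date(2015, 1, 1))` puts the two-tier Detect shortfall of the most critical function first, with the Security department as owner and a July 2015 completion date.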