Cyber Security Risk Management and Risk Assessment Methodology Template

by Annabelle Lee, Chief Cyber Security Specialist, Nevermore Security

1 Risk Management Overview

The current power grid consists of both legacy and next generation technologies. These new components operate in conjunction with legacy equipment that may be several decades old and provides no cyber security controls. In addition, industrial control systems/supervisory control and data acquisition (ICS/SCADA) systems were originally isolated from the outside world: sensors would monitor equipment and report that information to a control room. As networking technology has advanced and become more accessible, organizations have chosen to integrate these systems. This integration is necessary to take advantage of the new technology that is being deployed. With the increase in the use of digital devices and more advanced communications and information technology (IT), the overall attack surface has increased.

Cyber security must address deliberate attacks launched by disgruntled employees and nation states as well as non-malicious cyber security events such as user errors. Because organizations, including utilities, do not have unlimited resources such as personnel and funds, cyber security must be prioritized alongside the other components of enterprise risk. Risk is the potential for an unwanted impact resulting from an event. Cyber security risk is one component of enterprise risk management, which addresses many types of risk (e.g., financial, mission, public perception).

In addition, to adequately address potential threats and vulnerabilities, cyber security must be included in all phases of the system development life cycle, from the design phase through implementation, operations and maintenance, and disposition/sunset. Cyber security must be continually assessed and revised to address evolving threats, vulnerabilities, and security incidents.

The purpose of this document is to specify a risk management and risk assessment template that may be used by utilities. This also includes the selection and tailoring of cyber security requirements and measures/controls. This document is NOT an attempt to develop new guidance but rather to document the diverse existing guidance that is applicable to the electric sector.