A proposed Energy Department cybersecurity risk management process guideline for the U.S. electric energy industry draws heavily from existing guidance published by the National Institute of Standards and Technology.
In a March 7 Federal Register notice, DOE solicits feedback on the draft process guideline (.pdf), which freely acknowledges that it is based on NIST Special Publication 800-39. The NIST publication is the foundation for Federal Information Security Management Act implementation; however, neither document specifies a set of security controls.
Rather, both documents describe a method organizations are supposed to use when framing, assessing, responding to and monitoring cyber risk.
The DOE document accordingly makes use of the ubiquitous NIST risk pyramid, which classifies risk according to three tiers, from highest to lowest: organizational (missions/business functions); mission and business processes; and information systems, which, in the electricity industry, include industrial control systems.
The model, the DOE draft document notes, can be applied to any electricity subsector organization of any size. It also says that, within the electricity industry, risk assessment inputs include North American Electric Reliability Corporation critical infrastructure protection standards and other federal and state regulatory requirements.
Generally, it adds, risk is a function of four variables: threat, vulnerability, likelihood, and the consequence or impact of an adverse event.