Typically, a cyber security strategy and risk management framework at the organization level are at a high-level. The strategy and framework may be tailored at lower levels in an organization such as for business and operational components. Cyber security risk is one component of organizational risk that may include many types of risk (e.g., public image, financial, safety, and legal liability). A cyber security risk assessment includes identifying assets, vulnerabilities, and impacts. The output is the basis for the selection of security requirements and subsequent risk-mitigation strategies.

Increased interconnection in electric sector systems and devices results in a larger attack surface that may be exploited by potential adversaries. Typically, an enterprise architecture does not address cyber security, specifically, the overall attack surface, attack vectors, potential vulnerabilities, and applicable response strategies. The challenge is to develop and implement a security architecture methodology that augments, rather than replaces current enterprise architecture methodologies.

To adequately address potential vulnerabilities, cyber security must be included in all phases of the system development life cycle, from the design phase through implementation, operations and maintenance, and disposition/sunset. Although there are cyber security reference documents available, utilities need to tailor them for their specific environments.