Recommendations for the European Commission on a European Strategic Framework and Potential Future Legislative Acts for the Energy Sector

PUF Magazine Article Annabelle Lee

Energy Diplomacy: USAID and USEA Enhancing Cybersecurity in Eastern Europe (co-author)

“UCSI is advancing a rational approach to cyber capital expenditures with a risk-based assessment methodology specific to Eastern Europe’s technology and business practices.”


Risk Management in Practice: A Guide for the Electric Sector

Risk Management in Practice: A Guide for the Electric Sector (co-author)

This report provides guidance for risk management in practice in the electric sector. It builds upon the technical update Integrating Electricity Subsector Failure Scenarios into a Risk Assessment Methodology (3002001181), published in 2013; the DOE Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2); the National Institute of Standards and Technology Interagency Report (NISTIR) 7628, Guidelines for Smart Grid Cyber Security; the National Rural Electric Cooperative Association (NRECA) Guidance; and other documents.

The focus of this document is to provide guidance on applying the diverse existing cyber security guidance that is applicable to the electric sector. The goal of this document is to provide a framework and comparative analyses of existing guidance that may be used by cyber security practitioners in addressing cyber security.

This document was developed jointly by several organizations, including EPRI, DOE, NRECA, Carnegie Mellon University, and several utilities. This document is a companion document to the EPRI technical update, Security Posture Using the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), Technical Update 3002003332, also published in 2014.

Cyber Security Risk Management in Practice: Comparative Analyses Tables

Cyber Security Risk Management in Practice: Comparative Analyses Tables (co-author)

Utilities are assessing various federal guidelines that are applicable to cyber security for the electric sector—a significant task requiring all new guidance. This report is a companion document to EPRI technical update 3002003333, Risk Management in Practice—A Guide for the Electric Sector, and EPRI technical update 3002003332, Security Posture Using the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2). The focus of this technical update is to provide guidance on the various cyber security regulations, guidelines, and specifications that may be applicable to the electric sector. This update is not intended to provide new guidance but rather to present information on how to navigate and relate the diverse existing guidance that is applicable to the electric sector. To this end, several additional comparative analyses tables referenced in the other two documents will serve as a roadmap for utilities to use in understanding and applying the cyber security guidance. Information in the various tables will also help utilities implement their own cyber security programs and perform cyber security risk management activities, including risk and maturity assessments.

Security Posture using the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)

Security Posture using the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (co-author)

This report provides guidance for performing a capability maturity model assessment using the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2). Currently, the ES-C2M2 is intended for application at the organization level. This document includes application guidance that may be used by utilities to apply the ES-C2M2 to systems. This technical update addresses all ten domains in the ES-C2M2, and allocates the National Institute of Standards and Technology Interagency Report (NISTIR) 7628 security requirements to objectives and maturity indicator levels (MILs) within each of the ten domains. The results of the system assessment may be used to determine the security posture of utility systems.

Integrating Electricity Subsector Failure Scenarios into a Risk Assessment Methodology

Integrating Electricity Subsector Failure Scenarios into a Risk Assessment Methodology (co-author)

The purpose of this report is to specify a risk assessment process that may be used by utilities. Included are high-level diagrams that illustrate the risk assessment process at the security requirements and security-control-selection stages, as well as for ongoing assessment and for assessing emerging changes. These are generic high-level diagrams based on commonly available reference documents. A second objective of this report is to illustrate how to use the content of the National Electric Sector Cybersecurity Organization Resource (NESCOR) cyber security failure scenarios and impact analyses document in the risk assessment process. A cyber security failure scenario is a realistic event in which the failure to maintain confidentiality, integrity, and/or availability of sector cyber assets creates a negative impact on the generation, transmission, and/or distribution of power.

Cyber Security Strategy Guidance for the Electric Sector

Cyber Security Strategy Guidance for the Electric Sector (author)

This report provides guidance to utilities on developing an overall cyber security strategy, developing a risk management process (including a risk assessment process), and selecting and tailoring cyber security requirements for the electric sector. The National Institute of Standards and Technology Interagency Report (NISTIR) 7628, Guidelines for Smart Grid Cyber Security, is referenced along with other source documents and approaches. The goal is to provide practical guidance to an organization.
