Thursday, September 29, 2011

Prepping for the Risk Management Process (RMP) Panel

In San Diego, Wednesday morning of next week I'll have the good fortune to be moderating a panel comprised of some of our industry's heavy hitters, including:
  • Marianne Swanson, CSWG Chairperson, NIST
  • Craig Miller, PM, National Rural Electric Cooperative Association (NRECA)
  • Lisa Kaiser, Security Consultant, DHS
  • Matthew Light, Infrastructure Analyst, Office of Electricity Delivery and Energy Reliability, DOE
  • James Sample, Director, NERC Critical Infrastructure Protection, Pacific Gas & Electric
As you may or may not know, a new document (in draft) which ties all of these organizations (and FERC and NERC and more) together has been released for public comment. Called the "Electricity Sector Cybersecurity Risk Management Process (RMP) Guideline" or RMP for short, it's viewable HERE and you can register to make comments HERE.

During the panel session, we'll be moving quickly through intros and prepared Q&As so that the audience will have ample time to ask questions of the panelists.

But here's an ultra short intro to the doc in case you won't get a chance to be there in person or to look at the draft yourself. One way I've heard it described is to say the RMP attempts to blend and extend traditional IT security with OT and thereby bridge internal utility stovepipes. That's ambitious for sure but, most would agree, sorely needed.

The draft breaks out the following objectives right up front, presented here, with my color commentary in color:
  • "Effectively and efficiently implement a risk management process (RMP) across the whole organization" - So they're saying there should be policy that extends across the entire enterprise; that'll be new to most utilities.
  • "Establish the organizational tolerance for risk and communicate throughout the organization including guidance on how risk tolerance impacts ongoing decision making" - Figuring out how much risk is acceptable and how much is too much is classic business case material. To do this you have to do some solid translation between cybersecurity geek speak and hard business requirements ... should be interesting to say the least, but definitely well worth the effort.
  • "Prioritize and allocate resources for managing cybersecurity risk" - Prioritizing with confidence becomes possible once you've got a defined and level playing field. This could be quite refreshing for execs who get this far.
  • "Create an organizational climate in which cybersecurity risk is considered within the context of the mission and business objectives of the organization" - Culture change 101, but much more difficult by far than technology change IMHO.
  • "Improve the understanding of cybersecurity risk and how these risks potentially impact the mission and business success of the organization" - Also sorely needed and well worth the effort: drawing solid line connections, where they exist, between cybersecurity and reliability. If it's not about reliability, or some of the lesser values like efficiency, or cost effectiveness, why bother?
OK, that's enough for now. I'll try to take notes so I can write up the RMP panel session highlights here afterwards. Meanwhile, you can click HERE for the conference website if you seek more info.