News Media Contact: (202) 586-4940
For Immediate Release: May 23, 2012

Department of Energy Releases Electricity Subsector Cybersecurity Risk Management Process (RMP) Guideline
Public-Private Sector Collaboration Produces Guidance to Help Electric Utilities Better Understand and Assess Cybersecurity Risk

WASHINGTON, DC - The Department of Energy’s (DOE) Office of Electricity Delivery and Energy Reliability, in collaboration with the National Institute of Standards and Technology (NIST) and the North American Electric Reliability Corporation (NERC), today released guidance to help utilities better understand their cybersecurity risks, assess severity, and allocate resources more efficiently to manage those risks. The Electricity Subsector Cybersecurity Risk Management Process (RMP) guideline, which provides a flexible approach to managing cybersecurity risks across all levels of the organization, was developed by a public-private sector team that was led by the Office of Electricity Delivery and Energy Reliability and included representatives from across the industry. 

“Addressing cybersecurity is critical to enhancing the security and reliability of the nation’s electric grid and must be done in a cost-effective manner,” said Patricia Hoffman, Assistant Secretary for the Office of Electricity Delivery and Energy Reliability. “The Department of Energy has been working closely with the Department of Homeland Security, other government agencies, and industry for years to reduce the risk of energy disruptions due to cyber attack. The RMP guideline provides utilities with consistent, adaptable solutions that help them manage their cybersecurity risks more effectively.”

Feedback provided by industry, vendors, and other electricity subsector stakeholders during two comment periods was invaluable in refining the final RMP guideline. The guideline is now available for downloading. 

The electricity subsector increasingly relies on digital technology to reduce costs, increase efficiency, and maintain reliability during the generation, transmission, and distribution of electric power. Managing cybersecurity risk is critical to the success of organizations in achieving their strategic goals and objectives, including reliability, resiliency, security, and safety.

DOE has a long history of working closely and steadily with Federal partners, including the Department of Homeland Security, on cybersecurity for the North American electric grid. All of these activities align with the Roadmap to Achieve Energy Delivery Systems Cybersecurity, which was released in September 2011 by DOE and outlines a strategic framework over the next decade to design, install, operate, and maintain a resilient energy delivery system capable of surviving a cyber incident while sustaining critical functions.

The Electricity Subsector Cybersecurity Risk Management Maturity Initiative, which will tie together elements from existing cybersecurity efforts to develop a common model that allows electric utilities and grid operators to assess their cybersecurity capabilities and assist in prioritizing their investments, is the next logical step in a continued effort by public and private stakeholders to identify steps to improve the cybersecurity of the electric grid. The Electricity Subsector Cybersecurity Capabilities Maturity Model is expected to be available to the electricity subsector this summer.

To learn more about national efforts to ensure a reliable, secure, and resilient electric grid, visit the Office of Electricity Delivery and Energy Reliability.