Electricity Subsector Cybersecurity Risk Management Process
What is Risk Management?

    Risk management is about people
    • It’s about organizing people
    • It’s about communication between people
    • It’s about the safety of people




Office of Electricity Delivery and Energy Reliability   2
Risk Management: Safety Example

    • Radiological Work
            – Risk to personnel safety
            – Implemented processes and procedures to
              provide a consistent approach to managing risk
            – Risk tolerance and risk assessment built into
              processes and procedures
            – Allows for getting work done while ensuring
              adequate risk mitigation


Risk Management: Safety Example (cont'd)

    • It’s about the people
            – Clearly communicate risks
                    • Awareness
                    • Procedures, plans, policies
            – Educate workforce on risks
                    • Training
                    • Testing
            – Provide processes for re-assessing risk
                    • Dry-runs
                    • Project team meetings
So What is the RMP About?

    • It’s about people and the organizations in
      which they operate
            – How to organize people to effectively make risk-informed
              decisions
            – Target of RMP is cybersecurity risk but fundamentally
              could be applied to any risk management domain

    Electricity subsector organizations deal with risk every day in
    meeting their business objectives…this management of risk is
    conducted as an interactive, ongoing process as part of normal
    operations.
Guiding Principles of the RMP

    • Describe “what” not “how”

    • Adaptable to any size or type of
      organization

    • Cybersecurity alignment with
      mission and business processes

    • Based on NIST 800-39: Managing
      Information Security Risk
Risk is Part of Any Activity

    You have to accept some risk to get stuff done…but you
    don’t blindly accept that risk

    • Organizations must understand the risks
    • Evaluate risks
    • Decide on reasonable measures to minimize risks
    • Periodically re-assess risks




RMP Overview: Risk Management Model

    • The risk management model is a
      three-tiered structure that provides
      a comprehensive view of an
      organization

    • It provides a structure for how
      cybersecurity risk management
      activities are undertaken across an
      organization

    • Strategy is communicated down
      through the organization, risk
      evaluations are communicated up


RMP Overview: Risk Management Cycle

  • The risk management cycle provides
    four elements that structure an
    organization’s approach to
    cybersecurity risk management

  • The risk management cycle is not
    static but a continuous process,
    constantly re-informed by the
    changing risk landscape as well as by
    organizational priorities and functional
    changes




RMP Overview: Risk Management Cycle (cont'd)

    • Risk Framing
            – Describes the environment in which decisions are made
            – Assumptions, constraints, tolerance, priorities
    • Risk Assessment
            – Identify, prioritize, and estimate risk to organization
            – Includes supply chain and external service providers
    • Risk Response
            – How the organization responds to risk
            – Develop courses of action and implement
    • Risk Monitoring
            – How risks are monitored and communicated over time
            – Verify and evaluate risk response measures


RMP Overview: Risk Management Process

    The risk management process is the application of the risk
    management cycle to each of the tiers in the risk management model.




RMP Overview: Fundamental Elements

    Governance
            – In developing a governance structure, the organization
              establishes a risk executive function responsible for the
              organization-wide strategy to address risks, establishing
              accountability.
            – Can take on many forms and will vary depending on the
              size, type, and operations of the organization
            – This element is important to providing a consistent and
              effective approach to managing risk




RMP Overview: Fundamental Elements (cont'd)

    Cybersecurity Architecture
            – An embedded, integral part of the enterprise architecture
              that describes the structure and behavior for an
              enterprise’s security processes, cybersecurity systems,
              personnel, and subordinate organizations, showing their
              alignment with the organization’s mission and strategic
              plans
            – Categorizing IT and ICS into levels by risk and value to
              mission and business processes
            – Allocating cybersecurity controls to systems



RMP Implementation Challenges

    • Tier 1
            – Determining priorities
            – Providing strategic guidance
    • Tier 2 (Possibly most challenging)
            – De-conflicting Tier 3 (system-level) priorities with Tier 1 priorities
            – Implementing change: plans & procedures
    • Tier 3
            – Implementing technical solutions
            – Communicating technical challenges


Why Implement the RMP?

    • Equip your organization to make better informed
      cybersecurity decisions and investments
            – Protect your investment (systems & equipment)
            – Better serve your customers
    • Build an organization equipped to meet future
      cybersecurity challenges
            – Sustainability and continuity through policies, plans,
              procedures
            – Not solely dependent on individuals
    • Build an industry-wide common approach leading to
      improved cybersecurity capability
RMP: Next Steps

    • RMP Case Study
            – Fictional story
            – Illustrates how an organization may implement the RMP
    • RMP Pilot
            – Work with 1-3 organizations to implement the RMP
            – Approx. 1 year engagement
            – Capture lessons learned and best practices
    • RMP Website
            – Develop a resource center for the RMP
            – Provide additional content

Final Thoughts


    As you read through the RMP, think about your
    organization and the people within it – for each
    element, consider your organization’s goals and its
    organizational culture in deciding “how” best to do it.




RMP Information

    • Energy.gov: Office of Electricity Delivery and Energy Reliability
    • http://energy.gov/oe/downloads/cybersecurity-risk-management-process-rmp-guideline-final-may-2012


    My Contact Info:
    Matt Light
    U.S. Department of Energy
    matthew.light@hq.doe.gov

BACKUP SLIDES




Capability Maturity Model Overview

    [Figure: Maturity Indicator Levels (vertical axis), from lowest to
    highest: Not Performed, Initiated, Performed, Managed, (reserved);
    plotted against Model Domains (horizontal axis)]
Sample Model Text from THREAT Domain

    [Figure: sample model text from the THREAT domain]

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 

Electricity Subsector Cybersecurity Risk Management Process

2. What is Risk Management?
Risk management is about people
• It’s about organizing people
• It’s about communication between people
• It’s about the safety of people
Office of Electricity Delivery and Energy Reliability

3. Risk Management: Safety Example
• Radiological Work
  – Risk to personnel safety
  – Implemented processes and procedures to provide a consistent approach to managing risk
  – Risk tolerance and risk assessment built into processes and procedures
  – Allows for getting work done while ensuring adequate risk mitigation

4. Risk Management: Safety Example cont’d
• It’s about the people
  – Clearly communicate risks
    • Awareness
    • Procedures, plans, policies
  – Educate workforce on risks
    • Training
    • Testing
  – Provide processes for re-assessing risk
    • Dry-runs
    • Project team meetings

5. So What is the RMP About?
• It’s about people and the organizations in which they operate
  – How to organize people to effectively make risk-informed decisions
  – The target of the RMP is cybersecurity risk, but fundamentally it could be applied to any risk management domain
Electricity subsector organizations deal with risk every day in meeting their business objectives… this management of risk is conducted as an interactive, ongoing process as part of normal operations.

6. Guiding Principles of the RMP
• Describe “what” not “how”
• Adaptable to any size or type of organization
• Cybersecurity alignment with mission and business processes
• Based on NIST SP 800-39: Managing Information Security Risk

7. Risk is Part of Any Activity
You have to accept some risk to get stuff done… but you don’t blindly accept that risk
• Organizations must understand the risks
• Evaluate risks
• Decide on reasonable measures to minimize risks
• Periodically re-assess risks

8. RMP Overview: Risk Management Model
• The risk management model is a three-tiered structure (Tier 1: organization; Tier 2: mission and business processes; Tier 3: IT and ICS systems, as in NIST SP 800-39) that provides a comprehensive view of an organization
• It provides a structure for how cybersecurity risk management activities are undertaken across an organization
• Strategy is communicated down through the organization; risk evaluations are communicated up

9. RMP Overview: Risk Management Cycle
• The risk management cycle provides four elements that structure an organization’s approach to cybersecurity risk management
• The risk management cycle is not static but a continuous process, constantly re-informed by the changing risk landscape as well as by organizational priorities and functional changes

10. RMP Overview: Risk Management Cycle cont’d
• Risk Framing
  – Describes the environment in which decisions are made
  – Assumptions, constraints, tolerance, priorities
• Risk Assessment
  – Identify, prioritize, and estimate risk to the organization
  – Includes supply chain and external service providers
• Risk Response
  – How the organization responds to risk
  – Develop courses of action and implement them
• Risk Monitoring
  – How risks are monitored and communicated over time
  – Verify and evaluate risk response measures

11. RMP Overview: Risk Management Process
The risk management process is the application of the risk management cycle to each of the tiers in the risk management model

12. RMP Overview: Fundamental Elements
Governance
  – In developing a governance structure, the organization establishes a risk executive function responsible for the organization-wide strategy to address risks, establishing accountability
  – Can take on many forms and will vary depending on the size, type, and operations of the organization
  – This element is important to providing a consistent and effective approach to managing risk

13. RMP Overview: Fundamental Elements
Cybersecurity Architecture
  – An embedded, integral part of the enterprise architecture that describes the structure and behavior of an enterprise’s security processes, cybersecurity systems, personnel, and subordinate organizations, showing their alignment with the organization’s mission and strategic plans
  – Categorizing IT and ICS into levels by risk and value to mission and business processes
  – Allocating cybersecurity controls to systems

14. RMP Implementation Challenges
• Tier 1
  – Determining priorities
  – Providing strategic guidance
• Tier 2 (possibly the most challenging)
  – De-conflicting Tier 3 (system-level) priorities with Tier 1 (organization-level) priorities
  – Implementing change: plans and procedures
• Tier 3
  – Implementing technical solutions
  – Communicating technical challenges

15. Why Implement the RMP?
• Equip your organization to make better-informed cybersecurity decisions and investments
  – Protect your investment (systems and equipment)
  – Better serve your customers
• Build an organization equipped to meet future cybersecurity challenges
  – Sustainability and continuity through policies, plans, procedures
  – Not solely dependent on individuals
• Build an industry-wide common approach leading to improved cybersecurity capability

16. RMP: Next Steps
• RMP Case Study
  – Fictional story
  – Illustrates how an organization may implement the RMP
• RMP Pilot
  – Work with 1-3 organizations to implement the RMP
  – Approx. 1 year engagement
  – Capture lessons learned and best practices
• RMP Website
  – Develop a resource center for the RMP
  – Provide additional content

17. Final Thoughts
As you read through the RMP, think about your organization and the people within it: for each element, consider your organization’s goals and its organizational culture in deciding “how” best to do it.

18. RMP Information
• Energy.gov: Office of Electricity Delivery and Energy Reliability
• http://energy.gov/oe/downloads/cybersecurity-risk-management-process-rmp-guideline-final-may-2012
My Contact Info: Matt Light, U.S. Department of Energy, matthew.light@hq.doe.gov

19. BACKUP SLIDES

20. Capability Maturity Model Overview
(Figure: Maturity Indicator Levels, from lowest to highest: Not Performed, Initiated, Performed, Managed, plus one reserved level, plotted against the Model Domains.)

21. Sample Model Text from THREAT Domain
(Figure: sample model text from the THREAT domain.)

Editor’s notes

1. Posture is contextual; it is relative to a threat
  – 17 successful pilots; 10 on waiting list
  – 100’s of comments from >40 industry experts
  – 30-member advisory group to guide development
  – Engaged 50 utilities, 8 gov’t organizations, 6 industry associations, 2 national labs, 1 FFRDC
  – Joint commitment to path forward

2. Key Points:
  – Development leveraged existing resources and the expertise of security practitioners from utilities
  – Fast-paced: ~4.5 months of development
  – Model: 10 domains, 4 defined maturity indicator levels (MIL), 1 reserved MIL, 27 domain themes + 10 common themes (1 per domain), 310 practices
  – Survey -> automated scoring
  – Pilot participants represented IOUs, COOPs, and Munis, and covered generation, transmission, distribution, and markets functions
  – Pilot participants provided helpful feedback on the structure and language of the model and on the presentation of results
  – Pilot participants reported that the process was valuable to them; some have already reported making improvements to their cybersecurity practices