Assessing Smart Grid Cybersecurity Risk Management with NISTIR 7628

Energy and Utility organizations, driven by regulatory requirements and the desire to demonstrate a strong security posture, can turn to the NIST Cybersecurity Framework and NISTIR 7628 for guidance. The National Institute of Standards and Technology Interagency Report 7628 (NISTIR 7628), Guidelines for Smart Grid Cybersecurity, is a three-volume report that presents a cybersecurity framework organizations can follow to develop effective cybersecurity strategies tailored to the security challenges of operating a smart grid advanced metering infrastructure (AMI). Using NISTIR 7628 in conjunction with the NIST Cybersecurity Framework helps organizations develop and implement controls and communicate risks and vulnerabilities to their executives. Utilities and third-party service providers (e.g. energy management providers, and electric vehicle and charging station service providers) can all leverage NISTIR 7628 to assess risk and implement appropriate security requirements.

Risk management planning is a continuous process and a crucial part of ensuring that processes are followed and technical requirements are met when securing smart grid systems. It allows an organization to evaluate and fully address the risks and vulnerabilities in its smart grid system. NISTIR 7628 has six risk management and assessment requirements, which can be broken down into two major themes: policies and procedures, and assessment actions.

Risk Management and Assessment Requirements

Policies and Procedures

  • Policy and procedures
  • Risk management plan
  • Security impact level

Assessment Actions

  • Risk assessment
  • Risk assessment update
  • Vulnerability assessment and awareness


Policies and Procedures

NISTIR 7628’s risk management and assessment requirements focus on the creation of policies, procedures, and plans within the organization. These requirements ensure that risk assessment policies are developed, implemented, updated, and regularly reviewed by the organization. The risk management plan addresses how risk-reduction mitigation strategies are planned, implemented, and monitored to ensure the plan remains effective. The security impact level requirement specifies that the impact level designation is based on priority, need, and the level of protection required, taking into account the consequences of a loss of availability, integrity, or confidentiality of the smart grid system.

Assessment Actions

These requirements focus on the actions taken to protect the smart grid system. Risk assessments within the organization should be updated at a pre-defined frequency, when significant changes are made to the system, or when the security of the smart grid may be affected. Risk assessments also take into account threat sources, vulnerabilities, risk tolerances, and the security mechanisms planned, in order to determine the residual risk posed to the organization. The organization also monitors and evaluates the smart grid system according to the risk management plan to identify risks and vulnerabilities that may affect its security. Other responsibilities include analyzing vulnerability scan reports, remediating vulnerabilities within a defined time frame, sharing vulnerability scan information with designated organizational personnel, and updating the list of smart grid vulnerabilities when new ones are identified.

To reduce your organization’s risk, it is vital to have a risk management program in place. Risk management provides assurance that an organization can develop and implement an effective plan to prevent loss, or to reduce the impact if a loss occurs. Having a risk management plan doesn’t eliminate risk, but it demonstrates that your organization is committed to operating a secure smart grid AMI.

West Monroe Partners advises its Energy and Utility clients to use NISTIR 7628 along with the NIST Cybersecurity Framework to help their organizations manage risk and improve their overall security posture.

NISTIR 7628 Cybersecurity framework:

NIST Framework for Improving Critical Infrastructure Cybersecurity:

Have you considered adopting NISTIR 7628 or other security frameworks? This post shows how NIST provides guidance on managing risk in your organization. If you would like to discuss this in more detail, feel free to reach out to us. Contact Dan Frein at

Phone: 312-602-4000
222 W. Adams
Chicago, IL 60606