Just this week on Tuesday, NIST published release 1.0 of the smart grid interoperability standards. Most notably, this is the first attempt to address cyber security in smart grid deployments. This release points to various standards that can be used for implementing interoperability and security controls, and it’s fair to say that it plants the seeds for what should become comprehensive, control-driven guidelines for implementing various aspects of smart grid.
The timing of this report is perfect, as current smart grid rollouts are often criticized for lack of proper security controls. Our utility customers have shown similar concern about the lack of planning for information security before the roll out phase. This lack of security and risk management perspective in the smart grid ecosystem can jeopardize the overall objective of these smart energy initiatives, and it’s about time that we devise a game plan going forward.
The NIST publication will be an important piece of work as it brings various standards, bodies, and regulators like IEEE, NERC, and FERC to the table. Note, this is not a control based standard like others published by NIST, but a guideline to other frameworks that should be referenced when working in a smart ecosystem. A more control based work on cyber security in smart grid is in development and the draft of these standards is available for public review.
A few important highlights to pay close attention to in the cyber security sections are:
Outlining the cyber security strategy. The overall strategy defines the complexity of the ecosystem and vulnerabilities that are associated with it. It entails alignment with proper frameworks at each stage of implementation to maintain confidentiality, integrity, and availability of data.
Defining cyber security’s role for the energy sector. According to President Obama’s mandate, modernization of the electric grid is a top priority. Cyber security strategy is an important ingredient to protecting grid infrastructure and retaining reliability of the information and services. For example, Department of Energy (DOE) has an energy sector-specific plan that calls for effective risk management programs and secure communication.
Defining the scope of cyber security. The cyber security sections of the guidelines include electronic information, communication systems and services, as well as the information contained in these systems and services. It also defines two approaches for security and risk management, namely 1) top-down – deals with components/domains and their interconnection, and 2) bottom-up – identifies vulnerability classes, such as protocol errors.
Mapping standards specific to smart grid. The NIST guidelines explain that cyber security for smart gird should be based on prevention, response, and recovery strategy in the event of cyber attack. It states, “Implementation of a cyber security strategy requires the definition and implementation of an overall cyber security risk assessment process for the Smart Grid”. This section also provides a set of frameworks that are relevant to smart grid implementation. Moreover, it lays out five specific tasks for cyber security strategy, which are:
Task 1. Selection of use cases with cyber security considerations
Task 2. Performance of a risk assessment
Task 3. Specification of high level security requirements
Task 4a. Development of security architecture, and Task 4b. Assessment of Smart Grid standards
Task 5. Conformity assessment
This publication should give some guidance to the smart grid projects currently underway, but more importantly will provide a platform to build a long term strategy that should be adopted by the various constituencies (utilities, regulators, power equipment manufacturers, retail service providers, and electricity and financial market traders) to mitigate risks related to smart rollouts.
As always, I’d love to hear your thoughts and experiences.