The new guidelines for securing an intelligent power distribution network released build on a security framework released in January and are the product of a 450-member public-private working group headed by the National Institute of Standards and Technology.
A final set of guidelines for a smart-grid security architecture has been released by the National Institute of Standards and Technology, outlining how security requirements will be incorporated into the design of the nation’s next-generation power distribution system.
“The United States has embarked on a major transformation of its electric power infrastructure,” the interagency report states. “This vast infrastructure upgrade — extending from homes and businesses to fossil-fuel-powered generating plants and wind farms, affecting nearly everyone and everything in between — is central to national efforts to increase energy efficiency, reliability, and security; to transition to renewable sources of energy; to reduce greenhouse gas emissions; and to build a sustainable economy that ensures future prosperity.”
But security challenges will come with the new intelligent infrastructure.
“While integrating information technologies is essential to building the smart grid and realizing its benefits, the same networked technologies add complexity and also introduce new interdependencies and vulnerabilities,” the report states. “Approaches to secure these technologies and to protect privacy must be designed and implemented early in the transition to the smart grid.”
The three-volume Interagency Report 7628, “Guidelines for Smart Grid Cyber Security,” builds on an architecture for security and interoperability released by NIST in January. The guidelines provide a framework for developing effective cybersecurity strategies to address smart grid-related characteristics, risks and vulnerabilities. The methods and supporting information can be used to assess risk and identify appropriate security requirements.
“This approach recognizes that the electric grid is changing from a relatively closed system to a complex, highly interconnected environment,” the report states. “Each organization’s cybersecurity requirements should evolve as technology advances and as threats to grid security inevitably multiply and diversify.”
The report was prepared by the Cyber Security Working Group of the smart grid's Interoperability Panel, a public-private partnership launched by NIST with American Recovery and Reinvestment Act funding from the Energy Department. The guidelines are the second major output of NIST-coordinated efforts to identify and develop standards needed to convert the nation's aging electric grid into an advanced, digital infrastructure with two-way capabilities for communicating information, controlling equipment and distributing energy.
The smart-grid program was established in the Energy Independence and Security Act of 2007, which mandated that security be built into the system that would use intelligent networking and automation to better control the flow and delivery of electricity to consumers. This would require a two-way flow of electricity and information between the power plant and the end user, and to points in between. Security requirements are being developed using a high-level risk assessment process and are recognized as critical in all of the priority action plans discussed in the “Framework and Roadmap for smart-grid Interoperability Standards, Release 1.0,” (NIST Special Publication 1108) released in January.
“Given the transcending importance of cybersecurity to smart grid performance and reliability, this document ‘drills down’ from the initial release of the NIST Framework and Roadmap, providing the technical background and additional details that can inform organizations in their risk management efforts to securely implement smart grid technologies,” the report says.
Smart-grid security requirements will be developed for specific domains, business and mission functions and interfaces, as well as for the overall grid. But they are being developed at a high level and will not be spelled out for specific systems or components because of the impossible complexity of that job. The security requirements and architecture will address not only deliberate attacks but errors, failures and natural disasters that also could destabilize the grid.
The security architecture being developed will identify interfaces between functional domains of the new grid and categorize them according to the criticality of their data accuracy and availability. The constraints, issues and impacts of breaches at these interfaces will be considered for each category, and security requirements will be developed.
The guidelines identify 137 interfaces — points of data exchange or other types of interactions within or between different smart-grid systems and subsystems. They are assigned to one or more of 22 categories based on shared or similar functional and security characteristics. In all, the report details 189 high-level security requirements applicable either to the entire smart grid or to particular parts of the grid and associated interface categories.
The new report also includes:
- A description of the risk-assessment process used to identify the requirements.
- A discussion of technical cryptographic and key management issues across the scope of smart-grid systems and devices.
- Initial recommendations for addressing privacy risks and challenges pertaining to personal residences and electric vehicles.
- An overview of the process that the CSWG developed to assess whether existing or new standards that enable smart-grid interoperability also satisfy the high-level security requirements included in the report.
- Summaries of research needs.
The work of developing guidelines and standards for smart-grid security will continue as the security architecture continues to evolve. The process ultimately will deliver the hundreds of communication protocols, standard interfaces, and other technical specifications needed to build an advanced, secure electric power grid with two-way communication and control capabilities.
NEXT STORY: Can you trust your data recovery vendor?