State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to self-regulate, and another approach...
A Voice for Smart-Grid Security
Who will oversee the industry’s cyber standards?
the cyber security of the smart grid?
While any of these organizations might lay claim to authoritative responsibility, much work would need to be done to ease political tensions and perceptions of governance by people the industry perceives as outsiders. Electric utilities are steeped in the belief that their world is different from any other for good reasons. Nowhere else does one find electric power’s combination of unique market structure, specialized technical knowledge, and obligation to public service and safety. In order to be accepted and effective as the entity responsible for smart-grid security, an organization will have to prove it understands electric utilities. This is no small task, and the pressures of the day simply might not provide the luxury of learn-as-you-go for an organization unfamiliar with the electric power market, drivers, and regulations.
One organization that’s no stranger to electric power is the National Institute of Standards and Technology (NIST). The Energy Independence and Security Act of 2007 (EISA) assigned NIST the responsibility to coordinate the development of an interoperability framework for the smart grid, and until recently this role was an unfunded mandate. However, the American Reinvestment and Recovery Act of 2009 (ARRA) provided NIST with substantial funds, $10 million of which were transferred from the Department of Energy to “develop a comprehensive framework for a nationwide, fully interoperable smart grid for the U.S. electric power system.” 4 NIST subsequently contracted with the Electric Power Research Institute (EPRI) to help develop this framework, and work has been carried out at a furious pace since April of this year.
NIST is a proven leader in facilitating standards and technology development; however, it lacks significant experience as an agency of enforcement. While the organization might be quite capable of such a role, the authoritative responsibility for smart-grid security would be a new type of endeavor for NIST, and current indications don’t suggest it has any agenda on this front. The agency also is more than a bit busy at the moment, leading the industry in efforts to develop the interoperability framework. Assumptions are dangerous things, however, especially in the world of security. Even if NIST never makes a move in this direction, its activities certainly are worth tracking.
United We Stand
The security of the smart grid depends on the actions of many. Smart-grid applications will push communications technologies to the furthest endpoints of the electric system, from the transmission substation to the distribution system to the meter all the way into the customer premises. The magnitude of impact from this fundamental paradigm change is difficult to overstate. The grid is transitioning from a relatively isolated system operated by a very small, highly trained set of known individuals to a completely connected, fuzzily-bordered system that invites everyone and everything to participate. Security must not only be built into the smart grid from the beginning—it must be engineered at each point and every level.
The key point, however, is that the smart grid is pushing control further and further out into the system. The single remote disconnect of a meter might not