A Voice for Smart-Grid Security
Who will oversee the industry’s cyber standards?
a means to address a cross-cutting concern such as cyber security? First and foremost, the industry must reach consensus on a set of requirements for smart-grid security.
The set of smart-grid security requirements with the broadest acceptance in the utility community today is the “Advanced Metering Infrastructure System Security Requirements” produced by the AMI-Security Task Force (AMI-SEC) as part of the UCA International Users Group (UCAIug). This work currently is being transformed from AMI-specific guidance into specifications for the entire smart grid through the activities of the U.S. Department of Energy (DOE), the UtiliSec Working Group (also part of the UCAIug) and the NIST Cyber Security Coordination Task Group (CSCTG).
The NIST CSCTG work represents the cyber-security component of NIST’s smart-grid interoperability framework effort. The organization is taking a broad sampling of input in this process, leveraging industry experts for core document composition, while engaging the industry in commentary, use-case review, requirements gathering, and feedback. NIST is receiving tremendous support from the industry in this effort: participation in face-to-face workshops and volunteer offerings from vendors, utilities, and consultants alike are strong. This activity offers clear proof that the industry is ready and willing to step up to the plate when the call is made for cyber-security guidance. NIST’s challenge here won’t be in development of new material, but rather in coalescing a heterogeneous assembly of sound, high-quality standards and specifications.
The foremost organization defining these specifications today is the UtiliSec Working Group—a utility-driven industry collaborative focused on producing vendor-neutral requirements for smart-grid security. Interestingly, UtiliSec is following a pattern set by the AMI-SEC Task Force in 2008 of forming a public-private partnership to fund industry experts and get the real work done. This unique approach addressed two critical issues with industry collaborative efforts: lack of resource accountability and scarcity of essential knowledge and experience.
While volunteer efforts are commendable and illustrate industry support, the pace of the resultant technical work often suffers due to an inability to authoritatively assert priority in the schedules of key resources. In a single organization this may be overcome by managerial direction. But when critical participants are spread across numerous organizations, priorities have a way of slipping out of synchronization. The original AMI Security Acceleration Project (ASAP) proved that utilities, government, and academia could pull together to surmount the challenges of prioritization and resource availability by forming an actionable and accountable, project-oriented team. This team produced a landmark smart-grid security document in an extraordinarily short timeframe (about six months), titled “AMI System Security Requirements”—sometimes abbreviated and merged with the task force name as the “AMI-SEC SSR.”
While the AMI-SEC SSR has been very well received in the industry, it isn’t perfect and could stand improvement in two primary areas. First, the AMI-SEC SSR is a thick, somewhat intimidating document that neither segments readily nor is easy to consume. Second, the document was written for those with an explicit understanding of advanced metering infrastructure. Fortunately, the ASAP team had the foresight to assume the underlying communications infrastructure of AMI might be used for other