State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to self-regulate, and another approach...
A holistic approach to smart-grid security.
of objectives and measures codified in the security roadmap and IAP. SDL includes instrumented, measurable quality gates; enabling artifacts that support its processes and practices; and maturity assessments and certifications. It guides manufacturing, development and testing standards for hardware, firmware and software, enabling best practices, knowledge management and process maturity.
A measurable, repeatable and evolvable approach to internal and external security testing is a core SDL component. Secure solution development depends on vulnerability assessment and testing that combines internal and independent third-party work, including active and passive black-, gray- and white-box penetration testing, automated code analysis, physical and low-tech penetration testing, social engineering and many other techniques.
Utilities and smart-grid solution providers often hear permutations of the following imperative from their own stakeholders: "Be as secure as the ATM and ACH networks." Regardless of any perceptions or reality about the security of these networks, especially in light of the high-profile breaches in recent years, the message in the industry is clear: "Develop an infrastructure that has undergone rigorous testing, will evolve to meet ever-changing threats, and exhibits the same or better security, resiliency, monitoring and other properties as the more established, battle-tested infrastructures that currently carry critical resources and information." Looking outside the utility industry for proven practice is one of the key aspects of smart-grid security.
In addition to addressing immediate concerns, utilities and solution providers must actively consider the future of smart-grid security. While challenging to sustain, an ongoing, meaningful dialogue between the two is a key enabler of long-term success. Utilities and solution providers can become mutually trusted security advisors by:
• Exchanging security expertise and lessons learned in order to drive improvements in solution and services offerings as well as utility implementations;
• Assessing available security technology and best practices to better mitigate risks, reduce costs and maximize efficiencies; and
• Encouraging a focus on, and sharing of, new technology ideas or developments with broad industry applicability.
These key aspects of successful and secure smart-grid implementations represent a core subset of an evolutionary and holistic security approach. By definition, this approach must continue to evolve in order to address the equally dynamic landscape of smart-grid needs, capabilities, standards, and of course security threats.
Smart-grid security influences many of the typical touch points of business-case development and enterprise architecture. These influences are often not properly recognized and addressed, which can jeopardize the realization of business outcomes and enterprise initiatives.
A key consideration is ensuring that enterprise architecture, risk management, facilities and information security resources are involved in all aspects of business-case development, smart-grid architecture, solution evaluation and, of course, solution implementation and business-case realization.
Utilities should make a concerted effort to consider the range of influences of smart-grid security. For example, when developing an AMI business case it’s important to account for the acquisition and recurring costs of additional security infrastructure, services and testing. Further, the utility will want to account for ongoing security services, infrastructure, training and industry participation in its fiscal planning, project planning and other key enterprise processes. Security isn’t a snapshot in time