State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to self-regulate, and another approach...
A holistic approach to smart-grid security.
and it isn’t a destination. Security requires ongoing investments across infrastructure, processes, knowledge and other core areas of the enterprise.
Investments in marketing and communications to utility customers and other key stakeholders around smart-grid security also should be recognized. Many utility customers, for example, are concerned by mainstream media reports of hackers shutting off their power, the utility spying on how they use electricity and the resultant privacy concerns, and many other aspects of the paradigm shift to smart grid. Utilities must proactively cultivate stakeholder buy-in as capital to offset situations ranging from implementation challenges to the ongoing FUD factor (i.e., fear, uncertainty and doubt) introduced by mainstream media.
The granting of funds for smart-grid investment comes with the potential for security and operational audits of the utility plans on which the funding is predicated. With this in mind, preparation for future audits should address resources, remediation costs and even damages and capital.
Smart-grid security likely will drive a wave of changes to policies, processes, technology, organizational constructs and other areas including the supporting data, information and knowledge value chain. These changes will impact a range of stakeholders including customers, staff, external partners and others, and will present operational and organizational challenges.
Smart-grid security will require the development or redesign of organizational processes, with one classic example being remote disconnect and reconnect. Utilities will need to think broadly and deeply around triggering events, separation of duties, throttling and other aspects of a remote disconnect process. This process likely will be one that spans the white space between discrete system domains such as AMI, CIS, customer self-service and others.
New integration paradigms also will need to be developed to support smart-grid capabilities. Typically, this involves a much better understanding of the process, application, and data integration points, both extant and required, as well as the mechanisms ranging from manual to file-based to service-based integration. For example, using the remote-disconnect scenario, not only do organizations have various security aspects to consider, but they also must ensure that only authentic and authorized entities—including users, systems, processes and others—are able to interact in a meaningful way with the infrastructure implementing remote disconnect. Since the process context may span multiple system domains, it’s crucial to ensure that remote disconnects have a transactional context (i.e., an operation was requested, executed and verified across the entire process domain, versus just sending out 100 remote disconnect commands from the customer-service system to the head-end system).
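The remote-disconnect controls described above, as an added example that is not from the article: a small Python service (hypothetical names, with a constructed in-memory stand-in for the AMI head-end) that enforces separation of duties between requester and approver, throttles executions per time window, and records each request as requested, executed and verified, so that commands the meter never confirmed surface for reconciliation instead of being assumed complete.

```python
from collections import deque

class PolicyViolation(Exception):
    """Raised when a disconnect request fails a control check."""

class SimulatedHeadEnd:
    """Constructed stand-in for an AMI head-end; unreachable meters silently drop commands."""
    def __init__(self, meters, unreachable=()):
        self.state = {m: "connected" for m in meters}
        self.unreachable = set(unreachable)
    def send(self, meter_id, command):          # fire-and-forget, like a real command queue
        if meter_id in self.state and meter_id not in self.unreachable:
            self.state[meter_id] = "disconnected" if command == "DISCONNECT" else "connected"
    def read_state(self, meter_id):             # on-demand read-back from the meter
        return self.state.get(meter_id)

class DisconnectService:
    WINDOW_SECONDS = 3600
    def __init__(self, headend, max_per_window=10):
        self.headend = headend
        self.max_per_window = max_per_window
        self.recent = deque()     # execution timestamps inside the throttling window
        self.audit = []           # one transactional record per request

    def disconnect(self, meter_id, requester, approver, now):
        # Separation of duties: the requester (e.g. a CIS or self-service user) cannot self-approve.
        if requester == approver:
            raise PolicyViolation("requester and approver must differ")
        # Throttling: bound how many disconnects may execute per window.
        while self.recent and now - self.recent[0] >= self.WINDOW_SECONDS:
            self.recent.popleft()
        if len(self.recent) >= self.max_per_window:
            raise PolicyViolation("disconnect rate limit reached for this window")
        if self.headend.read_state(meter_id) is None:
            raise PolicyViolation(f"unknown meter {meter_id}")
        record = {"meter": meter_id, "requested_by": requester,
                  "approved_by": approver, "at": now, "state": "requested"}
        self.audit.append(record)
        # Execute: hand the command to the head-end and count it against the window.
        self.headend.send(meter_id, "DISCONNECT")
        self.recent.append(now)
        record["state"] = "executed"
        # Verify: the transaction closes only when the meter's read-back confirms it.
        confirmed = self.headend.read_state(meter_id) == "disconnected"
        record["state"] = "verified" if confirmed else "unverified"
        return record

    def unverified(self):
        """Requests that were sent but never confirmed, for reconciliation."""
        return [r for r in self.audit if r["state"] == "unverified"]
```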
Compliance policies, processes and information will need to be instantiated or extended relative to smart-grid investment. Funding constraints may proscribe using existing infrastructure, such as IT assets, for AMI initiatives, and many funding recipients have adopted a net-new infrastructure policy. Obviously, this directly would affect business-case inputs relative to acquisition, licensing and support costs, among others.
A secure smart grid also requires changing the processes, policies and interactions involving external partners such as billing and other infrastructure and service providers. In many cases, these entities have not dealt with stringent security constraints to their access and usage of relevant information and