State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to selfregulate, and another approach...
A holistic approach to smart-grid security.
individual customer demands, marketing strategies, acquisitions and other factors, without sufficient consideration of potential security threats presented by new business or technical functionalities. Remote firmware updates, as one example, provide great potential benefits to an organization, yet without sufficient capabilities—for separation of duties, source authentication, code signing and encryption, completion checks and rollback functions—a significant risk could be introduced into the AMI system.
The inherent characteristics of many AMI systems present a significant threat surface for security vigilance. A majority of AMI endpoint assets are physically dispersed over wide areas with few, if any, physical controls. The fact that these endpoints might provide functionality beyond metering ( e.g., appliance control), and also might be manufactured and supplied by a variety of sources, means that AMI providers need to ensure that their own infrastructure is as secure as possible and resilient to potential threats they can’t predict from sources over which they have little or no influence.
Intermediate field-deployed assets, such as collectors and extenders, as well as the pervasive integration of head-end systems, also may present their own vulnerabilities and introduce potential risks for malicious endpoint and system control, including systems outside the immediate AMI sphere of concern, such as meter-data-management systems and outage-management systems.
Modern AMI systems have incorporated, to varying degrees, sophisticated software development, middleware and integration capabilities into their fabric. This means AMI systems now can provide usage information for meter data management and billing, as well as low latency, bi-directional interfaces to such operational systems as outage management, demand response and others. These capabilities hold huge potential for making the grid smarter, and they also radically increase the threat surface, not only for AMI, but also for the entirety of the interconnected systems and their associated business processes.
It isn’t difficult to imagine an attack that takes malicious control of other operational systems connected to AMI because the systems didn’t incorporate sufficient security controls at their integration points. Even the potential effects of an inadvertent AMI load shed, potentially initiated en masse and by accident from an existing customer-service system process, should be enough to make utilities, vendors and other grid stakeholders think very seriously about their security posture and controls. The expanding role that AMI systems play in the smart grid demands a holistic and equally evolutionary approach to security.
As security imperatives have ramped up over the past few years, providers of AMI and other solution offerings and services have faced intense scrutiny from existing and potential utility clients around their security controls and features. Although the conversations between vendors and utilities have become much more constructive and extensive, the typical view of solution security is often too limited.
Utility focus often is skewed toward discovering how solutions have implemented specific controls versus the provider’s overall approach to security in the solution. For example, it’s important to ask if a provider uses a virtual private network (VPN) in the solution and what kind of VPN, but probably more important is discovering the roles of all communications channels being used throughout the solution, the