State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to selfregulate, and another approach...
A holistic approach to smart-grid security.
options for securing those channels, and what the vendor enables.
When utilities explore candidate smart-grid solutions, they are particularly concerned around the security controls and features of the solution—and rightly so. Often left unexplored, however, are the processes and practices that the solution providers are living and breathing every day. It’s important to understand the penetration tests that have been done for a particular solution, but even more important to understand how the provider has instantiated a repeatable security development lifecycle as part of a larger product-development lifecycle.
Utilities justly are concerned about these and many other security aspects in the candidate smart-grid solutions they explore. The question is: Can they shine the same bright light on themselves? Too often, utilities will hold solution providers to standards they simply don’t emulate themselves. For example, using the corporate directory infrastructure to provide authentication and authorization services to an AMI solution, without sufficient controls on that directory infrastructure itself, could present a significant risk of attack to critical cyber assets.
Secure Smart-grid Implementations
To implement smart-grid solutions that incorporate core principles of layered, reinforcing controls providing in-depth defense, utilities and solution providers must share the responsibility of achievement. A number of key aspects, if viewed as mutual responsibilities, will help to enable utilities and their solution providers to mitigate security risks and exposures (see Figure 1) .
Utilities and solution providers should begin by embodying a proactive security stance, evaluating and addressing the principles of smart-grid security across both individual solutions and their entire spectrum of initiatives. Objectives of such a security stance may include preventing data theft, minimizing manufacturing and maintenance costs, preventing malicious uses, and logging and auditing all modifications, among many others.
An evolvable security roadmap is needed to guide the organization’s strategic intent relative to security, as well as the other aspects of the organization’s security stance including policies, processes, product development, features and functions, etc. Analogous to a good business case in many respects, the security roadmap provides greater granularity in the near- and medium-term timeframes. Inputs to the roadmap include business drivers, regulatory constraints, current and emerging standards, competitive landscape, and potential system vulnerabilities and risks. The roadmap: 1) expresses the business case for security investment including expected return on investment (ROI); 2) conveys formal security requirements; 3) plans for appropriate certifications from recognized organizations; and 4) defines assessment, remediation, verification and prevention of vulnerabilities.
The roadmap should set forth an information assurance process (IAP) to guide internal and external security governance with rationale, objectives, metrics and priorities. The IAP includes supporting processes, artifacts and other substantive framework. The IAP guides internally focused security processes such as confidentiality and protection of intellectual property, trade secrets and other critical information. It also ensures coherence and alignment with externally enabling initiatives such as the security development lifecycle (SDL) framework, testing and others.
The SDL framework provides a measurable, repeatable and evolvable approach for developing and delivering secure products and services. It encompasses the design and implementation of processes, information and technology, the goal of which is to enable the realization