Securing Tomorrow's Grid (Part I)
Protecting smart systems against cyber threats.
the utility through the advanced metering infrastructure (AMI) or through the Internet using customer-selected third-party service providers. The two-way flow of information allows utilities, customers and even third-party service providers to actively participate in energy markets. For example, dynamic price signals sent to customers’ smart meters through a utility’s AMI will empower electricity consumers to better manage their electricity use or even approve utility-initiated changes to energy usage, often in return for a better electric rate. In turn, this information exchange will help the utility hold costs down by extending the life of its transmission infrastructure and reducing the use of inefficient peak generation capacity.
However, this detailed, two-way information exchange presents new cyber security challenges in protecting data security and customer privacy. Cyber security protections are needed not only to ensure the privacy of detailed customer data, but also to protect against malicious load manipulation that could lead to a disruption in the delivery of electricity.
Today, collaborations of utilities, vendors, academic institutions, national laboratories and government representatives are actively working to systematically address smart grid cyber security issues and provide actionable information and best practices to those designing, manufacturing, and implementing smart grid technologies and architectures.
Smart Security Goals
The electricity industry needs cyber security solutions and smart grid security implementations that achieve the following objectives: 2
• Protect all smart grid services from malicious attack and unintended adverse cyber and physical events that interrupt critical functions.
• Protect the electrical system, the people that work on it, and the people that are served by it, as well as stakeholders and their own services and assets—including networks and other technology—from harm caused by security events associated with smart grid services.
• Don’t allow smart grid services, networks, or technologies to be used as a stepping stone or conduit for attacks—or to amplify the effects of attacks—on other smart grid services, end users, external service providers (e.g., cell phone networks, ISPs), or other interconnected entities. The same should be true for natural disasters and human error.
• Ensure that sufficient information about a security event is available when and where it’s needed to support tactical decisions, such as preventing or minimizing disruption to the mission of the affected smart grid service. This includes the collection and delivery of the real-time data needed for situational awareness as well as the collection and protection of forensics data needed for post-mortem analysis.
• Ensure the integrity and availability of services and mechanisms required for system security and survivability. System security mechanisms shouldn’t provide an attack vector themselves, nor should they incorrectly respond to either malicious or benign commands in a manner that would create or worsen a security event.
As smart grid technologies are being deployed, the electric sector is collaboratively developing and demonstrating various cyber security solutions. Current case study examples illustrate how cyber security solutions are being applied in the T&D and customer domains. Specifically, home area networks help customers better understand and control their energy usage. Cyber security controls must restrict unwanted access to customers’ information