State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to self-regulate, and another approach...
Better Safe Than Compliant
Protecting the smart grid requires a broader strategy.
result of secure two-way data flow throughout a system of meters, switches, gateways, SCADA/EMS control centers, databases and energy sources, the entire system must be viewed holistically and the data must be protected from the meter to the utility and back. In addition, utilities and regulators will need to take a new holistic view of resource allocation and performance expectations, balancing—or allowing the market to balance—benefits, risks and costs.
As Gartner Research observed in its April 2010 report The Myth of Smart Grid Security, “There is no such thing as perfect security, and residual risk will always be an issue. Utilities need to assess the risks and make good decisions over which controls are reasonable and appropriate to their situation.” Of course, this approach might be problematic with the regulators. However, simple legislation and adding more rules might not help fill the gap in maintaining the security of the transmission and distribution grids. Therefore, there needs to be a balance between the accountability on which regulatory systems rely and the flexibility needed to respond to changing risks.
The weakest link in this chain will be different in every system and will change from day to day. Each link could present a vulnerability that allows penetration by outsiders, or an opening for damaging mistakes by employees. But both cyber- and physical security vigilance across this system will be the price for the immense opportunities of real-time pricing, load and consumption management, cost savings, improved environmental impact, and more effective distributed power integration.
The industry has taken productive initial steps to increase cyber security vigilance with NERC CIP mandates—which don’t directly address all smart grid deployments because of the NERC CIP focus on the bulk electric system. These actions have included participation in the NERC Smart Grid Task Force, the NIST Smart Grid Cyber Security Working Group, and GridWise, to name a few.
But in the intensive next phases of work to be done to protect the confidentiality, integrity, and availability of the smart grid’s two-way data streams, the industry needs to consider a risk-based, holistic security approach that’s more consistent with major global standards, such as ISO 27001 and NIST SP 800-39, which are used across many industries worldwide.
Work is underway on that front. “NERC recognizes that there needs to be additional emphasis on identifying critical assets and increasing the focus on risk-based approaches to security,” observes Mark Weatherford, NERC vice president and chief security officer. “NERC, DOE, NIST and selected utilities are currently working together in a public-private collaboration to develop cyber security risk management guidelines that provide a consistent, repeatable, and adaptable process for the entire electricity sector. These voluntary guidelines sit on top of current CIP standards and will enable organizations to proactively manage risk.”
Tiered Defense & Tools
In implementation, utility smart grid deployments must be able to contend with potential threats on three levels: administrative, physical and logical security. In assuring the adequacy and currency of implementation, utilities and regulators must develop an expanded focus with a range of evaluation and oversight requirements that go beyond the current NERC