Better Safe Than Compliant
Protecting the smart grid requires a broader strategy.
CIPs, which tend to be more of a required minimum.
An effective, comprehensive tiered defense structure functions on four primary levels:
1) Risk framework: The foundation for an effective security approach is to evaluate your assets and identify those that are most critical (i.e., critical data stores, the assets most important to the utility’s core purpose, etc.). Then, with these assets in mind, identifying the key threats to the utility and the vulnerabilities of concern can lead to a comprehensive security defense focused on protecting the critical assets.
2) Administrative security: Policies and standards for the organization and its vendors to maintain a secure network, including development of a robust program, identification of leadership, determination of key smart grid assets, a security exception management process, an information protection program, policies on change control and configuration management, an audit and oversight function, and properly trained personnel.
3) Physical security: Protection of critical assets and smart grid components and systems from direct physical attack or environmental impact by use of fences, surveillance systems, robust component design, and alert systems.
4) Logical security: Processes and steps to protect the digital data flowing through the system, including encryption, authentication requirements, application security controls, security patches, malware and maintenance-hook removal, and testing and hardening.
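The risk framework in level 1 is a procedure (rank assets by their importance to the core purpose, then map threats and vulnerabilities onto them, then focus defenses where risk is highest). The following is an added example of that procedure as a small risk register; it is not code from the article or from any utility. The asset names, the 1-5 scoring scale, the threat likelihoods, the exposure values and the risk threshold are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# All scores use an assumed 1-5 scale; the sample values below are constructed.
@dataclass(frozen=True)
class Asset:
    name: str
    impact: int              # importance to the utility's core purpose (1-5)

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int          # how likely the threat is to be attempted (1-5)

@dataclass(frozen=True)
class Vulnerability:
    asset: str
    threat: str
    exposure: int                           # how exposed the asset is today (1-5)
    planned_control: Optional[str] = None   # control that will reduce exposure
    residual_exposure: Optional[int] = None # exposure once the control is in place

def risk_score(impact: int, likelihood: int, exposure: int) -> int:
    """Impact x likelihood x exposure; a simple multiplicative scoring (assumed)."""
    return impact * likelihood * exposure

def prioritize(assets: List[Asset], threats: List[Threat],
               vulns: List[Vulnerability], threshold: int = 40) -> List[dict]:
    """Return one row per asset/threat pair, highest current risk first.

    Each row carries the current score, the residual score after the planned
    control, and whether the residual risk is within the accepted threshold.
    """
    impact = {a.name: a.impact for a in assets}
    likelihood = {t.name: t.likelihood for t in threats}
    rows = []
    for v in vulns:
        current = risk_score(impact[v.asset], likelihood[v.threat], v.exposure)
        residual_exp = v.exposure if v.residual_exposure is None else v.residual_exposure
        residual = risk_score(impact[v.asset], likelihood[v.threat], residual_exp)
        rows.append({
            "asset": v.asset, "threat": v.threat, "control": v.planned_control,
            "current": current, "residual": residual,
            "accepted": residual <= threshold,
        })
    # Stable sort: ties keep register order, so the first-listed asset wins a tie.
    rows.sort(key=lambda r: r["current"], reverse=True)
    return rows

def gaps(rows: List[dict]) -> List[dict]:
    """Pairs whose residual risk still exceeds the threshold after planned controls."""
    return [r for r in rows if not r["accepted"]]

# Constructed register: three assets, three threats, five asset/threat exposures.
ASSETS = [Asset("EMS/SCADA master", 5), Asset("AMI head-end", 4), Asset("Corporate mail", 2)]
THREATS = [Threat("remote intrusion", 4), Threat("insider misuse", 3), Threat("physical tamper", 2)]
VULNS = [
    Vulnerability("EMS/SCADA master", "remote intrusion", 4, "segmentation + MFA", 1),
    Vulnerability("EMS/SCADA master", "insider misuse", 3, "change control + audit", 2),
    Vulnerability("AMI head-end", "remote intrusion", 5),            # no control planned yet
    Vulnerability("AMI head-end", "physical tamper", 3, "fencing + surveillance", 1),
    Vulnerability("Corporate mail", "remote intrusion", 5),
]

if __name__ == "__main__":
    register = prioritize(ASSETS, THREATS, VULNS)
    for r in register:
        print(f'{r["current"]:>3} -> {r["residual"]:>3}  {r["asset"]} / {r["threat"]}')
    print("still above threshold:", [g["asset"] for g in gaps(register)])
```

The point of the `gaps` view is the one the paragraph makes: the register shows where spending should go first (the unprotected AMI head-end outranks the mail system even though both currently score the same against remote intrusion), and it does so before any compliance paperwork is written.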
Constant vigilance will be required to maintain cyber security, including focused awareness of the threats, continuous monitoring for intrusion or abnormalities, real-time reporting and monitoring of metrics, and preparing and rehearsing an incident management and recovery plan.
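"Continuous monitoring for intrusion or abnormalities" and "real-time reporting of metrics" are easier to picture with a concrete baseline to compare against. The example below is added here and is not the article's or any vendor's code: it parses a constructed control-command audit log (the line format, host names and point names are invented for the example), checks each write command against an assumed baseline (which hosts may issue writes, the expected maintenance window, and a per-host burst limit), and produces both findings and summary metrics.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not a real product's format): timestamp, source host,
# command, target point. One write from an unexpected host, one outside the window,
# and a rapid burst of writes from an operator console are planted for the example.
SAMPLE_LOG = """\
2024-03-04T01:58:10Z host=ems-ops-01 cmd=READ  point=SUB7.BRK12
2024-03-04T02:05:00Z host=ems-ops-01 cmd=WRITE point=SUB7.BRK12
2024-03-04T02:05:30Z host=eng-laptop-9 cmd=WRITE point=SUB7.BRK12
2024-03-04T02:06:00Z host=ems-ops-01 cmd=WRITE point=SUB7.BRK13
2024-03-04T02:06:02Z host=ems-ops-01 cmd=WRITE point=SUB7.BRK14
2024-03-04T02:06:03Z host=ems-ops-01 cmd=WRITE point=SUB7.BRK15
2024-03-04T02:06:04Z host=ems-ops-01 cmd=WRITE point=SUB7.BRK16
2024-03-04T02:06:05Z host=ems-ops-01 cmd=WRITE point=SUB7.BRK17
2024-03-04T09:30:00Z host=ems-ops-02 cmd=WRITE point=SUB7.BRK12
"""

# Assumed baseline policy for the example: who may write, when, and how fast.
AUTHORIZED_WRITERS = {"ems-ops-01", "ems-ops-02"}
MAINTENANCE_WINDOW = (2, 4)   # WRITE commands expected only from 02:00 to 04:00 UTC
BURST_LIMIT = 4               # more than this many WRITEs from one host in 60 s is abnormal

LINE_RE = re.compile(r"^(\S+) host=(\S+) cmd=(\S+)\s+point=(\S+)$")

def parse(log_text: str) -> list:
    """Turn audit lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "host": m.group(2), "cmd": m.group(3), "point": m.group(4)})
    return events

def detect(events: list) -> list:
    """Compare every WRITE against the baseline; return (finding_type, host, point) tuples."""
    findings = []
    recent_writes = defaultdict(list)   # host -> timestamps of writes in the last 60 s
    for e in events:
        if e["cmd"] != "WRITE":
            continue                      # reads are normal at any time in this baseline
        if e["host"] not in AUTHORIZED_WRITERS:
            findings.append(("unauthorized_writer", e["host"], e["point"]))
        if not (MAINTENANCE_WINDOW[0] <= e["ts"].hour < MAINTENANCE_WINDOW[1]):
            findings.append(("write_outside_window", e["host"], e["point"]))
        cutoff = e["ts"] - timedelta(seconds=60)
        recent_writes[e["host"]] = [t for t in recent_writes[e["host"]] if t > cutoff]
        recent_writes[e["host"]].append(e["ts"])
        if len(recent_writes[e["host"]]) > BURST_LIMIT:
            findings.append(("write_burst", e["host"], e["point"]))
    return findings

def metrics(events: list, findings: list) -> dict:
    """Summary counters suitable for a real-time dashboard or periodic report."""
    return {
        "writes_by_host": Counter(e["host"] for e in events if e["cmd"] == "WRITE"),
        "findings_by_type": Counter(f[0] for f in findings),
        "events_total": len(events),
    }

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    found = detect(evs)
    for f in found:
        print("ALERT", *f)
    print(metrics(evs, found))
```

Each check is a comparison against something the utility decided in advance (the authorized hosts, the window, the limit), which is what makes the alerts actionable; the metrics are what a "real-time reporting" view would plot over time so that drift in the baseline itself becomes visible.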
To address and move beyond current compliance and oversight standards, utilities will need to expand their focus. Basic NERC CIP compliance should be extended to cover non-routable protocols and associated electronics and systems that are important to the control and reliability of the electric grid. Regulators also should adopt a performance-based oversight and assessment scheme to focus on a utility’s actual security posture and performance, rather than on the quality or content of its supporting paperwork. In other words, utilities should first spend their resources on identifying and protecting the critical assets, then complete the NERC CIP paperwork.
Additionally, the industry should consider risk-based security practices from other industries, such as defense, banking, and financial services, including improved monitoring and alerting capabilities in a holistic, risk-based perspective.
Utilities should implement best practices defined by internationally recognized ISO standards, such as ISO27001/2, that are focused on risk management and will establish a base of fundamental performance-oriented security practices on which the organization can build.
Finally, we should learn lessons from industrial controls failures and data breach investigations. As the strategies, tactics and technologies used by those attempting to invade secure systems evolve, an important industry-wide response by security professionals is to gather information about attempted and successful invasions as a basis for updating and adjusting standards and procedures. Utilities will move to a higher level of preparedness by participating in this process.
The deployment of the smart grid will bring an increasingly complex command, control and information system and a multiplicity of new communications paths with two-way data flows. This is likely to