Please enter the URL that you'd like to shorten or click here to shorten current:
The Smart Grid Interoperability Panel – Cyber Security Working Group
U. S. Department of Commerce, National Institute of Standards and Technology
The United States has embarked on a major transformation of its electric power infrastructure. This vast infrastructure upgrade—extending from homes and businesses to fossil-fuel-powered generating plants and wind farms, affecting nearly everyone and everything in between—is central to national efforts to increase energy efficiency, reliability, and security; to transition to renewable sources of energy; to reduce greenhouse gas emissions; and to build a sustainable economy that ensures future prosperity. These and other prospective benefits of "smart" electric power grids are being pursued across the globe.
Steps to transform the nation's aging electric power grid into an advanced, digital infrastructure with two-way capabilities for communicating information, controlling equipment, and distributing energy will take place over many years. In concert with these developments and the underpinning public and private investments, key enabling activities also must be accomplished. Chief among them is devising effective strategies for protecting the privacy of Smart Grid-related data and for securing the computing and communication networks that will be central to the performance and availability of the envisioned electric power infrastructure. While integrating information technologies is essential to building the Smart Grid and realizing its benefits, the same networked technologies add complexity and also introduce new interdependencies and vulnerabilities. Approaches to secure these technologies and to protect privacy must be designed and implemented early in the transition to the Smart Grid.
This three-volume report, Guidelines for Smart Grid Cyber Security, presents an analytical framework that organizations can use to develop effective cyber security strategies tailored to their particular combinations of Smart Grid-related characteristics, risks, and vulnerabilities. Organizations in the diverse community of Smart Grid stakeholders—from utilities to providers of energy management services to manufacturers of electric vehicles and charging stations—can use the methods and supporting information presented in this report as guidance for assessing risk and identifying and applying appropriate security requirements. This approach recognizes that the electric grid is changing from a relatively closed system to a complex, highly interconnected environment. Each organization's cyber security requirements should evolve as technology advances and as threats to grid security inevitably multiply and diversify.
This initial version of Guidelines for Smart Grid Cyber Security was developed as a consensus document by the Cyber Security Working Group (CSWG) of the Smart Grid Interoperability Panel (SGIP), a public-private partnership launched by the National Institute of Standards and Technology (NIST) in November 2009.1 The CSWG now numbers more than 475 participants from the private sector (including vendors and service providers), manufacturers, various standards organizations, academia, regulatory organizations, and federal agencies. A number of these members are from outside of the U.S.
This document is a companion document to the NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0 (NIST SP 1108),2 which NIST issued on January 19, 2010. The framework and roadmap report describes a high-level conceptual reference model for the Smart Grid, identifies standards that are applicable (or likely to be applicable) to the ongoing development of an interoperable Smart Grid, and specifies a set of high-priority standards-related gaps and issues. Cyber security is recognized as a critical, cross-cutting issue that must be addressed in all standards developed for Smart Grid applications. Given the transcending importance of cyber security to Smart Grid performance and reliability, this document "drills down" from the initial release of the NIST Framework and Roadmap, providing the technical background and additional details that can inform organizations in their risk management efforts to securely implement Smart Grid technologies. The Framework document is the first installment in an ongoing standards and harmonization process. Ultimately, this process will deliver the hundreds of communication protocols, standard interfaces, and other widely accepted and adopted technical specifications necessary to build an advanced, secure electric power grid with two-way communication and control capabilities. The Guidelines for Smart Grid Cyber Security expands upon the discussion of cyber security included in the Framework document. The CSWG will continue to provide additional guidance as the Framework document is updated and expanded to address testing and certification, the development of an overall architecture, and as additional standards are identified.
This document is the product of a participatory public process that, starting in March 2009, included workshops as well as weekly teleconferences, all of which were open to all interested parties. Drafts of the three volumes have undergone at least one round of formal public review. Portions of the document have undergone two rounds of review and comment, both announced through notices in the Federal Register.
The three volumes that make up this initial set of guidelines are intended primarily for individuals and organizations responsible for addressing cyber security for Smart Grid systems and the constituent subsystems of hardware and software components. Given the widespread and growing importance of the electric infrastructure in the U.S. economy, these individuals and organizations comprise a large and diverse group. It includes vendors of energy information and management services, equipment manufacturers, utilities, system operators, regulators, researchers, and network specialists. In addition, the guidelines have been drafted to incorporate the perspectives of three primary industries converging on opportunities enabled by the emerging Smart Grid—utilities and other business in the electric power sector, the information technology industry, and the telecommunications sector.
Following this executive summary, the first volume of the report describes the analytical approach, including the risk assessment process, used to identify high-level security requirements. It also presents a high-level architecture followed by a logical interface architecture used to identify and define categories of interfaces within and across the seven Smart Grid domains. High-level security requirements for each of the 22 logical interface categories are then described. The first volume concludes with a discussion of technical cryptographic and key management issues across the scope of Smart Grid systems and devices.
The second volume is focused on privacy issues within personal dwellings. It provides awareness and discussion of such topics as evolving Smart Grid technologies and associated new types of information related to individuals, groups of individuals, and their behavior within their premises and electric vehicles; and whether these new types of information may contain privacy risks and challenges that have not been legally tested yet. Additionally, the second volume provides recommendations, based on widely accepted privacy principles, for entities that participate within the Smart Grid. These recommendations include things such as having entities develop privacy use cases that track data flows containing personal information in order to address and mitigate common privacy risks that exist within business processes within the Smart Grid; and to educate consumers and other individuals about the privacy risks within the Smart Grid and what they can do to mitigate these risks.
The third volume is a compilation of supporting analyses and references used to develop the high-level security requirements and other tools and resources presented in the first two volumes. These include categories of vulnerabilities defined by the working group and a discussion of the bottom-up security analysis that it conducted while developing the guidelines. A separate chapter distills research and development themes that are meant to present paradigm changing directions in cyber security that will enable higher levels of reliability and security for the Smart Grid as it continues to become more technologically advanced. In addition, the third volume provides an overview of the process that the CSWG developed to assess whether standards, identified through the NIST-led process in support of Smart Grid interoperability, satisfy the high-level security requirements included in this report.
Beyond this executive summary, it is assumed that readers of this report have a functional knowledge of the electric power grid and a functional understanding of cyber security.
Enter your email address to subscribe or unsubscribe from the eGov What's New mailing list.
Please enter email address of the person you wish to send this page to.