eGovernment Resource Centre - Victoria, Australia

NISTIR 7628 Guidelines for Smart Grid Cyber Security

The Smart Grid Interoperability Panel – Cyber Security Working Group

August 2010

U. S. Department of Commerce, National Institute of Standards and Technology

Executive Summary

The United States has embarked on a major transformation of its electric power infrastructure. This vast infrastructure upgrade—extending from homes and businesses to fossil-fuel-powered generating plants and wind farms, affecting nearly everyone and everything in between—is central to national efforts to increase energy efficiency, reliability, and security; to transition to renewable sources of energy; to reduce greenhouse gas emissions; and to build a sustainable economy that ensures future prosperity. These and other prospective benefits of "smart" electric power grids are being pursued across the globe.

Steps to transform the nation's aging electric power grid into an advanced, digital infrastructure with two-way capabilities for communicating information, controlling equipment, and distributing energy will take place over many years. In concert with these developments and the underpinning public and private investments, key enabling activities also must be accomplished. Chief among them is devising effective strategies for protecting the privacy of Smart Grid-related data and for securing the computing and communication networks that will be central to the performance and availability of the envisioned electric power infrastructure. While integrating information technologies is essential to building the Smart Grid and realizing its benefits, the same networked technologies add complexity and also introduce new interdependencies and vulnerabilities. Approaches to secure these technologies and to protect privacy must be designed and implemented early in the transition to the Smart Grid.

This three-volume report, Guidelines for Smart Grid Cyber Security, presents an analytical framework that organizations can use to develop effective cyber security strategies tailored to their particular combinations of Smart Grid-related characteristics, risks, and vulnerabilities. Organizations in the diverse community of Smart Grid stakeholders—from utilities to providers of energy management services to manufacturers of electric vehicles and charging stations—can use the methods and supporting information presented in this report as guidance for assessing risk and identifying and applying appropriate security requirements. This approach recognizes that the electric grid is changing from a relatively closed system to a complex, highly interconnected environment. Each organization's cyber security requirements should evolve as technology advances and as threats to grid security inevitably multiply and diversify.

This initial version of Guidelines for Smart Grid Cyber Security was developed as a consensus document by the Cyber Security Working Group (CSWG) of the Smart Grid Interoperability Panel (SGIP), a public-private partnership launched by the National Institute of Standards and Technology (NIST) in November 2009. The CSWG now numbers more than 475 participants from the private sector (including vendors and service providers), manufacturers, various standards organizations, academia, regulatory organizations, and federal agencies. A number of these members are from outside of the U.S.

This document is a companion document to the NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0 (NIST SP 1108), which NIST issued on January 19, 2010. The framework and roadmap report describes a high-level conceptual reference model for the Smart Grid, identifies standards that are applicable (or likely to be applicable) to the ongoing development of an interoperable Smart Grid, and specifies a set of high-priority standards-related gaps and issues. Cyber security is recognized as a critical, cross-cutting issue that must be addressed in all standards developed for Smart Grid applications. Given the transcending importance of cyber security to Smart Grid performance and reliability, this document "drills down" from the initial release of the NIST Framework and Roadmap, providing the technical background and additional details that can inform organizations in their risk management efforts to securely implement Smart Grid technologies. The Framework document is the first installment in an ongoing standards and harmonization process. Ultimately, this process will deliver the hundreds of communication protocols, standard interfaces, and other widely accepted and adopted technical specifications necessary to build an advanced, secure electric power grid with two-way communication and control capabilities. The Guidelines for Smart Grid Cyber Security expands upon the discussion of cyber security included in the Framework document. The CSWG will continue to provide additional guidance as the Framework document is updated and expanded to address testing and certification, the development of an overall architecture, and as additional standards are identified.

This document is the product of a participatory public process that, starting in March 2009, included workshops as well as weekly teleconferences, all of which were open to all interested parties. Drafts of the three volumes have undergone at least one round of formal public review. Portions of the document have undergone two rounds of review and comment, both announced through notices in the Federal Register.

The three volumes that make up this initial set of guidelines are intended primarily for individuals and organizations responsible for addressing cyber security for Smart Grid systems and the constituent subsystems of hardware and software components. Given the widespread and growing importance of the electric infrastructure in the U.S. economy, these individuals and organizations comprise a large and diverse group. It includes vendors of energy information and management services, equipment manufacturers, utilities, system operators, regulators, researchers, and network specialists. In addition, the guidelines have been drafted to incorporate the perspectives of three primary industries converging on opportunities enabled by the emerging Smart Grid—utilities and other businesses in the electric power sector, the information technology industry, and the telecommunications sector.

Following this executive summary, the first volume of the report describes the analytical approach, including the risk assessment process, used to identify high-level security requirements. It also presents a high-level architecture followed by a logical interface architecture used to identify and define categories of interfaces within and across the seven Smart Grid domains. High-level security requirements for each of the 22 logical interface categories are then described. The first volume concludes with a discussion of technical cryptographic and key management issues across the scope of Smart Grid systems and devices.

The second volume is focused on privacy issues within personal dwellings. It provides awareness and discussion of such topics as evolving Smart Grid technologies and associated new types of information related to individuals, groups of individuals, and their behavior within their premises and electric vehicles; and whether these new types of information may contain privacy risks and challenges that have not been legally tested yet. Additionally, the second volume provides recommendations, based on widely accepted privacy principles, for entities that participate within the Smart Grid. These recommendations include things such as having entities develop privacy use cases that track data flows containing personal information in order to address and mitigate common privacy risks that exist within business processes within the Smart Grid; and to educate consumers and other individuals about the privacy risks within the Smart Grid and what they can do to mitigate these risks.

The third volume is a compilation of supporting analyses and references used to develop the high-level security requirements and other tools and resources presented in the first two volumes. These include categories of vulnerabilities defined by the working group and a discussion of the bottom-up security analysis that it conducted while developing the guidelines. A separate chapter distills research and development themes that are meant to present paradigm changing directions in cyber security that will enable higher levels of reliability and security for the Smart Grid as it continues to become more technologically advanced. In addition, the third volume provides an overview of the process that the CSWG developed to assess whether standards, identified through the NIST-led process in support of Smart Grid interoperability, satisfy the high-level security requirements included in this report.

Beyond this executive summary, it is assumed that readers of this report have a functional knowledge of the electric power grid and a functional understanding of cyber security.

Content of the Report

Volume 1 – Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements

  • Chapter 1 – Cyber Security Strategy includes background information on the Smart Grid and the importance of cyber security in ensuring the reliability of the grid and the confidentiality of specific information. It also discusses the cyber security strategy for the Smart Grid and the specific tasks within this strategy.
  • Chapter 2 – Logical Architecture includes a high level diagram that depicts a composite high level view of the actors within each of the Smart Grid domains and includes an overall logical reference model of the Smart Grid, including all the major domains. The chapter also includes individual diagrams for each of the 22 logical interface categories. This architecture focuses on a short-term view (1–3 years) of the Smart Grid.
  • Chapter 3 – High Level Security Requirements specifies the high level security requirements for the Smart Grid for each of the 22 logical interface categories included in Chapter 2.
  • Chapter 4 – Cryptography and Key Management identifies technical cryptographic and key management issues across the scope of systems and devices found in the Smart Grid along with potential alternatives.
  • Appendix A – Crosswalk of Cyber Security Documents
  • Appendix B – Example Security Technologies and Procedures to Meet the High Level Security Requirements
  • Volume 1 is available in pdf format (3611 kb). (This document requires the use of Adobe Acrobat Reader.)

Volume 2 – Privacy and the Smart Grid

  • Chapter 5 – Privacy and the Smart Grid includes a privacy impact assessment for the Smart Grid with a discussion of mitigating factors. The chapter also identifies potential privacy issues that may occur as new capabilities are included in the Smart Grid.
  • Appendix C – State Laws – Smart Grid and Electricity Delivery
  • Appendix D – Privacy Use Cases
  • Appendix E – Privacy Related Definitions
  • Volume 2 is available in pdf format (706 kb). (This document requires the use of Adobe Acrobat Reader.)

Volume 3 – Supportive Analyses and References

  • Chapter 6 – Vulnerability Classes includes classes of potential vulnerabilities for the Smart Grid. Individual vulnerabilities are classified by category.
  • Chapter 7 – Bottom-Up Security Analysis of the Smart Grid identifies a number of specific security problems in the Smart Grid. Currently, these security problems do not have specific solutions.
  • Chapter 8 – Research and Development Themes for Cyber Security in the Smart Grid includes R&D themes that identify where the state of the art falls short of meeting the envisioned functional, reliability, and scalability requirements of the Smart Grid.
  • Chapter 9 – Overview of the Standards Review includes an overview of the process that is being used to assess standards against the high level security requirements included in this report.
  • Chapter 10 – Key Power System Use Cases for Security Requirements identifies key use cases that are architecturally significant with respect to security requirements for the Smart Grid.
  • Appendix F – Logical Architecture and Interfaces of the Smart Grid
  • Appendix G – Analysis Matrix of Interface Categories
  • Appendix H – Mappings to the High Level Security Requirements
  • Appendix I – Glossary and Acronyms
  • Appendix J – SGIP-CSWG Membership
  • Volume 3 is available in pdf format (2607 kb). (This document requires the use of Adobe Acrobat Reader.)

Added: 9 September 2010
Last updated: 9 September 2010