NIST task group outlines security tactics for Smart Grid
The plan, key to the grid’s interoperability, is open for public comment
The cybersecurity working group developing a security architecture for the Smart Grid has released a preliminary report for public comment that outlines how security requirements will be incorporated into the design of the nation’s next-generation power-distribution system.
“With the Smart Grid’s transformation of the electric system to a two-way flow of electricity and information, the information technology (IT) and telecommunications infrastructures have become critical to the energy-sector infrastructure,” the Smart Grid Cyber Security Coordination Task Group said in Interagency Report 7628, titled Smart Grid Cyber Security Strategy and Requirements. “Therefore, the management and protection of systems and components of these infrastructures must also be addressed by an increasingly diverse energy sector. To achieve this requires that security be designed in at the architectural level,” the report added.
The security plan is a critical part of the Smart Grid interoperability effort being spearheaded by the National Institute of Standards and Technology (NIST). It is being developed in conjunction with the Smart Grid interoperability framework, a first draft of which was released last week by NIST. The 236-page security document, which includes a comprehensive set of security requirements, is a work in progress, and a second draft is expected to be posted for comment in December. Annabelle Lee, senior cybersecurity strategist at NIST’s Computer Security Division, said the document is expected to be finalized by March.
The Smart Grid program was established in the Energy Independence and Security Act of 2007, which mandated that security be built into the system that would use intelligent networking and automation to better control the flow and delivery of electricity to consumers. This would require a two-way flow of electricity and information between the power plant and the end user, as well as points in between.
“History has shown that you can’t add security later” to complex systems, said George Arnold, NIST deputy director of technical services, who is leading the effort to define Smart Grid interoperability standards. “We’re putting the security architecture and requirements up front.”
“This is very different for us,” Lee said. The Computer Security Division traditionally has been called upon to develop security standards and requirements for systems that already have been deployed.
The draft contains the overall security strategy for the Smart Grid and the products developed from this strategy. Comments on the report should be sent by Nov. 25 to firstname.lastname@example.org.
Smart Grid security requirements will be developed for specific domains, business and mission functions, and interfaces, as well as for the overall grid. But they are being developed at a high level and will not be spelled out for specific systems or components because of the impossible complexity of that job. The security requirements and architecture will address not only deliberate attacks, but errors, failures and natural disasters that also could destabilize the grid.
The security architecture being developed will identify interfaces between functional domains of the new grid, and categorize them according to the importance of their data accuracy and availability. The constraints, issues and impacts of breaches at these interfaces will be considered for each category, and security requirements will be developed.
The next steps in developing the security plan after the architecture is finalized will be to assess existing standards that could apply to security requirements, to identify gaps where adequate standards do not exist, and to assess development of new standards to address those gaps.