Gaithersburg, MD, U.S.A. — (METERING.COM) — July 15, 2010 – The United States National Institute of Standards and Technology (NIST) has issued its “Guidelines for Smart Grid Cyber Security” Version 1.0 setting out an overall cyber security strategy and guidelines for parties involved in the development of the smart grid.
The three volume publication extending, with appendices, to almost 600 pages (NISTIR 7628, still in draft form), presents a comprehensive analysis of smart grid security issues and guidance for assessing risk and selecting the appropriate security requirements, and is the outcome of an extensive consultation process by the more than 450 strong Smart Grid Interoperability Panel–Cyber Security Working Group (SGIP-CSWG, formerly the Cyber Security Coordination Task Group) (see Expanded smart grid cyber security strategy and requirements released).
The chair of the SGIP-CSWG is NIST senior cyber security strategist Annabelle Lee, with Alan Greenberg (Boeing), Dave Dalva (CISCO Systems), and Bill Hunteman (Department of Energy) as the vice chairs.
Volume 1, "Smart Grid Cyber Security Strategy," comprises an overview of the cyber security strategy, a high level logical architecture for the smart grid, and a discussion of privacy and the smart grid. Volume 2, “Security Architecture and Security Requirements,” includes the logical reference model and high level security requirements, and Volume 3, “Supportive Analyses and References,” contains the detailed analyses used to select and modify the security requirements included in Volume 2.
The smart grid cyber security strategy presented is based around five tasks: Selection of use cases with cyber security considerations; performance of a risk assessment; specification of high level security requirements; development of a logical reference model and assessment of smart grid standards; and finally conformity assessment. In addition a privacy impact assessment is required in specifying the security requirements.
Based on the logical reference model, 19 high level security requirements are identified, as follows:
- Access control
- Awareness and training
- Audit and accountability
- Security assessment and authorization
- Configuration management
- Continuity of operations
- Identification and authentication
- Information and document management
- Incident response
- Smart grid information system development and maintenance
- Media protection
- Physical and environmental security
- Security program management
- Personnel security
- Risk management and assessment
- Smart grid information system and services acquisition
- Smart grid information system and communication protection
- Smart grid information system and information integrity
The document also identifies technical cryptographic and key management issues across the scope of systems and devices found in the smart grid along with potential alternatives
Finally the document notes outstanding areas of work, including combined cyber-physical attacks, and R&D on synchrophasor security, anonymization, and use of IPv6 in large scale real time control systems among other topics.
The smart grid cyber security initiative forms part of the NIST’s smart grid interoperability standards project, under which the development of smart grid standards is being accelerated.