Washington, DC, U.S.A. — (METERING.COM) — September 6, 2010 – The U.S. National Institute of Standards and Technology (NIST) has issued the first “Guidelines for Smart Grid Cyber Security,” presenting an analytical framework that organizations can use to develop effective cyber security strategies.
The three-volume publication (NISTIR 7628), which with appendices runs to almost 600 pages, includes high-level security requirements, a framework for assessing risks, an evaluation of privacy issues at personal residences, and additional information for businesses and organizations to use as they craft strategies to protect the modernizing power grid from attacks, malicious code, cascading errors, and other threats.
The product of two formal public reviews and the focus of numerous workshops and teleconferences over the past 17 months, the document is intended to help each organization develop its own smart grid cyber security strategy focused on prevention, detection, response and recovery.
The guidelines identify 137 interfaces, that is, points of data exchange or other types of interaction within or between different smart grid systems and subsystems. Each interface is assigned to one or more of 22 logical interface categories on the basis of shared or similar functional and security characteristics. The high-level security requirements, which are described for each of these 22 logical interface categories, are organized under the following topics:
- Cyber security objectives
- Confidentiality, integrity, and availability impact levels
- Impact levels for the CI&A categories
- Selection of security requirements
- Security requirements example
- Recommended security requirements
- Access control
- Awareness and training
- Audit and accountability
- Security assessment and authorization
- Configuration management
- Continuity of operations
- Identification and authentication
- Information and document management
- Incident response
- Smart grid information system development and maintenance
- Media protection
- Physical and environmental security
- Security program management
- Personnel security
- Risk management and assessment
- Smart grid information system and services acquisition
- Smart grid information system and communication protection
- Smart grid information system and information integrity
In all, the report details 189 high-level security requirements, each applicable either to the entire smart grid or to particular parts of the grid and their associated interface categories.
The report also includes a description of the risk assessment process used to identify the requirements; a discussion of technical cryptographic and key management issues across the scope of smart grid systems and devices; and initial recommendations for addressing privacy risks and challenges pertaining to personal residences and electric vehicles. Further, there is an overview of the process that was developed to assess whether existing or new standards that enable smart grid interoperability also satisfy the high level security requirements included in the report, and a summary of research needs.
“These advisory guidelines are a starting point for the sustained national effort that will be required to build a safe, secure and reliable smart grid,” said George Arnold, NIST’s national coordinator for Smart Grid interoperability. “They provide a technical foundation for utilities, hardware and software manufacturers, energy management service providers, and others to build upon. Each organization’s implementation of cyber security requirements should evolve as technology advances and new threats to grid security arise.”
The guidelines were developed by the Cyber Security Working Group (CSWG) of the Smart Grid Interoperability Panel, which now numbers more than 475 participants and has been chaired by NIST’s Annabelle Lee and, latterly, Marianne Swanson.
NIST was mandated under the Energy Independence and Security Act of 2007 to coordinate the development of a framework for an end-to-end safe, secure and interoperable smart grid.