Over the last couple of years we have become more involved helping companies in the Energy sector get security right. As our nation’s traditional electric grid is modernized and upgraded to the smart grid, the associated cyber security challenges continue to increase and consequences of not addressing them systematically become more significant.
Smart grid technologies introduce significant new risks. Smart grid, by design, makes extensive use of remote network connectivity, advanced communication protocols, more sophisticated hardware that is harder to configure, and more complex software. All of this added complexity and connectivity introduces additional security risk. Furthermore, smart grid technologies introduce substantial IT infrastructure into the electric utility environment, which results in both the traditional security risks with which the IT industry at large has struggled over the last two decades, as well as domain specific avenues for attack and risks inherent in the electrical utility space and smart grid components. Additionally, the rapid changes being introduced into the environment with all the new smart grid equipment and changing processes can in themselves inadvertently augment the risk exposure of electric utilities.
Software security is a significant problem for electric utilities and technology vendors. Everything from SCADA systems and Meter Data Management systems, down to field devices like smart meters, reclosers, and substation data collector units run software. Maintaining integrity of that software in this distributed system, the integrity of data and control communications, authentication, key management, and password management are all major challenges that require proper solutions adaptable to the unique constraints imposed by the environment.
It is in this environment that electric utilities and the smart grid technology vendors need to consider their overall risk posture and implement appropriate security controls to manage cyber security risks to an acceptable level. It is not possible to achieve a zero risk posture, but instead the goal should be to methodically consider the likelihood and potential impact of various security risks and have in place security controls that are capable of reducing the risk exposure to an acceptable level. The adequacy and sufficiency of the security controls need to be continuously assessed in light of new security risks and the changing environment. It is also important to recognize that failures will happen and so an organization needs to plan for them, isolate them, contain their damage, and recover from them gracefully. In other words, a risk management program is needed.
As smart grid is becoming a reality, addressing cyber security concerns holistically and systematically is a primary consideration for successful integration of these new technologies. In recognition of the importance of cyber security, the Department of Energy, which recently invested $3.4B from the American Reinvestment and Recovery Act (ARRA) to fund smart grid demonstration projects, explicitly identified cyber security in acquisition, deployment, and operation of smart grid technologies to be a top priority.
As part of its ongoing mission to provide reliable, safe and affordable electric service to rural America, the National Rural Electric Cooperative Association (NRECA), on May 16th 2011, published its Interoperability and Cyber Security Plan, Cyber Security Guide for Electric Utilities, and Cyber Security Plan Template for use by all electric utilities.
To provide practical guidance for its participating electric cooperatives, NRECA and Cigital (a part of Synopsys), the security team lead for NRECA’s smart grid demonstration project, have produced three key artifacts: The Interoperability and Cyber Security Plan (ICSP), the Cyber Security Guide for an Electric Utility, and a Cyber Security Plan Template.
The first two of these help electric utilities establish an overall culture of cyber security risk management and provide actionable “how to” guidance for security activities, best practices, and controls to mitigate cyber security risks across people, process, and technology dimensions. The Cyber Security Plan Template helps utilities to systematically baseline their existing security posture against the best practices found in the ICSP and the Cyber Security Guide, identify gaps, and then build an actionable roadmap for closing the gaps to mitigate cyber security risks, where appropriate.
The released cyber security guidance documents created have built upon guidance in NIST IR 7628, NERC CIP, as well as other industry resources and standards. They also leveraged our cyber security risk management experience gained through 20 years of security consulting and research. The goal was to create actionable, digestible, and practical guidance for electric utilities that would allow them to assess the existing maturity of their cyber security practices and technologies, and then build a plan for continuous improvement. Cyber security standards for the smart grid remain a moving target, but electric cooperatives are not waiting. The current approach to cyber security puts a stake in the ground and gives utilities something they can start with now.
The US Department of Energy has recognized the leadership position that NRECA and we have taken on cyber security and has complimented NRECA’s cyber security approach, serving as an exemplar to other Smart Grid ARRA funding recipients.
Assessing electric utility’s current cyber security maturity against recommended best practices and creating a plan for continuous improvement is only the beginning. Executing on the plan by following the mitigation roadmap is the next step. The goal is to use the plan to continue to improve the organization’s security risk posture and integrate all the new technology without negatively impacting the ability to perform the organization’s core mission. To help in that effort, we are developing additional artifacts, training materials, and services programs to help utilities successfully execute on their cyber security plans.