Cybersecurity for Smart Grid Systems

Smart Grid cybersecurity must address not only deliberate attacks, such as from disgruntled employees, industrial espionage, and terrorists, but also inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters. The Smart Grid Interoperability Panel (SGIP) Cyber Security Working Group (CSWG), which is led and managed by the NIST Information Technology Laboratory (ITL), Computer Security Division, is moving forward in FY 13 to address the critical cybersecurity needs in the areas of: Advanced Metering Infrastructure (AMI), encryption key management, AMI security requirements, testing criteria for remote AMI upgrades, and privacy recommendations for third party data usage. We will to continue to provide foundational cybersecurity guidance, outreach, and foster collaborations in the cross-cutting issue of cybersecurity in the Smart Grid.

Objective: To advance Smart Grid cybersecurity, including privacy, through measurement science and standards for interoperating and using AMI with the electric grid by 2014. 

What is the new technical idea? As a result of deployment of new Smart Grid technologies, the electric power industry is faced with new and changing threats, vulnerabilities, and requirements for the Smart Grid in general and in specific areas such as privacy, smart grid architecture, and AMI. Efforts to address similar issues have been underway in other sectors, such as banking, federal systems, defense networks, and industrial control systems.  The new technical idea is to adapt existing cybersecurity best practice methodologies and tools and to understand how to apply them to the electric sector, while identifying gaps and unique requirements for the grid that require new methodologies and tools.  The Cyber Security Working Group (CSWG)[1] will address these challenges through collaborations with federal agencies, academia, and industry, and through the development of guidance documents.

What is the research plan? To conduct research that will enable the development of industry standards and guidance in order to successfully implement secure Smart Grid technologies.

• Technical leadership of the CSWG: Providing cybersecurity expertise, technical leadership, and oversight required to manage the CSWG.
• Review identified standards against the high-level security requirements in NIST Interagency Report (IR) 7628, Guidelines for Smart Grid Cyber Security. Sound interoperability standards are needed to enable diverse systems and their components to work together and securely exchange meaningful, actionable information. The CSWG Standards subgroup assesses standards and other technical documents against the cybersecurity and privacy requirements from NISTIR 7268.  They then determine if a document does or should contain cybersecurity and/or privacy requirements, correlates them with NISTIR 7628 requirements, identifies any gaps, and provides recommendations for further work to mitigate gaps. 
• Further development and refinement of specific Smart Grid areas – Security Architecture, Privacy and Advanced Metering Infrastructure (AMI) requirements.
• Update NISTIR 7628: As the seminal Smart Grid cybersecurity document, it is imperative that the guide contains new high-level requirements designed to help mitigate new identified threats, privacy recommendations added to reflect new areas like third party data usage, and the security architecture that is being refined as the Smart Grid matures and the architecture is more defined.
• Lead in the areas of AMI: Finalize NISTIR 7823, Draft Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework, continue collaboration with the Department of Energy (DOE) to utilize their equipment and facilities to implement the NISTIR 7823 test framework, work with the American National Standards Institute (ANSI) to integrate the NISTIR 7823 test framework into the proposed standard on meter upgradeability, and collaborate with DOE National Electric Sector Cyber Security Organization Resource (NESCOR)[2]and the Electric Power Research Institute (EPRI)[3]on the development of an AMI encryption key management guide.

Additionally, areas of potential new work for FY14 through FY17 include:

• Secure Content Automation Protocol (SCAP) extension to cover cyber-physical systems: SCAP provides a standardized, measurable, automated method of continuous monitoring for Smart Grid components, increasing efficiency and accuracy, reducing costs of secure implementations, and improving capability and interoperability in implementations. 
• Research in lightweight, low-power cryptography: Enabling encryption for millions of smart meters and other devices for the Smart Grid with limited computational power.
• Identity management: Helping to ensure the security of customer information when dealing with utilities and third parties, as well as enabling remote authentication on anonymous devices. 

[1] The National Institute of Standards and Technology (NIST) established the Smart Grid Interoperability Panel (SGIP) CSWG in support of the Energy Independence and Security Act of 2007 to address the cross-cutting issue of cybersecurity.  The primary goal of the CSWG is to develop a cybersecurity risk management strategy for the Smart Grid to enable secure interoperability of solutions across different domains and components.

[2] NESCOR Is intended to strengthen the cybersecurity posture of the electric sector by establishing a broad-based public-private partnership with the Department of Energy (DOE) for collaboration and cooperation.

[3] EPRI is an independent, non-profit company performing research, development and demonstration in the electricity sector for the benefit of the public.

Recent Results: Recent accomplishments of the NIST Smart Grid Cybersecurity Program and CSWG include:

Output: Formal liaisons identified for each of the 14 Smart Grid Interoperability Panel (SGIP) Priority Action Plans (PAPs).

Outcome: Work products that include cybersecurity "baked in" during the development process rather than "bolted on" after. 

Output: NISTIR 7823, Draft Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework.  

Output: Outreach initiatives.

Outcome: Cybersecurity workshops in 8 states, including 4 Public Utility Commissions (PUCs), reaching over 1,000 participants across a variety of Smart Grid stakeholder groups.  Brochure about the CSWG, its efforts, and how to get involved.  "Train the Trainer" privacy briefings for utilities, consumers, and PUCs. 

Output: Electricity Sector Risk Management Process Guideline (May 2012) developed in collaboration with DOE and the North American Electric Reliability Corporation (NERC).

Outcome: Provides utilities a flexible, fundamental approach to managing cybersecurity risks through a three-tiered approach, addressing risks at the: (i) organization level; (ii) mission/ business process level; and (iii) information system level.  This process will allow a utility to better understand its risks, assess the severity, and allocate resources more efficiently to manage them.

Output: Technical white papers: 1) Smart Energy Profile (SEP) 1.x Summary and Analysis developed with the National Electric Sector Cybersecurity Organization Resource (NESCOR); 2) Automating Smart Grid Security.

Outcome: Help stakeholders understand the vulnerabilities in SEP 1.x and provide them with actionable advice on how to mitigate or minimize these vulnerabilities and extending the Security Content Automation Protocol (SCAP) to the Smart Grid.

Output: Cybersecurity reviews completed.

Outcome: Recommendations provided on over 60 standards or PAP deliverable requirements. 

Standards and Codes:  Each standard listed in the SGIP Catalog of Standards will contain a cybersecurity assessment performed by the CSWG Standards subgroup supported by this project.