Data‐intensive computing and real‐time processing of massive data streams are required by more applications. The North American electric power grid operations generate 15 terabytes of raw data per year, and estimates for analytic results from control, market, maintenance, and business operations exceed 45 Tbytes/day. As developers add new high‐resolution sensors to the grid, this data volume is increasing rapidly. Data‐intensive problems challenge conventional computing architectures with demanding CPU, memory, and I/O requirements.
Network changes and adoption of new services are determined by the increasing amounts of data collected from sensors, home devices, and power devices that demand reliable and faster communication networks. Profound changes are beginning to occur in public networks, data centers, and enterprise networks such as upgrades of major carrier backbones to higher data rates and the replacement of infrastructure based on old technologies for core networking/transport. Adoption of new services is facilitated by the migration to new protocols (e.g. IPv6, SIP, MIP (MIPv4, MIPv6)) and the emergence of Web services.
Home networking is taking a step toward next‐generation unified home networking technology, which enables operation over all types of in‐home wiring (phone line, power line, coaxial cable, and Cat‐5 cable) using a single transceiver with a few programmable parameters to connect home devices. Thus, new threats and vulnerabilities may affect smart meters and DER devices installed for customer energy management.
Virtualization is being adopted as a standard for businesses, but the tools and technologies for addressing the security issues are relatively immature or not consolidated to offer sound security solutions. Although the advantages of virtualization are not disputed (examples include reductions in energy costs that are causing more organizations to consider virtual environments), the protection of a virtual computer hardware platform, OS, storage device, or computer network resources requires attention.
A virtual organization entity is formed whenever a developer creates an application or a workflow that features autonomous services owned by multiple organizations, each of which shares some proprietary services and part of its own knowledge. However, a virtual organization introduces security concerns. For example, traditional access control methods based on the identity of each user in a virtual organization do not scale as the number of users and services increases, especially when the population of users and services is highly dynamic as in the Smart Grid environment.
Deperimeterization is a process that causes the boundaries between systems and organizations to disappear; in this process, they become connected and fragmented at the same time. The most obvious problem is how to reorganize the security. Deperimeterization implies not only that the border of the organization's IT infrastructure becomes blurred but also that the border of the organization's accountability fades.
Global challenges influence the nature of the organization, and the scope of information processing has evolved; managing information security is not just enforcing restrictions to maintain information security services such as confidentiality, integrity, availability, and non‐repudiation. In the new millennium, there are demands for more responsibility, integrity of people, trustworthiness, and ethicality [Dhillon 2001]. The most relevant global challenges include poor software quality, weaknesses of protocols, and services.
The Internet has become a critical infrastructure because societies and economies are converging on the Internet, and the distinction between physical and virtual worlds is blurring.
2.5 Security as a Personal, Organizational, National, and Global Priority
The increased use of information systems is generating many benefits, but it has created an ever larger gap between the need to protect systems and the degree of protection. Society, including business, public services, and individuals, has become very dependent on technologies that are not yet sufficiently dependable. Often, information systems are vulnerable to attacks or failures. Certain information systems, both public and private, such as those used in the power grid, military or defense installations, nuclear power plants, hospitals, transport systems, and securities exchanges, offer fertile ground for antisocial behavior or terrorism. However, users need to have confidence that information systems will operate as intended without unanticipated failures or problems to personal security and privacy.
2.5.1 Security as Personal Priority
The right to security of the person is guaranteed by Article 3 of the Universal Declaration of Human Rights [UN 1948] that reads:
Everyone has the right to life, liberty and security of person.
Article 12 of this document reads:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
With the proliferation of computers, the right to privacy of the individual is threatened by the use of information due to the new technology and the Internet. As a result, privacy policies (such as those described in [OECD 1980]) have been adopted in many countries around the world. Other publications assess the impact of technology on the private lives of people (e.g. [Britz 1996]).
2.5.2 Protection of Private Information
In 2010, the OECD celebrated the 30th anniversary of the guidelines for protection of privacy and flows of personal data [OECD 1980] through a series of events and papers such as [OECD 2011]. This report presents an overview of other documents that were published after the guidelines (e.g. [OECD 2002], [OECD 1999]). Also, it provides an analysis of the importance of the privacy guidelines document of 1980. The report shows that there were still privacy risks for organizations, individuals, and society even 30 years after the publication of the guidelines in 1980. Examples of risks and issues include the following [OECD 2011]:
Certain risks associated with privacy have increased as a result of the shift in scale and volume of personal data flows and the ability to store data indefinitely.
Definition of personal data in the guidelines is broad (any information related to an identified or identifiable individual). Given the current power of analytics and the apparent limitations of anonymization techniques, this means vast amounts of data potentially now fall under the scope of privacy regimes.
An increasing economic value of personal data gives rise to concerns related to the security of personal data, unanticipated uses, monitoring, and trust.
Organizations often retain large amounts of personal data for various purposes.
High‐profile data breaches have shone a light on the challenges of safeguarding personal data; concepts of data controller and data processor raise new concerns.
An increasing concern that the long‐standing territorial/regional approaches to data protection may no longer be sufficient as the world increasingly moves online and data is available everywhere, at any time.
Uncertainty over questions of applicable law, jurisdiction, and oversight on the global nature of data flows; some organizations may not always be able or willing to tailor their services to meet the specific needs of each jurisdiction.
Differences that remain among various national and regional approaches to data protection, which are more noticeable when applied to global data flows.