Figure 2.14 Interdependencies across the economy.
Source: [DHS 2010]. Public Domain.
Over the past two decades, the roles of the electricity sector stakeholders have shifted: generation, transmission, and delivery functions have been separated into distinct markets; customers have become generators using distributed generation technologies; and vendors have assumed new responsibilities to provide advanced technologies and improve security. These changes have created new responsibilities for all stakeholders in ensuring the continued security and resilience of the electric power grid.
In the United States, the Federal Energy Regulatory Commission (FERC) defines policies for Smart Grid cybersecurity. Cybersecurity is broadly understood as encompassing measures to ensure the confidentiality, integrity, and availability of the electronic information and communication systems and the control systems necessary for the management, operation, and protection of the Smart Grid's energy, IT, and telecommunication infrastructures [FERC 2009]. The Department of Energy (DOE) supports the administration's strategic, comprehensive approach to cybersecurity for the power grid. DOE also works closely with the Department of Homeland Security (DHS), industry, and other government agencies on an ongoing basis to reduce the risk of energy disruptions due to cyber attacks.
The DOE envisions a robust, resilient energy infrastructure in which continuity of business and services is maintained through secure and reliable information sharing, effective risk management programs, coordinated response capabilities, and trusted relationships between public and private security partners at all levels of industry and government [DOE 2010]. While the DOE cybersecurity roadmap provides a foundation for the development and adoption of interoperability and cybersecurity standards, the updated roadmap of 2011 [DOE 2011] goes on to recognize the advances in cybersecurity and other technology including the evolving needs of the energy sector such as the following:
Providing a broader focus on energy delivery systems, including control systems, Smart Grid technologies, and the interface of cyber and physical security – where physical access to system components can impact cybersecurity.
Building on successes and addressing gaps, which requires identifying new priorities such as enhancing vulnerability disclosure among government, researchers, and industry, and closing gaps to further advance technologies.
Responding to advancing threat capabilities by implementing enhanced security capabilities to protect energy delivery systems against threats that are becoming increasingly innovative, complex, and sophisticated.
Emphasizing a culture of security that includes training people for developing and implementing the best available security policies, procedures, and technologies tailored to the energy delivery systems operational environment.
In its broadest sense, cybersecurity for the power industry covers all issues involving automation and communications that affect the operation of electric power systems, the functioning of the utilities that manage them, and the business processes that support the customer base.
Actions to develop the Smart Grid architecture include the coordinated advancement of standards across the electric power system, including device characteristics, communication requirements, security, and other system aspects [DOE 2015a].
Implementation of cybersecurity can occur through a variety of mechanisms, including the use of standards and recommendations, enforcement of regulations, and voluntary compliance in response to business incentives. The energy sector, and specifically electrical sector organizations, can use several mechanisms for designing and implementing security and protection of energy systems. In addition, utilities, vendors, consultants, national laboratories, higher education institutions, governmental entities, and other organizations continuously contribute to and participate in the standards and guidance of the electricity sector.
Also, energy systems and networks cross national borders, making international collaboration a necessary component of the sector's efforts to develop standards to secure the energy infrastructure.
2.7 The Need for Security and Privacy Programs
A global survey was conducted on security governance, specifically on how boards of directors and senior management are governing the security of their organizations' information, applications, and networks. Of the survey respondents, 75% were from critical infrastructure companies, and they represented [Westby 2012]:
Energy and utilities companies.
Financial sector.
Healthcare.
Industrials.
IT and telecommunication companies.
The survey reveals the following issues related to the security posture of the compared industries:
Boards still are not undertaking key oversight activities related to cyber risks, such as reviewing budgets, security program assessments, and top‐level policies; assigning roles and responsibilities for privacy and security; and receiving regular reports on breaches and IT risks.
Utilities are one of the least prepared organizations when it comes to risk management [Westby 2012].
The utilities/energy sector and the industrial sector came in last in numerous areas, which is surprising given that these companies are part of critical infrastructure.
All industry sectors surveyed are not properly assigning privacy responsibilities.
Energy/utilities and IT/telecom respondents indicated that their organizations never (0%) rely upon insurance brokers to provide outside risk expertise, while the industrials sector relies upon them 100%.
Another report [GAO 2011] reveals that several security elements are missing, including:
An effective mechanism for sharing information on cybersecurity and other issues.
Cybersecurity awareness.
Security features built into Smart Grid systems.
Metrics to measure cybersecurity.
In addition, the vulnerability of the power system is not solely a matter of the electric or physical system; it is also a matter of cybersecurity. Attacks (such as attacks upon the power system, attacks by the power system, and attacks through the power system) on the Smart Grid infrastructures could cause severe damage to the economy and public safety.
Smart Grid technologies and applications like smart meters, smart appliances, or customer energy management systems create new privacy risks and concerns in unexpected ways. The privacy of consumers and individuals is of vital importance in the energy sector. Any compromise of personal data or of the security of the power service can undermine many services and applications. An incident would not only constitute a breach of privacy or of the confidentiality, integrity, or availability of the information, but it might also compromise the potential future markets the technology might have been able to create had the service been secure. Therefore, information security management principles, processes, and security architecture need to be applied to smart power grid systems without exception. All these objectives need to be included in the security program.
Cybersecurity implies the implementation of security measures (safeguards) to ensure the protection of an organization's assets (tangible and intangible), people, and safety. Tangible assets are physical assets that include power equipment, computers, devices, facilities, and supplies. Intangible assets include data, information, reputation, intellectual property, copyrights, trade secrets, business strategies, and any other information valuable to an organization.