Mariana Hentea - Building an Effective Security Program for Distributed Energy Resources and Systems


Building an Effective Security Program for Distributed Energy Resources and Systems: summary, description, and annotation


Build a critical and effective security program for DERs

This publication educates engineers on the design, implementation, and maintenance of a security program for distributed energy resources (DERs), smart grid, and industrial control systems. Building an Effective Security Program for Distributed Energy Resources and Systems provides a unified approach to establishing a critical security program for DER systems and Smart Grid applications. The methodology provided integrates systems security engineering principles, techniques, standards, and best practices.

The publication guides security professionals in learning the specific requirements of industrial control systems and real-time constrained applications. It also outlines the functions of the security program as well as the scope and differences between traditional IT system security requirements and those required for industrial control systems such as SCADA systems. This book:

Addresses the cybersecurity needs for DERs and power grid as critical infrastructure

Explores the assessment and management of security risks and ethical concerns

Offers a full array of resources: cybersecurity concepts, frameworks, and emerging trends.

Security professionals and engineers can use Building an Effective Security Program for Distributed Energy Resources and Systems as a reliable resource that’s dedicated to the essential topic of security for distributed energy resources and power grid. They will find standards, guidelines, and recommendations from standard organizations, such as ISO, IEC, NIST, IEEE, ENISA, ISA, ISACA, and ISF, conveniently included for reference within chapters.

Building an Effective Security Program for Distributed Energy Resources and Systems: online preview excerpt


The destruction of power grid systems and assets would have a debilitating impact on energy security, economic security, public health, or safety. With a system that handles power generation, transmission, and distribution, security responsibility extends beyond the traditional walls of the data center. An intruder can, intentionally or unintentionally, cause a power line to be energized that would endanger lives. Similarly, a power line may be de‐energized in such a way as to cause damage to transmission and control systems and possibly endanger the safety of employees and the public. Therefore, each organization should develop its own policy to protect assets, employees, and the general public who are at risk when human (intentional or unintentional) threats or natural disasters occur. Each organization should develop its own cybersecurity strategy for the implementation of a security program. Cybersecurity must address not only deliberate attacks launched by disgruntled employees, agents of industrial espionage, and terrorists but also inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters [NISTIR 7628].

A security program is a plan or outline that must cover security governance, planning, prevention, operations, incident response, and business continuity. Variants of Smart Grid implementations have already been rolled out in various jurisdictions across the United States as well as the rest of the world for several years. The window of opportunity to integrate security into the Smart Grid from the beginning is shrinking fast. However, it is also necessary to understand the interdependency and mutual vulnerability of the wholesale electric grid and the wholesale electric market in maintaining the security and stability of the smart power grid. Market participants are required to ensure protection of their critical cyber assets and to support an appropriate security program.

A security program needs to be built using the security engineering approach. This requires focus on building systems to remain dependable in the face of malice, error, or mischance [Anderson 2008]. Also, the successful implementation of a security program requires certain basic functions that should be included in any budget allocation [Whitman 2014].

2.7.2 Privacy Program

As new capabilities are included in the Smart Grid, potential new privacy concerns will emerge for which no legal mitigation currently exists. A significant number of privacy breaches occur not because of an attack but through noncompliance with privacy policy or having no policy. For example, a laptop that has a copy of PII data becomes a privacy breach if the laptop is improperly disposed of, lost, or stolen. Hence, measures for protection of privacy have to be designed and implemented too. Thus, a privacy program should be planned, designed, implemented, and maintained. Factors that should be considered in the design of a security program include the following:

Privacy rights continue to evolve by legislation, litigation, and regulation, and the data gathered will be subject to the relevant jurisdiction(s).

Anonymization: If private information is not properly anonymized, even data like electrical appliance usage or electric vehicle charging schedules may constitute a privacy violation. In the electrical sector, the ownership and rights associated with PII vary by jurisdiction. In some jurisdictions, the person owns their data, while in other jurisdictions, ownership is less clear. For example, a utility that gathers contact and other information for billing purposes may be restricted in use of the PII for any other purposes without consent of the customer; possession of the data is not the same as ownership.

Technologies and capabilities: Advancing technologies such as data mining and pattern recognition can be used to identify persons when customer data and energy data are analyzed. By recognizing electric signatures of smart appliances and developing detailed, time‐stamped activity reports, utilities or third‐party service providers can determine lifestyle details that could be legitimately characterized as PII in most jurisdictions.

Dedicated privacy group with its own management: Although in many organizations the security group supports the privacy requirements, the future demands more responsibility and accountability for the implementation of data privacy, specifically in smaller‐size enterprises, and calls for the establishment of a dedicated privacy group with its own management [Shei 2013]. Organizations have to understand that security is only one aspect of privacy and that privacy protection implies organization and business decisions.

Ensuring privacy requires a bundle of technologies, policies, culture, regulations, and harmony between many business units from security to legal to human resources to employees [Shei 2013]. Examples of guidelines and recommendations for the protection of privacy data and harmonization of disparities in national privacy regulations are documented in [OECD 2013].

Currently, many countries, organizations, and associations support efforts to empower and educate people to protect their privacy, control their digital footprint, and make the protection of privacy and data a great priority in their lives. In the United States, the National Cyber Security Alliance mandates that [NCSA 2014]:

Everyone – from home computer users to multinational corporations – needs to be aware of the personal data others have entrusted to them and remain vigilant and proactive about protecting it.

This document [NISTIR 7628r1] provides definitions, requirements, safeguards, and use case impacts of privacy breaches. Privacy considerations with respect to the Smart Grid include four aspects: privacy of personal information, privacy of the person, privacy of personal behavior, and privacy of personal communications.

A privacy policy framework for the Smart Grid and for smart homes is suggested in [GridWise 2011]. This framework is limited and addresses only consumer privacy issues that arise from the collection, use, and retention of such data no matter from what source it is collected.

In this book, we do not focus on engineering a privacy program, although some approaches used in engineering the security program could be used for building a privacy program.

2.8 Standards, Guidelines, and Recommendations

A revised NIST document [NISTIR 7628r1] promotes a new cybersecurity framework to protect the Smart Grid. A current list of standards is available. Many accelerated standards and guidelines are focused on topics such as:

Metering

Data usage information

Electric vehicles

Pricing

Demand response

Substation communication

Energy storage

Renewables.

2.8.1 Electricity Sector Guidance

In the United States, the DOE envisions a robust, resilient energy infrastructure in which continuity of business and services is maintained through secure and reliable information sharing, effective risk management programs, coordinated response capabilities, and trusted relationships between public and private security partners at all levels of industry and government [DOE 2015c].

Within the electricity subsector, the FERC is focused on the development of key standards to achieve interoperability and functionality of Smart Grid systems and devices [FERC 2009]. FERC certified the North American Electric Reliability Corporation (NERC) as the Electric Reliability Organization that is responsible for developing reliability standards, subject to FERC oversight, review, and approval.

NERC developed the critical infrastructure protection (CIP) standards [NERC CIP], which FERC approved in 2008. The NERC CIP standards suite is composed of a whole family of standards that are continuously revised and changed. These standards were originally devised and implemented to prevent big blackouts – so they are considered both rigorous and heavily enforced only for bulk power systems (generation and transmission).
