Mariana Hentea - Building an Effective Security Program for Distributed Energy Resources and Systems

Analysis of power system characteristics (e.g. stability, partial stability), analysis of DER impacts, addressing issues (e.g. cybersecurity, reliability, resiliency, cyber‐physical systems), Smart Grid interoperability dimensions, interoperability framework, and addressing cross‐cutting issues.

Distributed energy systems, DER technologies and security challenges, establishing information security governance, and examples of Smart Grid applications and cybersecurity expectations.

Security management as a broad field of management, security management components and tasks, security program definition and functions, security management process, asset management, physical security and safety, security versus safety, information security management infrastructure, models and frameworks for information security management, privacy program functions, and approaches for building a security program and privacy program.

Security management for Smart Grid systems – strategic, tactical, and operational views, unified view of security management based on risk management for both IT systems and control systems, systemic security management – comparison and discussion of models, efficient and effective management solutions, security models for electrical sector – electricity subsector cybersecurity capability maturity model (ES‐CM2), NIST framework, etc., implementation challenges on achieving security governance, and ensuring information assurance, certification, and accreditation.

The topics discussed in this book help to educate the Security Professionals, Power Control Engineers, management, regulators, service providers, and inform the public at large about the Smart Grid paradigm, DERs, and needs for Security and Privacy protection. Also, the book may be used to educate future graduates (e.g. engineers, computer science, IT graduates, business, and law) to gain skills and more knowledge on understanding and managing the security and privacy risks of Smart Grid and DERs as well as approaches for defining and maintaining a security and privacy program. For example, Law students can use the material from the book to understand the cybersecurity issues for critical infrastructure problems. Also, they can learn about the current regulations, the power and consumers' needs for new regulations in the future.

Research and academia communities could use the book to have a broader view of the cybersecurity problems for Smart Grid, critical infrastructure and energy sector.

Although I am the sole author of this book, the content is the product of my work experience and learning from discussions with colleagues and friends about various topics and projects at work, interactions with researchers at conferences and workshops, meetings and presentations provided by professional societies, my published research works, presentations and talks at conferences, teaching courses in the university, leading research projects with students, meetings with IEEE members, etc.

Besides these, I have been inspired by Dr. Martha Evens' strength and dedication to seek new work and educate others. Dr. Martha Evens encouraged me to pursue a doctoral degree in Artificial Intelligence, after I accomplished an MS in computer science at Illinois Institute of Technology, Chicago, IL, USA. Still after several decades, Dr. Evens (now emeritus professor) provided advice on how to manage the writing of this book. She always encouraged me to pursue my own research interests.

The chosen topic – cybersecurity for the Smart Grid and distributed energy resources – is the result of my own decision, after I learned about threats to power grid and the need for providing more information on security matters to engineers.

I thank Dr. Simone Taylor for reading my book proposal and offering the opportunity to publish this book. My thanks also go to reviewers, Antony Sami, Brett Kurzman, Kari Capone, Sarah Lemore, and the team of editors and managers from Wiley. Their support and advice in completing the writing task are very much appreciated.

Mariana Hentea 28 November 2019

Over a short period of time, people and businesses have come to depend greatly upon computer technology and automation in many different aspects of their lives. Computers are involved in managing and operating public utilities, banking, e‐commerce and other financial institutions, medical equipment and healthcare services, government offices, military defense systems, and almost every possible business and day‐to‐day activities of the people. This level of dependence and the extent of Internet technology integration made security necessary discipline as stated by the Organisation for Economic Cooperation and Development (OECD) in [OECD 2006]:

Security must become an integral part of the daily routine of individuals, businesses and governments in their use of Internet Communication Technologies (ICTs) and conduct of online activities.

Security is the condition of being protected against danger and loss. In general usage, security is similar to safety. Security means that something is not only secure but also it has been secured.

There are various definitions of security provided by different dictionaries (e.g. security is freedom from danger; safety) (see more definitions in Appendix A), but all of them basically agree on some components, and they miss this point: they do not translate readily into information technology (IT) terms. In the IT sector, there is an acceptance that there is no pure risk‐free state, whatever it is done (or not done), but it carries a risk.

Therefore, the definitions should not be considered as absolute descriptions of the word security in the real world because they individually describe a practically impossible goal. In order to describe security in a more realistic way, by combining the definitions provided by two dictionaries, new definitions are suggested (e.g. [Fragkos 2005]).

Thus, the definition of security is understood as the capability of a system to protect its resources and to perform to its design goals. However, definitions may differ among users, standards organizations, and industries. Also, several concepts and definitions for security and many related terms have evolved in time to reflect emerging trends. Some other terms are used such as information security and cybersecurity. In a computing context, the term security implies cybersecurity [TechTarget]. Information security was first brought to the public’s attention by the release of the first guidelines to protect the security of information systems in 1992 [OECD 1992].

Ten years later, the OECD reviewed the guidelines to take into account the generalized adoption of Internet technologies, which enabled the openness and interconnection of formerly closed and isolated information systems. The need to develop a culture of security and greater awareness was initiated in 2002 by OECD [OECD 2002] for OECD members and nonmembers alike; it was adopted by United Nations in 2002 [UN 2002]. The OECD document [OECD 2002] emphasizes the need to take into account the emergence of the open Internet and the generalization of interconnectivity. These guidelines apply to all participants in the new information society.

Security is, therefore, currently a widespread and growing concern that covers all areas of society: business, domestic, financial, government, and so on. Often security has different meanings to different people. There are several definitions and terms that sometimes make the security an ambiguous field. For example, in the energy sector, energy security refers to the uninterrupted availability of energy sources at an affordable price [IEA 2016]. To a power engineer, security means that power flows between utilities are open. Another view of security is a three‐legged stool consisting of physical security, information technology (IT) security, and industrial control systems (ICS) security [Weiss 2010].