I took the challenge to wade through 300 pages of NIST’s (National Institute of Standards and Technology) second draft of NIST IR 7628, Smart Grid Cyber Security Strategy and Requirements. My head is still ringing.
What is it?
The nation’s electric power infrastructure is called the grid. It is believed the grid will not be able to generate sufficient power for all citizens in the future. Therefore the government wants to enable more efficient distribution of energy and use of natural resources by the utilities and consumers. And the way to do this is by modernizing the electric utility distribution model using information technology. Hence the Smart Grid.
Smart Grid Vision
The NIST plan lays out a complex web of intelligent consumer devices, from washing machines and water heaters to electric car batteries, connected to a computer network within the house or building. That network is connected to intelligent meter-type devices, which are connected to a network of utilities and service providers (solar, wind, coal, nuclear, natural gas, hydroelectric), which are in turn connected to financial trading houses that set the market prices that affect energy rates.
Imagine a network of millions of intelligent devices, homes, buildings, utilities, distributors, financial markets and service providers all connected. The Internet redux.
Except in this situation there is the massive ability to control, shut off and turn on devices central to daily living, school, industry and work. Both consumers and service providers using Smart Grid technology will be able to regulate the use of energy by individual devices within the home and also local storage of power. Storage options can range from an electric car battery to batteries which store energy generated from solar panels or wind turbines. You will also be able to regulate usage and energy storage based on real-time market prices.
So as a result of Smart Grids the public can conserve energy, lower energy costs, lower carbon emissions, and have less reliance on foreign oil (automobiles). Yet while the goals are worthy, after watching movies like The Terminator and The Matrix, I couldn’t stop thinking this massive network will lead to a Doomsday scenario. Computers taking over the world.
However, this is not what keeps NIST and others up at night. The fear is that this massive network, based on off-the-shelf computer technology, presents a frightening cyber security challenge. And the threats could be from terrorists, natural disasters, internal malcontents as well as consumers themselves.
Difference in security for Smart Grids vs. corporate IT
A traditional IT-focused understanding of cyber security is that protection is required to ensure confidentiality, integrity, and availability of the network and data. The priority is confidentiality first, then integrity and availability.
For industrial control systems, including power systems, the priorities of the security objectives are availability first, integrity second, and then confidentiality (consumer data). Cyber security in the Smart Grid includes both power and cyber system technologies and processes in IT and power system operations and governance.
Because the Smart Grid includes systems from the IT, telecommunications, and energy sectors, the risk assessment process is applied to all three sectors as they interact in the Smart Grid. It is an enormous undertaking. But once the Smart Grid is secure, it will be the harbinger of daily life in the future.