Secure the smart grid or face 'serious consequences,' Chu says
Administration wants cybersecurity on front burner of interoperable electric grid
The administration has released a strategy to help provide unity and coherence to the modernization of the nation’s electric power grid.
The strategy, outlined in a report released June 13, “A Policy Framework for the 21st Century Grid,” is part of the administration’s Blueprint for a Secure Energy Future, in which development of an interoperable smart grid is a priority.
Cybersecurity is one of the four primary goals of the strategy.
“If this is not designed in, there could be serious consequences,” both for consumers and for power generation, transmission and distribution systems, Energy Secretary Steven Chu said in releasing the report. “This is not something being put on the back burner.”
Panel adds future-proofing, wireless pieces to smart grid plan
First set of Smart Grid standards submitted to energy regulators
Securing a smart grid will require shifting from a traditional industry focus on physical security to include a broad range of cybersecurity issues as well.
“Cybersecurity practices must address not only the threats and vulnerabilities of traditional information systems, but also issues unique to electric grid technology,” the report states. “These include the lengthy life expectancy of energy control systems, low-latency communications needed for real-time control, and differing requirements and regulatory frameworks among grid stakeholders.”
As with other administration policies for security critical infrastructures, an emphasis is being placed on cooperation between government and industry rather than on regulation. The electric grid is owned and operated by the private sector, which bristles at government regulation, Chu said. “But we can facilitate solutions.”
In addition to continuing efforts at the National Institute of Standards and Technology to develop standards and best practices for smart-grid security, the strategy calls for giving grid operators access to actionable threat information, supporting cybersecurity research and development, and working with private-sector stakeholders to establish accountability for meeting cybersecurity standards.
The report was produced by the Smart Grid subcommittee of the cabinet-level National Science and Technology Council (NSTC).
Smart-grid development is being driven on the consumer side by availability of new products such as hybrid and electrically powered autos and smart-meter technology, and on the generation and transmission side by the introduction of nontraditional energy sources such as solar and wind generation.
To date, the grid has changed little since its introduction more than 100 years ago, said John P. Holden, director of the White House Office of Science and Technology Policy. Modernization of the nation’s electric grid was incorporated as a national policy in the Energy Independence and Security Act of 2007. And $4.5 billion has been provided for Smart Grid efforts under the American Recovery and Reinvestment Act investment, matched by $5.5 billion in private funding.
First-generation consumer smart technology such as smart meters and remote programmable thermostats already is being implemented, and to date, 25 states already have adopted smart-grid technology policies, creating what the NSTC called “a lot of difference smart grids,” and demonstrating the need for an overarching national policy.
“While there is no one-size-fits-all set of smart-grid solutions, there are important unifying policy strategies that can advance U.S. leadership in the 21st century clean-energy economy,” the report states. “This report outlines such policies and details efforts by the federal government and others to advance them.”
The goals or pillars of the strategy, in addition to security, are enabling cost-effective smart-grid investments, leveraging private-sector development and empowering consumers.
“Ultimately, smart-grid technologies will involve integrated suites of open standards, specifications, and requirements to assure the interoperability, privacy, and security that will enable operations, ensure resilience, and provide consumer benefits,” the report states. But, these enhancements can create new threats as well. “Notably, a smarter grid includes more devices and connections that may become avenues for intrusions, error-caused disruptions, malicious attacks, destruction, and other threats.”
The report describes the administration’s approach to grid security as a “thoughtful, cost-effective strategy that ensures the largest improvement in security and the greatest return on investment,” and that emphasizes collaboration. A critical element is the identification and prioritization of risks and the creation of standards and guidelines for mitigating them. This will include leveraging the capabilities of current threat-sharing activities, including the electricity sector’s Information Sharing and Analysis Center and the U.S. Computer Emergency Readiness Team (US-CERT), as well as developing new capabilities.
The strategy also includes shifting to a performance-based culture of risk management, performance evaluations and ongoing monitoring in the industry.
“The overall goal of the effort is to develop policy and regulatory frameworks that ensure that effective and feasible security is appropriately implemented and that all stakeholders contribute to the security and reliability of the grid as a whole,” the report states.
To help facilitate government-industry cooperation, the Energy Department’s fiscal 2012 budget request includes funding for a smart grid innovation hub to bring together government and private-sector researchers and representatives from utilities to support research, development, and deployment of smart-grid technologies.
The strategy also includes creation of Grid 21 to promote consumer-friendly innovations. Grid 21 is a nonprofit organization formed by the GridWise Alliance industry group that will provide programs, tools and information for consumers to help them take advantage of smart-grid capabilities.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.