Second draft of Smart Grid security architecture released for public comment

A revised draft of a Smart Grid security architecture has been released for public comment, outlining how security requirements will be incorporated into the design of the nation’s next generation power distribution system.

“Smart Grid technologies will introduce millions of new intelligent components to the electric grid that communicate in a much more advanced ways (two-way, with open protocols) than in the past,” the interagency report released by the National Institute of Standards and Technology says. “Because of this, two areas that are critically important to get correct are Cyber Security and Privacy.”


NIST IR 7628, “Smart Grid Cyber Security Strategy and Requirements"

Smart Grid Interoperability Framework

CyberEye: A call for critical thinking about securing our power grid

NIST completes first release of Smart Grid framework


The second draft of NIST IR 7628, “Smart Grid Cyber Security Strategy and Requirements,” updates the overall Smart Grid security strategy and includes expanded sections on privacy, bottom-up analysis, and vulnerability class analysis sections. There also are new chapters on research and development themes and standards assessment as well as an overall functional logical Smart Grid architecture. NIST released the initial version of the report in September, and it quickly garnered more than 350 comments that the agency has addressed.

Comments on the current draft should be sent to cswgdraft2comments@nist.gov by April 2. A template for making comments is available online at NISTIR7628_comments_template_Feb-02-2010.doc.

The security plan is a critical part of the Smart Grid interoperability effort being spearheaded by the National Institute of Standards and Technology. It is being developed in conjunction with the Smart Grid Interoperability framework. NIST published the initial release of that in January. The 305-page security document, which includes a comprehensive set of security requirements, remains a work in progress and NIST expects to issue a completed report by early summer.

Development of cyber security strategy and requirements began with the establishment of a Cyber Security Coordination Task Group led by NIST and now contains more than 350 participants from the private sector (including vendors and service providers), academia, regulatory organizations, and federal agencies.

The Energy Independence and Security Act of 2007 established the Smart Grid program. The law also mandated that security be built into the system that would use intelligent networking and automation to better control the flow and delivery of electricity to consumers. This would require a two-way flow of electricity and information between the power plant and the end user, and to points in between. Security requirements are being developed using a high-level risk assessment process and are recognized as critical in all of the priority action plans discussed in the “Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0,” (NIST Special Publication 1108).

NIST will develop Smart Grid security requirements for specific domains, business and mission functions and interfaces, as well as for the overall grid. But they are being developed at a high level and will not be spelled out for specific systems or components because of the impossible complexity of that job. The security requirements and architecture will address not only deliberate attacks, but errors, failures and natural disasters that also could destabilize the grid.

The security architecture being developed will identify interfaces between functional domains of the new grid, and categorize them according to the criticality of their data accuracy and availability. The constraints, issues and impacts of breaches at these interfaces will be considered for each category, and security requirements will be developed. The current report identifies more than 120 interfaces that will link diverse devices, systems, and organizations that will be engaged in two-way flows of electricity and information and classifies these connections according to the risks posed by a potential security breach.

Key updates in the current draft of IR 7628 include:

  • Functional Architecture Development. The functional logical architecture represents the initial set of use cases and requirements from workshops and the initial NIST Smart Grid Interoperability Roadmap. This functional logical architecture focuses on a short-term view of one to five years.
  • Bottom-up Assessment. This includes additional cybersecurity problems, a new section on design considerations, and moved and revised some subsections previously in "Non-Specific Cyber Security Issues" to the new "Design Considerations" section.
  • Privacy. The focus of the Privacy sub-group has been on what data might be collected or created that could include personal information, how this information might be exploited, and policies and practices to identify and mitigate risks.
  • Standards. The new Standards sub-group added a chapter on standards and characteristics that apply to cybersecurity for the Smart Grid. The DHS catalogue was used as an initial source to develop these tables.
  • Research and Development. The R & D sub-group is another new sub-group that added a chapter on “Research and Development Themes for Cyber Security in the Smart Grid.” The chapter identifies five issues requiring immediate research and development: device level, novel mechanisms, systems level, networking issues, and other security issues in the Smart Grid context.
  • Vulnerability Class Analysis. An introduction was added to each of the major categories with clarifying descriptions for the section, and a brief discussion of the intent of the section.

“This is very important, transformational work for the electric industry,” the report states, “and it is critically important for all stakeholders to be actively engaged to ensure we get interoperability standards that achieve the most potential from Smart Grid technologies without negatively impacting the reliability of the proven technologies we depend on today.”

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • contemplating the future (SFIO CRACHO/Shutterstock.com)

    Governors prep for disruptive technology

Reader Comments

Thu, Feb 4, 2010 n3td3v United Kingdom

It's likely these utilities have been infiltrated the old fashioned way through human assets bringing in embedded malware in chip sets and circuit boards which can all be command lined back at the adversaries command and control cyber headquarters in some rogue state somewhere.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group