A smart, networked energy grid offers a host of energy- and money-saving benefits, but it presents an enticing target to all sorts of miscreants. How to reap the good while avoiding the bad?
A smarter energy grid holds both promise and peril. Advantages range from more sophisticated energy management to significant savings. But the threats also are numerous, as a networked electrical grid almost certainly would entice all sorts of miscreants.
The Energy Department and National Institute of Standards and Technology are leading a coalition of government and industry organizations in building a cybersecurity framework that would protect the nation’s electrical grid.
The group has an aggressive schedule, with plans to produce guidelines for consistent risk management processes across the electric supply system by this fall.
“The goal is to begin moving the electricity sector stakeholders out of the compliance mindset and into a continuous monitoring mindset,” said Bill Hunteman, senior cybersecurity adviser at DOE’s Office of Electricity Delivery and Energy Reliability (OE).
In addition to OE and NIST, coalition participants include the Federal Energy Regulatory Commission, the North American Electric Reliability Corp., the Homeland Security Department and a number of utility companies.
The program is part of a broader effort to develop cybersecurity standards for an intelligent energy grid, often called the smart grid, toward which the electrical industry is moving. A risk management framework for the smart grid is urgently needed, Hunteman said.
“All of the participants have acknowledged the need to get this going,” he said.
The American Recovery and Reinvestment Act has provided money for developing and fielding new electric grid technology, and the industry now needs standards to develop and deploy the technology. “You need to get security built in and not added on later,” Hunteman said. “Everybody is supportive of the aggressive schedule.”
However, the process is not yet complete, and the Government Accountability Office said in a recent study that federal overseers lack the authority to require industry compliance.
The smart grid is part of the Obama administration’s economic recovery program, and it carries the promise of creating jobs, contributing to energy independence and curbing greenhouse gas emissions.
An electrical industry group, the Working Group for Investment in Reliable and Economic Electric Systems (Wires), in a January report on smart transmission technology, said “major new investment in a stronger high-voltage transmission system is key” to meeting growing demands for electrical power and enabling more environmentally friendly energy sources.
“A strong transmission system must also be an intelligent system that employs the best available technologies and materials,” the report states. “It must be animated by advanced digital technologies in order to integrate those resources into the electric system in an economically and operationally efficient way.”
The high-voltage transmission system already is using smart networks to balance the flow of electricity from hundreds of power plants across multiple systems, Wires said in the report. The smart grid would use intelligent networking and automation to better control the flow and delivery of electricity to consumers, enabling a two-way flow of power and information between power plants and customers, in addition to all points in between. That could enable the more efficient generation, transmission and use of energy across a national grid.
An attractive target
However, those anticipated benefits are accompanied by the risk that increasingly intelligent, interconnected networks would be vulnerable to attacks that could interrupt power transmission and operations and result in widespread loss of electrical services. Potential problems include:
- Increasing the number of entry points and paths that attackers could exploit.
- Introducing new, unknown vulnerabilities.
- Expanding the amount of customer information collected and transmitted.
Breaches of electrical supply systems already have been reported, and the emergence of the Stuxnet worm has illustrated the ability of a cyber threat to affect the control processes of physical systems.
DOE is leading the smart-grid program through the Energy Independence and Security Act of 2007, and NIST is developing standards for the smart grid. EISA also directs FERC to adopt standards for smart-grid security and interoperability.
“While EISA gives FERC authority to adopt smart-grid standards, it does not provide FERC with specific enforcement authority,” GAO said in the report on electricity grid modernization. “As a result, any standards identified and developed through the NIST-led process are voluntary unless regulators use other authorities to indirectly compel utilities and manufacturers to follow them.”
Regulation of the electrical power industry and system is divided among various regulators at the federal, state and local level, and FERC has no plans to monitor industry compliance with voluntary standards.
One system, 3,000 utilities
The electricity grid has historically relied on proprietary technology, which has helped isolate and protect individual systems. But that protection is not complete. “One of the big issues is that the grid is so tightly interconnected for reliability that we have to do the best we can to develop a consistent process across the more than 3,000 utilities,” Hunteman said.
The number of parties involved complicates the process of developing a security framework. “There are a lot of moving parts” in the standards and rule-making effort, said Erich Gunther, chairman and chief technology officer of EnerNex.
In addition to government regulators and private utilities, there are standards bodies such as IEEE, for which Gunther is chairman of the Intelligent Grid Coordinating Committee of the Power and Energy Society. “All of these entities have a role to play.”
The lack of a complete, coherent security framework is not because of a failure of that effort, he said. Instead, it is the result of the rapid evolution of the energy grid. IT security has been part of the grid for a long time, he said. “What’s new with the smart grid is its pervasive application in the power infrastructure.”
As a result, a lot of cybersecurity experts work separately on the effort without understanding the overall infrastructure they are trying to protect, Gunther said.
“Cybersecurity is a systematic problem,” he said. “You’ve got to be aware of the business objective of what you’re trying to protect. A lot of the security folks don’t yet understand how all of the parts of the power infrastructure fit together.”
Within IEEE, several working groups are working to identify and craft standards for the power industry, including the organization's Power and Energy Society, Computer Society and Communications Society. Despite the complexity, the overall smart-grid security effort is working well, Gunther said.
“We’ve got the right people working on the right stuff, and there is a surprising amount of coordination,” he said. There is no obvious need for more centralized control of the process, he added. “You need a large community of experts freely exchanging ideas. That seems to be working.”
In upgrading to a smart grid, utilities want systems that easily work with technologies from different vendors. But there are no generally accepted security standards for the equipment. EISA directs NIST to coordinate development of a standards framework. The agency is identifying existing standards for interoperability and cybersecurity that can be applied to the smart grid, and it's also identifying gaps where it needs to develop new standards.
NIST published an initial framework for interoperability and security in January 2010, Special Publication 1108, “A Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0.” In August, the agency released the first version of security guidelines, the three-volume Interagency Report 7628, “Guidelines for Smart Grid Cyber Security.”
In its report, GAO said the guidelines include important elements, including a high-level strategy for developing an approach to securing smart-grid systems and identifying appropriate security requirements. FERC is reviewing the initial guidelines for adoption as voluntary standards, including five existing cybersecurity standards identified by NIST as ready for adoption.
The DOE/NIST and industry initiative aims to lay a foundation for those standards by establishing processes for risk management, which is the science of identifying and assessing risks so that they can be eliminated, mitigated or accepted. Within government, there has been an evolution toward continuous monitoring for risk management rather than using one-time or periodic snapshots that become out-of-date before appropriate security guidelines and controls are put into place.
“We are moving now to start implementing an effective cybersecurity program into the grid,” Hunteman said.
The initiative will build on existing risk management models, and the core development group will select models that apply to the utilities industry to provide an initial set of guidelines, possibly as early as this month. Iterations of the guidelines will be offered for public comment “until we have exhausted everyone’s comments,” Hunteman said. There is no firm deadline for completion, but a final version is expected by fall.
Regardless of how well received the guidelines are, they still will be voluntary. But Hunteman said that will be a strength.
“Voluntary guidelines will be effective in elevating the level of security in the electric grid,” he said. They will provide a common model but can be applied as appropriate by each user. Large multistate utilities have different needs than those of small rural cooperatives.
One indication of industry acceptance of the program is the level of interest in participation, Hunteman said. “One of the challenges has been keeping the core development team small enough so that we can quickly turn out the document.”
Despite the aggressive schedule for producing the risk management framework, there is no immediate endpoint for the broader security effort, Gunther said. “There is a lot to do. It will never be complete.”