NIST's revised guidance for Smart Grid cybersecurity reflects changes in power grid technology, which will put a lot of personal information on the grid.
Guidelines for securing the nation’s next-generation power grid are being updated by the National Institute of Standards and Technology to reflect advances in grid technology and IT security over the last three years.
This guidance marks the first update of the interagency report, originally released in 2010. It was developed by the Smart Grid Cybersecurity Committee (formerly the Cyber Security Working Group) of the Smart Grid Interoperability Panel, a public-private initiative launched by NIST in 2009 NIST with American Recovery and Reinvestment Act funding from the Energy Department. The report is a companion document to the NIST Framework and Roadmap for Smart Grid Interoperability Standards, release 2.0 (Special Publication 1108), and expands on it. The framework “lays out a plan for transforming the nation's aging electric power system into an interoperable Smart Grid.”
Release 2 of the framework, published in 2012, added 22 standards, specifications and guidelines to the 75 standards initially recommended as applicable to the Smart Grid. The cybersecurity guidelines in IR 7628 will continue to be updated as the framework is updated and new standards are identified.
The 621-page report is divided into three volumes, the first defining a cybersecurity architecture, the second addressing privacy concerns and the third providing supporting analyses and references.
The most significant changes, contained in the draft revision of NIST Interagency Report 7628, Guidelines for Smart Grid Cybersecurity, concern the privacy of data generated in a two-way electrical system. References to technical standards recently identified as applicable to Smart Grid security also are incorporated.
NIST is accepting comments on the revision through Dec. 24.
“The United States has embarked on a major transformation of its electric power infrastructure” to achieve greater efficiency and reliability, enable use of alternative and renewable energy sources, reduce pollution and support a more sustainable economy,” the interagency report says.
But with the new intelligent infrastructure comes new security challenges. “While integrating information technologies is essential to building the Smart Grid and realizing its benefits, the same networked technologies add complexity and also introduce new interdependencies and vulnerabilities.”
Addressing these vulnerabilities has become a matter of national security, as the nation’s economy and well-being depend on an infrastructure increasingly interconnected with global networks.
The report provides guidance for assessing risk and identifying and applying appropriate security requirements. “This approach recognizes that the electric grid is changing from a relatively closed system to a complex, highly interconnected environment,” with two-way power flow and communications.
Although reliability has long been a primary requirement for the power grid, privacy also has become an issue with the creation, collection and transmission of data about customers. “The Smart Grid will greatly expand the amount of data that can be monitored, collected, aggregated and analyzed,” the report says.
Personal information such as name, address and account number, along with financial information could be found on the grid, as well as information about when a home is unoccupied, when occupants are awake and asleep and what appliances are being used. An Internet-addressable meter also could be identified and possibly accessed.
The expanded discussion of privacy in Volume 2 of the report addresses residences only. Recommendations for privacy include:
- Transparency in plans for use of new technologies.
- Privacy impact assessments for new technologies.
- Documenting privacy policies and practices spelling out individual responsibilities.
- Privacy training for employees and education for consumers about privacy risk.
- Tracking the flow of data with personal information to address risks.
- Removing identifiable information from aggregated energy usage data.
- Controlling access and usage of personal information by third parties.
- Protecting wireless data transmissions.
- Sharing information across the Smart Grid user environment.
Mitigations for these privacy issues will need to be explored as technology solutions are deployed. In the meantime, system and infrastructure architects should be aware of these potential concerns.
Comments on the revised interagency report should be sent to NISTIR.7628.Rev1@nist.gov using the comment templates available with the report.