NIST Revising Smart-Grid Guidance
Updates to Address New Vulnerabilities, Privacy ThreatsThe National Institute of Standards and Technology is revising its smart-grid guidance to address technological and policy changes over the past three years that have made the grid more susceptible to vulnerabilities and threatened utility customers' privacy.
See Also: Managing Shadow IT Across Your Enterprise
NIST published Interagency Report 7628, Guidelines for Smart Grid Cybersecurity, in September 2010. Late last month, it issued a draft of its first revisions to the cybersecurity guidance.
The nation's power grid remains years away from becoming a true smart grid, which NIST defines as an advanced, digital infrastructure with two-way capabilities for communicating information, controlling equipment and distributing energy.
Still, NIST says, utilities now need to devise effective strategies for protecting the privacy of smart grid-related data and for securing the computing and communication networks that will be central to the performance and availability of the envisioned electric power infrastructure.
"While integrating information technologies is essential to building the smart grid and realizing its benefits, the same networked technologies add complexity and also introduce new interdependencies and vulnerabilities," NIST says in the introduction to the draft of its updated smart-grid guidance. "Approaches to secure these technologies and to protect privacy must be designed and implemented early in the transition to the smart grid."
Smart Meter Use Rising
Victoria Pillitterri, NIST's smart-grid cybersecurity engineer, says the IR 7628 Revision 1 draft reflects the basic principles of the original report but provides guidance to address advances over the past three years in technologies and processes. Those include the increased use of smart meters that continuously record power use in utility customers' homes and businesses as well as charging stations for electrically powered vehicles.
The percentage of U.S. customers using smart meters soared to nearly 23 percent in 2012 from 0.7 percent in 2006, according to a report from the Federal Energy Regulatory Commission.
Pillitterri points out that utilities pull information dozens of times a day from smart meters, a sharp contrast from the once-a-month readings culled by meter readers showing up at homes and businesses to manually record electrical use. In this era of big data, smart meter readings, when combined with information from other sources, could disclose information heretofore unknown, such as the number of people inside a residence at a given time or the types of medical devices being used. "Because of that," Pillitterri says, "there are a lot of potential privacy concerns."
Similarly, she says, the smart grid could track the travel habits of drivers, collecting real-time data from charging stations that not only includes location of a specific vehicle but billing information of customers paying for the charge.
A report on AutoBlogGreen, a blog affiliated with the news site Autoblog, says the number of U.S. public charging stations increased by 9 percent in the first quarter of this year. The website Green Car Reports says the number of public charging stations in the United States could rise to 50,000 within a year, a five-fold increase from the beginning of 2013.
Unlike Other Digital Networks
The smart grid is unlike other critical information infrastructures in that millions of nodes located in businesses, government installations and residences connect to the grid - a collection of networks that use technology to analyze supplier and consumer behaviors to efficiently distribute electricity. And each node introduces a point for hackers to exploit to attack the grid.
"For this reason, specific risk assessment methodologies have to be developed," says Konstantinos Moulinos, a network and information security and critical information infrastructure protection expert for the European Network and Information Security Agency, which, like NIST is developing smart-grid guidance for the European Union (see Smart Grid's Unique Security Challenge).
NIST's issuance of the smart-grid guidance draft revision comes at a time when political leaders questions the security of the electric grid.
A report issued in May from Democratic members of the House Energy and Commerce Committee contends America's electric utilities are under constant attack, with some providers reporting in excess of 10,000 digital assaults a day (see Judging Cyberthreat Against Power Grid). Though industry leaders say attacks on the electric grid aren't much different than assaults experienced by other industries, the Democratic report maintains the grid is vulnerable because utilities don't always adopt voluntary security guidelines from an industry group, the North American Electric Reliability Corp.
"We need to push electric utilities to enlist all of the measures they can now," says Sen. Ed Markey, D-Mass., who served on the House panel when the Democrats issued the report.
Many of those security measures appear in NIST guidance. But NIST is not a regulatory agency and cannot impose its best practices on the private sector. Regulators such as the Federal Energy Regulatory Commission, however, could require regulated businesses to adopt them. President Obama's executive order on creating a cybersecurity framework of IT security best practices, which critical infrastructure operators could voluntarily adopt, calls on regulators to consider framework security and privacy recommendations for inclusion in the rules they impose on regulated businesses (see Obama, CEOs Meet on Cybersecurity Framework).
Changes in the Guidance
What's new in the latest smart grid guidance? The draft report includes:
- A new chapter on the roles of the Smart Grid Interoperability Panel, a NIST-affiliated industry association that engages stakeholders in developing standards for the smart grid;
- An expanded view of the architecture of the smart grid;
- A number of developments related to ensuring cybersecurity for the Smart Grid, including a risk management framework to provide guidance on security practices;
- A new framework for testing the conformity of devices and systems to be connected to the smart grid;
- Information on efforts to coordinate the smart-grid standards effort for the United States with similar efforts in other parts of the world; and
- An overview of future areas of work, including electromagnetic disturbance and interference and improvements to Smart Grid Interoperability Panel processes.
NIST is seeking comments from stakeholders on the revision draft. Public comments are being accepted until Dec. 23 at NISTIR.7628.Rev1@nist.gov.