Bob Saint, MultiSpeak Initiative and Barry Lawson, NRECA
With passage of the Energy Information and Security Act (EISA) in 2007, Congress aimed to promote the transition to a smarter grid and, at the same time, set in motion a process for creating interoperability and cybersecurity standards necessary for the success of that effort. At this point, however, the accelerated push to smarten the grid, helped along by new federal money for investments and research, threatens to outpace the standards-setting process.
In other words, we may have a smart grid before we’re truly ready for it.
Evolving Standards for Interoperability and Cybersecurity
Policymakers understand that, just as in other industries such as finance and health care, the benefits of computerization and automation bring potential risks. The communication and automation software applications that enable more reliable demand response, integration of renewable resources and better outage management also introduce new risks that must be actively managed.
In response to Congressional inquiries, the National Rural Electric Cooperative Association and other industry groups have testified that the electric industry has decades of experience in assessing a wide variety of threats to critical infrastructure assets. Electric utilities have focused on cyber threats increasingly over time, in proportion to the increasing use of automated components in generation and transmission of electricity. In the federal policy arena, NRECA is working with industry partners to strengthen and revise the current NERC reliability and cybersecurity standards, which must be approved by the Federal Energy Regulatory Commission (FERC) in order to become mandatory and enforceable.
The good news is that a new research project funded by a matching grant from the Department of Energy is providing timely, targeted assistance to cooperatives, which are moving full-throttle to deploy advanced technologies that can help them keep costs down for consumers and increase their efficiency.
The EISA also instructed the National Institute of Standards and Technology (NIST) to coordinate the development of standards for smart grid interoperability and cybersecurity. To expedite the process, NIST compiled an initial list of interoperability standards. The interoperability standards include NRECA’s MultiSpeak specification, which has enabled the integration of automation software by electric distribution co-ops (there are more than 800) and reduces the need for costly custom code writing. While the federal agency is working on a framework for the longer-term evolution of standards, the expedited initial list will allow ongoing deployment of smart meters and other communications infrastructure to proceed.
Cooperatives and MultiSpeak
These simultaneous if not parallel efforts, however, will take time; approved national or federal standards for mitigating cybersecurity risks of the smart grid are almost certainly years away. Many of these regulatory changes will then be duplicated at the state level. In the meantime, utilities and software developers need to find a path forward. And for many co-ops, small staffs and limited resources make the challenge of mitigating risk in the absence of national standards particularly difficult.
Cooperatives are standing on the frontlines. They lead the industry with nearly 50 percent penetration of smart meters. The great majority of cooperatives with smart meters have also begun to integrate their AMI and other distribution automation technology with other systems. For example, approximately 79 percent of cooperatives with AMI/AMR have at least begun to integrate their AMI/AMR systems with their customer information systems (CIS), 26 percent with their geographic information systems (GIS) and 23 percent with their outage management systems (OMS).
Thus, electric cooperatives face a range of information security risks that need to be addressed, from disgruntled customers manipulating new smart grid equipment to computer criminals seeking social security numbers on corporate networks to adversaries targeting the power grid. Efficiently defending against these risks means building a cost-effective cybersecurity program that mitigates risks, addresses compliance and regulatory requirements, and results in streamlined operations and increased productivity. The launch of a research project that includes development of workable, sustainable cybersecurity plans for cooperatives deploying smart grid components could not come at a better time.
NRECA’s Cooperative Research Network (CRN) is moving ahead on a regional smart grid demonstration project involving 23 cooperatives of varying sizes and territories in ten states. The project will deploy an array of smart grid technologies (more than 150,000 components) in order to help electric cooperatives find and use new technologies to keep costs down for consumers, become more efficient and achieve sustainability. At the same time, the project brings the MultiSpeak Initiative, cooperatives and vendors together with cybersecurity experts to develop a robust plan to ensure the security of smart grid communications.
For electric utilities, cybersecurity is a cyclic risk management process protecting information systems in four dimensions: confidentiality, integrity, availability and nonrepudiation. A robust security program integrates technical, operational, and managerial controls to create layered defenses for an information system.
At the application level, databases, messaging programs, Web servers, transaction systems and e-mail systems demand their own specific security solutions. Supervisory control and data acquisition (SCADA) systems, which provide real-time control and monitoring of electric distribution systems, create special security challenges. Their time and mission criticality make SCADA systems attractive targets for cyber adversaries. SCADA security calls for protecting external connections through strong authentication, engaging application-level access controls, and implementing routine patch management.
Across the board, the need to design, create, and deploy secure software will be key to long-term success. This approach will not only improve software quality and robustness, but will result in products that are better able to withstand attack. Embedding these goals into software development processes may require process changes for some vendors.
The research project will leverage the success of MultiSpeak to develop cybersecurity protections. Since 2000, MultiSpeak has provided integration solutions for operations systems, including smart meters, SCADA and GIS. Over 500 utilities, including electric cooperatives, municipal utilities and investor-owned utilities in the United States, as well as a number of utilities in the Americas and Europe, are using interfaces developed in consultation with the 50 vendors who make up the MultiSpeak Initiative.
As part of this project, applications deployed by participating co-ops will be responsive to the security strategy and requirements under development at NIST. Working with cooperatives at the ground level, this research project aims to provide models not only for other cooperatives, but for the rest of the industry. The end result will be a set of defined security best practices and a checklist for implementation. The MultiSpeak Initiative will ensure that underlying protocols can support the recommendations.
Technical controls must be supported by operational controls such as patch management and vulnerability scans to be effective. Managerial controls such as separation of duty policies and training programs support both, and thus ensure that systems and procedures are implemented systematically. Physical security is critical as well. Video cameras, security guards, access controls, and fire-suppression systems are vital components of a security plan that keeps assets out of the wrong hands.
Cooperatives understand that a robust cybersecurity program is more than a collection of techniques and technologies thrown together in defense of a network. A sustainable program must bind these into a cohesive framework driven by risk and compliance, and supported by assessment and training. Ultimately, a security program is built on a culture supported by training and education. NRECA has already begun this effort and expects to enlarge it significantly in the coming years.
Cooperatives have an obligation to provide power that is reliable, affordable and safe. As the electric power distribution and transmission infrastructure evolves, incorporating new technologies and meeting our changing needs and priorities, co-ops will continue to honor this obligation.
Bob Saint is program manager with the MultiSpeak Initiative, and Barry Lawson is manager of power distribution at the National Rural Electric Cooperative Association (NRECA).