Cybersecurity In Focus

SGIP’s Sharon Allan talks about cybersecurity and the organization’s activities to advance it.
Published: Thu 16 Apr 2015

Talk about the smart grid and cybersecurity is sure to be part of the conversation, such is the significance of the threat and the importance of addressing it in this increasingly interconnected era.

Because of this, cybersecurity has been identified as a key focus area for the US Smart Grid Interoperability Panel (SGIP), as it works towards its vision of improving individual quality of life by integrating energy resources securely, intelligently and efficiently.

“When I joined SGIP I reached out to utilities to understand the key focus areas as they continue their grid modernization,” explains the recently appointed president and CEO, Sharon Allan. “Cybersecurity as a focus area makes sense. Cybersecurity is now front and centre in all industries across the world, as with more and more connected devices there are more and more points of entry for potential attacks.”

SGIP, established as a public-private partnership by the US National Institute of Standards and Technology (NIST) in 2009, is a consortium that securely accelerates and advances grid modernization through interoperability.

SGIP advances cybersecurity

Allan says that SGIP has a history of activity on cybersecurity, one of its earliest efforts being its collaboration with NIST on the development of NISTIR 7628 – a three-volume set of guidelines for smart grid cybersecurity, which have been widely used by utilities around the world in developing their cybersecurity frameworks.

SGIP is now reinvigorating this activity and building on it specifically in two ways. One is in providing a “trusted knowledge exchange environment” for utilities to share knowledge and information about their cybersecurity activities. “Purposely nothing is documented and no output will be published in order to keep it confidential,” Allan says of the first workshop, which was held in Phoenix in early March.

The second, which emerged from the workshop, is to develop a use case highlighting how different utilities have implemented the various voluntary cybersecurity frameworks. The focus will include the scope in which the frameworks were implemented, goals, methodology, organizational process, results and benefits and key lessons learned.

“We are defining the scope as different projects are being kicked off in utilities,” Allan says. “For example, senior executive teams are asking how to measure if risk is being mitigated and if cybersecurity is being improved. Another area of interest is the measurements and dashboards that can be utilized to communicate to management.”

Cybersecurity challenges

Allan says that the cybersecurity challenges that have emerged in the first discussions pertain principally to the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) version 5 cybersecurity requirements, which must be in place in the US by May 2016. These include new cybersecurity controls and extend the scope of the systems protected under the current CIP version 3 requirements.

“Utilities are finding that from the workforce standpoint these are requiring a lot of effort, as a lot of work needs to be accomplished to be ready.”

Other challenges pertain to putting in cybersecurity frameworks and issues such as risk control and processes.

Utilities have also shown much interest in the US Department of Energy’s (DOE) newly developed Cybersecurity Capability Maturity Model (C2M2), which is aimed at helping organizations evaluate and improve their cybersecurity programmes. To this end SGIP is planning a C2M2 webinar to provide further information.

Vendors and cybersecurity

Allan comments that since security is considered fundamental in connected systems, most vendors have now implemented a layer of cybersecurity within their products – and with multiple systems in place, the complexity of managing all these connections increases exponentially.

However, she adds that the vendors have asked to be kept informed of new cybersecurity developments and best practices from the utilities and independent power producers, so that they can continue to ensure the robustness of their products. “At this point how this dialogue flows will vary between entities but it will be an ongoing thing as cybersecurity continues to evolve and new systems are interfaced.”

Interoperability of devices is obviously a concern for utilities but at the security level this shouldn’t present an issue, Allan notes. “One needs to look at the type of security, whether it is encryption or authentication, and there are protocols and tools for those.”

New focus for SGIP

Allan comments that this focus on cybersecurity marks a changing approach for SGIP, which is to become more project-focused to better align with the needs of utilities and independent power producers.

“I want to move the organization from not merely coordinating standards but driving action around key focus areas that help the end customers advance and accelerate their grid modernization projects,” she explains. “A Priority Action Plan (PAP) kicks off when a gap or issue with a standard needs resolving. The SGIP cybersecurity working group is addressing issues such as knowledge exchange and defining metrics, and while this isn’t a gap in a standard it is something that helps improve the cybersecurity focus.

“We see part of our mission as connecting parties and driving information and knowledge exchange, then taking the necessary actions to accelerate grid modernization. As the need for cybersecurity evolves across the networked grid, SGIP will continue to advance cybersecurity initiatives to serve the industry.”