Should security requirements just include the "what" and not the "how"?
As I perused Energy Central Professional yesterday morning with my morning cup of caffeinated and carbonated joe [i.e., pop (or soda)], I noticed an article from Public Power Weekly entitled "Smart grid cyber standards must work for all utilities, APPA tells NIST." The article discusses the American Public Power Association's (APPA) comments on a draft report by the National Institute of Standards and Technology (NIST). APPA said that NIST "needs to build sufficient flexibility into its cyber security requirements to accommodate the sizes and business models of consumer-owned systems." The statement reminded me that, when moving toward a smarter grid and more intelligent utility, company size -- and other factors -- impacts the shape and scope of smart initiatives for each utility. At the same time, however, minimum levels of security and functionality need to be in place to ensure that these smart efforts are effective and secure. Industry requirements are moving forward to dictate the "what" of security requirements, but do they need to dictate the "how" of accomplishing those requirements? And what impact does the "how" have on various utilities' abilities to move forward with building smarter grids and more intelligent utilities?
In Intelligent Utility magazine, we have talked about how utilities of all sizes and structures can learn from one another about various smart initiatives, from smart meters to smart substations to smart transmission systems. Whatever specific project a utility is tackling, the project ultimately feeds into a more universal goal of delivering information-enabled energy. What smart initiative a utility chooses to tackle first and how it accomplishes that initiative can vary depending on the utility. As Jim Greer, senior vice president of asset management and engineering at Oncor, pointed out to me in a recent conversation, "It's OK to have multiple definitions for smart grid because each utility, each jurisdiction, is going to have different priorities. What they're going to need is different and therefore our systems will be different. We're moving forward on the areas that make the most sense for us." Things such as different business drivers, utility company structures, regulatory requirements and public policies fuel the different approaches.
OK, so there are different approaches to building out the "smarts." At the same time, even though there are different approaches to building smarter grids and ultimately more intelligent utilities, certain requirements need to be put into place to ensure not just a smarter grid, but also a more efficient and secure grid. Cyber security is obviously one of those requirements. Is it enough, though, to say what the cyber security requirements are, but not prescribe how best to meet them? And should the requirements themselves even be the same for different types of utilities? For example, APPA argues in the article that "while all utilities should implement appropriate safeguards for [personal information], those safeguards do not necessarily have to be at the same level to be effective." APPA also goes on to say that NIST should "avoid requirements that dictate 'how' to comply with a standard or requirement since that can stifle innovative, least-cost options." Do you agree?
We look forward to discussing this and other issues with all the players in the emerging intelligent utility. If you have thoughts you'd like to share, please contact me by e-mail at firstname.lastname@example.org or by telephone at 303-228-4762.