Security, Part III: cyber security demands end-to-end thinking
EPRI expert offers guidance on issues, how to proceed
In the past two columns, Annabelle Lee, a technical executive for cyber security at the Electric Power Research Institute (EPRI) and formerly a senior cyber security strategist at the National Institute of Standards and Technology (NIST), has discussed several cyber security issues. Today, we'll tie off the series with a few observations about how to prioritize efforts at your utility. (Here's "Security, Part I," and "Security, Part II.")
In the initial column of the series, Lee pointed out that effective security includes components such as physical security, personnel and administrative security, operations security, communications security, and computer security. She also pointed out the efficacy of thinking in terms of system-wide, end-to-end measures.
"When we interconnect these systems, if there's an entry point that's not protected, that's a great way to access a critical system," Lee told me.
"That means that we need to look at the security of all systems," she said. "That doesn't mean you spend millions and millions. The priorities should be set based on an impact level. I like NIST's low-moderate-high approach to impact assessment where one can take a qualitative approach. In contrast, using a quantitative approach, I've observed people argue whether we're at 6.1 or 6.2 and I don't understand the difference between 6 and 7, let alone 6.1 and 6.2."
But, you may be asking, how does one begin taking actual steps?
Don't reinvent the wheel, Lee suggested.
"Begin with your existing risk management framework and an overall security strategy," she said. "Take that as the starting point and begin tailoring that for control systems. Does your risk management framework make sense? Does your security strategy make sense? Then put together a risk assessment. (NIST has a document that explains this process; see "NIST Special Publication (SP) 800-30.") Inventory your assets. Weigh the risk of a compromise of confidentiality, integrity and availability. Determine which of those need to be addressed first."
Once a utility has determined its high-priority risks, it can review and apply the "requirements" in the NISTIR 7628, "Guidelines for Smart Grid Cyber Security."
"Requirements" offer guidance to effectively address certain vulnerabilities on a system-wide basis, Lee explained. The individual utility assesses its risks and prioritizes them. To mitigate those risks, the utility selects the applicable requirements from the NISTIR 7628 and tailors them to the specific system, in order to effectively address the risk.
"When examining the 'requirements,' assess the 'requirements' for a system," Lee said. "That's important, because risk from a system perspective may have certain requirements that need to be implemented in some components and not in others. If one implements every requirement in every component in a system, it won't function; performance will drop. For instance, if a firewall is required, it is typically installed at the boundary, not between every single device. Intrusion detection is also typically installed at the boundary, which is why risk must be assessed from a system perspective."
Returning to the theme that required standards may be inflexible and, therefore, less effective than guidelines, Lee said:
"Standardization is important to ensure interoperability. But each utility must decide how it's going to address cyber security. In part, the approach depends on a utility's system architecture, the types of protocols that are being used, and the communications medium they use. The answers are specific to the technologies you're using."
Finally, Lee touched on the privacy issue regarding customer data.
"Utilities have had to deal with privacy for decades," she said. "They have customer information. The difference, moving forward with smart meters, is the granularity and frequency of the information being collected. What will utilities do with that data? Third-party organizations want to get involved, particularly from an energy management perspective. How is information shared with those vendors? Who will be responsible for the integrity of that information? Most states have privacy-breach laws. How are those addressed by a utility? Ownership of energy use data depends on the state. It is a vexing issue that at some point will have to be dealt with," Lee concluded.
Cyber security will be on the agenda this fall at Energy Central's Knowledge2011 conference in Amelia Island, Florida, Nov. 7-9.
Readers may be interested in more of our cyber security coverage:
"Stuxnet's Lessons Learned"
"CIP: Creating a 'Culture of Compliance'?"
"How to Think About Cyber Security"
Intelligent Utility Daily