The second draft of the Smart Grid Cyber Security Strategy and Requirements released last week provides more detail about the Herculean task of securing the nation's modernized electrical infrastructure.
The draft looks at anything that could threaten the Smart Grid from terrorists to simple but potentially disastrous errors.
In a sense, this draft and its parent document, the Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0 are to our electricity grid what Health Insurance Portability and Accountability Act of 1996 (HIPAA) was to electronic health records and patient privacy. It sets the foundation for the secure application of IT, open standards, wireless communications and the Internet to a critical national infrastructure.
However, when HIPAA was formulated in 1996 and implemented in the three stages more than 5-7 years ago, cybersecurity was just beginning to show up as a serious multi-level threat. Given constant attacks for several years now on global banking systems and the December appointment of cybersecurity czar Howard Schmidt, the topic is top of mind for utility planners as they spend billions in government grants and their own money to build out the Smart Grid.
If you're wondering how difficult and complex securing the Smart Grid is, consider this: the first draft at 236 pages and released last September was described by grid security analyst Jack Danahy as "a dense, but readable tome." Well, the second draft has expanded to 300 pages as comments from stakeholders are incorporated. Did you think it would get smaller?
To understand the essence of the second draft, it might be helpful to briefly review the first draft. Danahy did a nice job of summarizing it:
"The draft document categorizes 15 areas of likely risk; their impacts on confidentiality, integrity, and availability; and their levels (high, medium, and low)," Danahy wrote in his blog last September.
The second draft gets down to the technical nitty gritty and will morph into a final report by early summer following 60 days of open comment from stakeholders. The draft identifies 120 software interfaces that include but apply to far more than just the most visible smart grid component: smart meters that supply data electricity consumption for managing fixtures and appliances.
These interfaces include everything from mobile crews taping into the grid diagnostics with laptops to customer information system specialists examining meter data. All are points of vulnerability and control "electric transportation, electric storage, advanced metering infrastructure, distribution grid management, energy management in homes and businesses, and grid management," according to the National Institute of Standards and Technology (NIST) Cyber Security Working Group (CSWG) which is overseeing the drafting process.
NIST is also driving the creation of the overall Smart Grid interoperability framework.
The first chapter of the second draft summarizes the threats as defined by the 350 utilities, vendors, academics, regulators and other stakeholders in the CSWG.
"Cyber security must address not only deliberate attacks, such as from disgruntled employees, industrial espionage, and terrorists, but also inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters. Vulnerabilities might allow an attacker to penetrate a network, gain access to control software, and alter load conditions to destabilize the grid in unpredictable ways," the draft says.
The stakes are huge. While no one would disagree that the grid needs to take advantage of the vast leaps in communication technology and become much more efficient, a sizable meltdown could cripple the economy and threaten public safety.
At the federal level, NIST, which is part of the Dept. of Commerce, is working with the Dept. of Energy and the Federal Energy Regulation Commission to drive the creation of the interoperability standards, cybersecurity and reliability safeguards.
Follow me on Twitter.