Building an Effective Security Program for Distributed Energy Resources and Systems. Mariana Hentea
and privacy risks of Smart Grid and DERs as well as approaches for defining and maintaining a security and privacy program. For example, Law students can use the material from the book to understand the cybersecurity issues for critical infrastructure problems. Also, they can learn about the current regulations, the power and consumers' needs for new regulations in the future.
Research and academia communities could use the book to have a broader view of the cybersecurity problems for Smart Grid, critical infrastructure and energy sector.
Acknowledgments
Although I am the sole author of this book, the content is the product of my work experience and learning from discussions with colleagues and friends about various topics and projects at work, interactions with researchers at conferences and workshops, meetings and presentations provided by professional societies, my published research works, presentations and talks at conferences, teaching courses in the university, leading research projects with students, meetings with IEEE members, etc.
Besides these, I have been inspired by Dr. Martha Evens' strength and dedication to seek new work and educate others. Dr. Martha Evens encouraged me to pursue a doctoral degree in Artificial Intelligence, after I accomplished an MS in computer science at Illinois Institute of Technology, Chicago, IL, USA. Still after several decades, Dr. Evens (now emeritus professor) provided advice on how to manage the writing of this book. She always encouraged me to pursue my own research interests.
The chosen topic – cybersecurity for the Smart Grid and distributed energy resources – is the result of my own decision, after I learned about threats to power grid and the need for providing more information on security matters to engineers.
I thank Dr. Simone Taylor for reading my book proposal and offering the opportunity to publish this book. My thanks also go to reviewers, Antony Sami, Brett Kurzman, Kari Capone, Sarah Lemore, and the team of editors and managers from Wiley. Their support and advice in completing the writing task are very much appreciated.
Mariana Hentea 28 November 2019
1 Security
1.1 Introduction
Over a short period of time, people and businesses have come to depend greatly upon computer technology and automation in many different aspects of their lives. Computers are involved in managing and operating public utilities, banking, e‐commerce and other financial institutions, medical equipment and healthcare services, government offices, military defense systems, and almost every possible business and day‐to‐day activities of the people. This level of dependence and the extent of Internet technology integration made security necessary discipline as stated by the Organisation for Economic Cooperation and Development (OECD) in [OECD 2006]:
Security must become an integral part of the daily routine of individuals, businesses and governments in their use of Internet Communication Technologies (ICTs) and conduct of online activities.
Security is the condition of being protected against danger and loss. In general usage, security is similar to safety. Security means that something is not only secure but also it has been secured.
There are various definitions of security provided by different dictionaries (e.g. security is freedom from danger; safety) (see more definitions in Appendix A), but all of them basically agree on some components, and they miss this point: they do not translate readily into information technology (IT) terms. In the IT sector, there is an acceptance that there is no pure risk‐free state, whatever it is done (or not done), but it carries a risk.
Therefore, the definitions should not be considered as absolute descriptions of the word security in the real world because they individually describe a practically impossible goal. In order to describe security in a more realistic way, by combining the definitions provided by two dictionaries, new definitions are suggested (e.g. [Fragkos 2005]).
Thus, the definition of security is understood as the capability of a system to protect its resources and to perform to its design goals. However, definitions may differ among users, standards organizations, and industries. Also, several concepts and definitions for security and many related terms have evolved in time to reflect emerging trends. Some other terms are used such as information security and cybersecurity. In a computing context, the term security implies cybersecurity [TechTarget]. Information security was first brought to the public’s attention by the release of the first guidelines to protect the security of information systems in 1992 [OECD 1992].
Ten years later, the OECD reviewed the guidelines to take into account the generalized adoption of Internet technologies, which enabled the openness and interconnection of formerly closed and isolated information systems. The need to develop a culture of security and greater awareness was initiated in 2002 by OECD [OECD 2002] for OECD members and nonmembers alike; it was adopted by United Nations in 2002 [UN 2002]. The OECD document [OECD 2002] emphasizes the need to take into account the emergence of the open Internet and the generalization of interconnectivity. These guidelines apply to all participants in the new information society.
Security is, therefore, currently a widespread and growing concern that covers all areas of society: business, domestic, financial, government, and so on. Often security has different meanings to different people. There are several definitions and terms that sometimes make the security an ambiguous field. For example, in the energy sector, energy security refers to the uninterrupted availability of energy sources at an affordable price [IEA 2016]. To a power engineer, security means that power flows between utilities are open. Another view of security is a three‐legged stool consisting of physical security, information technology (IT) security, and industrial control systems (ICS) security [Weiss 2010].
Security has a wide base and addresses specific issues regarding computers, networks, communication devices, data, information, people, organizations, and governments. Users must have confidence that information systems operate as intended without unanticipated failures or problems. Also, users must have confidence that information is handled timely, accurately, confidentially, and reliably.
Following this document [OECD 2002], OECD published more technical guidelines and recommendations for the implementation and management of security [OECD 2003], [USCIB 2004], [OECD 2005], [OECD 2008] including privacy [OECD 2016]. Revisions of the guidelines are reported in [OECD 2012a], [OECD 2012c].
On 17 September 2015 the OECD Council adopted the Recommendation on Digital Security Risk Management [OECD 2015], which replaces the 2002 guidelines. The [OECD 2015] document provides guidance for a new generation of national strategies on the management of digital security risk aimed to optimize the economic and social benefits expected from digital openness. The recommendation calls on governments, public, and private organizations to adopt an approach to digital security risk management that builds trust and takes advantage of the open digital environment for economic and social prosperity. As described in this document, digital security implies that security is approached from at least four different perspectives, each stemming from a different culture and background, recognized practices, and objectives:
Technology that is focusing on the functioning of the digital environment (often called information security, computer security, or network security by experts).
Law enforcement and, more generally, legal aspects (e.g. cybercrime).
National and international security, including aspects such as the role of information and communication technologies (ICTs) with respect to intelligence, conflict prevention, warfare, etc.
Economic and social prosperity, encompassing wealth creation, innovation, growth, competitiveness, and employment across all