Building an Effective Security Program for Distributed Energy Resources and Systems. Mariana Hentea
generation, and storage.
Once there is, in the judgment of the FERC, sufficient consensus concerning the standards developed under NIST’s oversight, FERC is directed to adopt such standards and protocols as may be necessary to ensure Smart Grid functionality and interoperability in interstate transmission of electric power and regional and wholesale electricity markets [EISA 2007]. The law delegates to the FERC the responsibility of defining what sufficient consensus and adopts means in the context of the standards.
Recognizing the needs of the energy sector, FERC identified four functional priorities for the development of key interoperability standards for the following areas:
Demand and response.
Wide area situational awareness.
Energy storage.
Electric transportation.
Also, FERC identifies two crosscutting priorities, system security (cybersecurity and physical security) and intersystem communication, a common semantic framework (e.g. agreement as to meaning and software models) for enabling effective communication and coordination across inter‐system interfaces.
On 22 November 2013, FERC approved Version 5 of the critical infrastructure protection standards (CIP Version 5), which represents significant progress in mitigating cyber risks to the bulk power system. In 2014, NERC initiated a program to help industry transition directly from the currently enforceable CIP Version 3 standards to CIP Version 5. The goal of the transition program is to improve industry’s understanding of the technical security requirements for CIP Version 5, as well as the expectations for compliance and enforcement.
While NERC‐CIP Version 5 of standards was released on 22 November 2013, organizations must transition all high‐ and medium‐impact BES to NERC‐CIP v5 on 1 April 2016. Low‐impact BES systems can wait until 1 April 2017. However, there is no clear cybersecurity strategy as many CIP standards were made inactive and many standards are pending enforcement. It is recommended to visit [NERC CIP] portal for the most current standards and recent activities.
1.8.3.2 How to Use Standards
One of the predominant topics of the emerging Smart Grid is standardization [Uslar 2013]. Education on how to use standards is rarely the focus of curricula in colleges and universities. Guidelines and books may be useful in getting help for using the standards. A comprehensive introduction to Smart Grid standards and their applications for developers, consumers, and service providers is provided in [Sato 2015]. The authors consider the need for standards interoperability and integration in the Smart Grid. The authors claim a methodology for understanding and identification of the fundamental standards needed by developers for DER, electric storage, and E‐mobility/plug‐in vehicles. However, many standards may not be applicable forever, but they could become obsolete in a short period of time or could change continuously, or new standards could emerge. Therefore, the methodology to select a new standard is needed.
An introductory textbook for people trying to get firsthand and condensed knowledge on Smart Grid standardization with a focus on ICT as well as to have a reference textbook dealing with the various standards to be applied in Smart Grids is a motivation for the authors of this book [Uslar 2013].
Other criteria may be useful too. For example, it is better to use a mature standard. A mature standard is a standard that has been in use for sufficient time that most of its initial faults and inherent problems have been identified and removed or reduced by further development [NIST SP1108r3].
1.8.4 Cybersecurity Standards
Cybersecurity standards enable organizations to practice safe security techniques and to reduce the number of successful cybersecurity attacks. In general, the standards provide outlines as well as specific techniques for implementing cybersecurity functions. Appendix J includes a list of most common acronyms used in the book.
Cybersecurity guidance is provided by national and international organizations. Standards are continuously developed and revised by different organizations, forums, and associations that are:
International – e.g. IEC, ISA, ISO, ITU, IETF, IEEE.
Consortium – e.g. SAE, OGC, ZigBee Alliance, HomePlug Alliance, Wi‐Fi Alliance, HomeGrid Forum, OASIS, ISF.
Regional and National – e.g. NIST, ANSI, NEMA, ASHRAE, NAISB.
DOE is working with NIST to enable manufacturers of products to use current cybersecurity guidance. In 2012, the DOE published a guideline for risk management process [DOE 2012]. In the United States, NIST published standards that are mandatory for federal agencies as well as special publications that provide guidance for information system security for private industries. Examples of alliances include:
ZigBee.
Wi‐Fi.
HomePlug.
Powerline.
Z‐Wave.
Current activities in ICS security are supported by many standards, programs, organizations, forum, and associations such as:
American Gas Association (AGA) Standard 12, Cryptographic Protection of SCADA
Communications.
American Petroleum Institute (API) Standard 1164, Pipeline SCADA Security.
Center for Control System Security at Sandia National Laboratories (SNL).
Chemical Sector Cyber Security Program.
Chemical Industry Data Exchange (CIDX).
DHS Control Systems Security Program (CSSP).
DHS CSSP Recommended Practices.
DHS Process Control Systems Forum (PCSF).
Electric Power Research Institute (EPRI).
Institute of Electrical and Electronics Engineers (IEEE).
Institute for Information Infrastructure Protection (I3P).
International Electrotechnical Commission (IEC) Technical Committees 65 and 57.
ISA99 Industrial Automation and Control Systems Security Standards.
ISA100 Wireless Systems for Automation.
International Council on Large Electric Systems (CIGRE).
LOGI2C – Linking the Oil and Gas Industry to Improve Cyber Security.
National SCADA Test Bed (NSTB).
NIST 800 Series Security Guidelines.
NIST Industrial Control System Security Project.
NIST Industrial Control Security Testbed.
North American Electric Reliability Council (NERC).
SCADA and Control Systems Procurement Project.
US‐CERT Control Systems Security Center (CSSC).
2 Advancing Security
2.1 Emerging Technologies
While the term security (or cybersecurity) is broadly defined and understood, there is a trend about the multidisciplinary aspects of the concept and more specifically about the need to advance technical security. While the technical view about is unilateral, we consider that advancing security for Smart Grid is also needed because of the emerging technologies. Although the world of emerging technologies in Smart Grid is almost incomprehensible,