Building an Effective Security Program for Distributed Energy Resources and Systems. Mariana Hentea
or ambiguity in communication that undermines the successful implementation of security and privacy programs.
The assets may have vulnerabilities that may be exploited by a threat agent leading to risk that can damage the asset. The owner of the assets wants to minimize the risk and uses countermeasures (controls or safeguards). Applying the right countermeasure can eliminate the vulnerability and exposure and thus reduce the risk. One issue is that eliminating the threat agent may not be possible, but it is possible to protect the asset and prevent the threat agent from exploiting vulnerabilities within the asset's environment.
These terms and definitions of security terms continue to change and evolve with technology developments, emerging new technologies, and research trends. This work [Von Solms 2013] discusses the similarities and differences between these terms: cybersecurity, information security, and communications security. The authors argue that cybersecurity goes beyond the boundaries of traditional information security to include not only the protection of information resources but also that of other assets, including the reference to the human factor. Figure 2.12 illustrates graphically the relationships among these concepts.
Figure 2.12 Information security and cybersecurity relationship.
Source: [Von Solms 2013]. © 2013, Elsevier.
This work [Craigen 2014] is another attempt to provide a new definition for the term cybersecurity from a multidisciplinary perspective as follows:
Cybersecurity is the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace‐enabled systems from occurrences
that misalign de jure from de facto property rights.
However, the definition is missing the point that cybersecurity is a field of research, an industry, and a societal issue. There are many different theoretical and interpretational aspects that could or even should be considered when discussing cybersecurity as a concept and a term.
Appendix A includes several definitions promoted by organizations and glossaries including DOE. Although there is no universally accepted nor straightforward definition of cybersecurity and other related terms, we need to understand these definitions and views.
2.2.3 Cybersecurity Evolution
In the past, before Internet technologies became the mainstream technology, there were few risks and limited definitions for security and security expertise. Security evolved from protecting a file, an application, or a computer to protecting a larger area that comprises many computers, networks, organizations, and people.
The security field evolved from an obscure term known initially only to military and governments to include organizations of all kinds, the public, and the globe. For some time, few professionals were involved in security matters. Today organizations and governments are continuously searching for better security professionals to protect their information and their other resources. A review of the terms and definitions for cybersecurity is well documented in [Bay 2016].
Security definitions evolved from simple terms like computer security, IT security, and information security to more recent terms identified as cyber security or cybersecurity, the last term winning, although the cyber security term is still used in some publications [Franscella 2013].
As we observed earlier, security terms are differently defined in many books and guidances; therefore we use the terms security, cybersecurity, and information security in this book based on the well‐known standards. We acknowledge that there are subtleties in these definitions. NIST guidelines for the Smart Grid use the term cybersecurity (e.g. [NISTIR 7628], [NISTIR 7628r1]). However, we discuss the information security based on definitions included in standards. The ISO/IEC definition is as preservation of information attributes such as confidentiality, integrity, availability, authenticity, accountability, non‐repudiation, and reliability [ISO/IEC 27000]. Another defines security as a property of a system by which confidentiality, integrity, availability, accountability, authenticity, and reliability are achieved [ISO 15443].
We also discuss security in the context of an environment determining the setting and circumstances of all interactions and influences with the system of interest [ISO/IEC 42010]. Other issues that need to be understood and managed include the interdependence of cybersecurity and reliability of the power grid.
A cyber attack on devices that protect and control the power grid could result in power disruption or damaged equipment. Similarly, physical attacks on power equipment or cyber infrastructure may impact the information, energy system, and energy services. Security is a system condition that results from the establishment and maintenance of measures to protect the system [RFC 4949]. Therefore, the installation of security controls should avoid interfering with critical energy delivery functions.
Although safety is defined as freedom from risk that is not tolerable [ISO/IEC 51] and safety issues are being the objective of dedicated departments within an organization, we need to discuss it in the context of cybersecurity. Safety is the condition of the system operating without causing unacceptable risk of physical injury or damage to the health of people, either directly or indirectly as a result of damage to property or to the environment [IIC 2015]. For example, inappropriate security controls (e.g. electronic locks to computer facilities without capabilities to open doors or windows) may harm people (working in these facilities) that need to escape when there is a natural disaster, a power down, or a fire.
Smart Grid cybersecurity must address not only deliberate attacks, such as from disgruntled employees, industrial espionage, and terrorists, but also inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters.
2.3 Advancing Cybersecurity
Security problems for Smart Grid and DER systems require solutions and developments that go beyond all practices (e.g. focused on vulnerability management, reactive strategies, obfuscation, depth of defense, perimeter security, etc.) that proved unsuccessful in the face of new threats. Therefore, it is imperative to focus on more advanced methods and more research to find solutions to unsolved problems [Wulf 2001].
The availability and reliability of computing and information systems for business and power grid applications are dependent on the secure operations of industrial control systems (ICSs) and other infrastructures.
2.3.1 Contributing Factors to Cybersecurity Success
Recently, industry experts and researchers have participated more often in international forums and standards organizations that promote security techniques, security technologies, and standards. One need is a new security model for IT [Wang 2011]. Therefore, securing the Smart Grid and its applications requires the development of more comprehensive definitions and cybersecurity models.
As more technologies penetrate the power grid and help integrate more variable renewable sources of electricity and facilitate the greater use of electric vehicles and energy storage, there are challenges to implementing cybersecurity to ensure the safety and reliability of the Smart Grid.
Although standards and guidelines have been identified to support the implementation of minimum security measures that set a baseline for cybersecurity across the energy sector, many security challenges require solutions such as:
Advancing cybersecurity and privacy design.
Understanding interdependencies.
Open systems view.
2.3.2 Advancing Cybersecurity