The Latest Cybersecurity “Lessons Learned” from U.S. Smart Grid Rollouts
Hank Kenchington, Deputy Assistant Secretary for R&D
U.S. Department of Energy
Office of Electricity Delivery and Energy Reliability
December 1, 2011
Smart Grid Requires Seamless, SECURE Communications Across Multiple Interconnected Domains and Platforms
2009: No cybersecurity standards for distribution system or home area networks
2005: Mandated cybersecurity standards for bulk power system
[Figure: Generic Smart Grid Communications Architectures]
DOE’s Comprehensive $4.5 Billion Investment to Jumpstart Smart Grid Implementation Nationwide
Office of Electricity Delivery and Energy Reliability | $ Millions
Smart Grid Investment Grant Program (SGIG); ≤3 years | $3,400
Smart Grid Demonstrations (SGDP); 3-5 years | $615
Standards Development | $12
Transmission System Planning | $80
Support for State Electricity Regulators to Facilitate Deployments | $50
State-Level Planning to Enhance Energy Recovery and Resiliency | $55
Smart Grid Workforce Development | $100
The Big Payoff: Building the Business Case through Sound Metrics and Analysis
Correlating technology, enhanced grid function and capability, costs, and benefits
Example:
• Assets (What are Smart Grid technologies?): Capacitor controls; Distribution Management System
• Functions (What does the Smart Grid do?): Automatic Voltage and VAR Control
• Mechanisms (Impacts) (How does it do that?): Improves feeder voltage regulation to reduce line losses
• Benefits (What “goodness” results?): Reduced feeder losses worth $60 per MWh
• Monetary Value (What is the goodness worth?): $6,000
US Investment Needed for Fully Functioning Smart Grid
[Bar chart, $ Billion USD]
• SG Investment thru 2015: ~$9B
• EPRI Estimate thru 2030: $338B to $476B
• Brattle Group Estimate thru 2030: $880B
Nearly 50% of Total Smart Grid Investments Are Deployed
[Bar chart: Total Investments (Millions $) as of Nov 11, 2011, reported to date vs. estimated at completion]
• AMI and Customer System Assets: $2,332 reported to date; ~$4,500 estimated at completion
• Distribution Assets: $732 reported to date; ~$2,500 estimated at completion
• Transmission Assets: $130 reported to date; ~$1,000 estimated at completion
Deployment callouts:
• 7.4 of 15.5 million residential and commercial smart meters
• Distribution automation equipment on 1,000 out of 6,500 circuits
• 120 out of over 800 networked phasor measurement units
Source: www.smartgrid.gov
The Framework: NIST Guidelines for Smart Grid Cyber Security
• Supports the research, design, development, and implementation of cybersecurity measures for smart grid technologies by:
– Defining the smart grid architecture and high-level security requirements
– Guiding users to specific existing standards and best practices to secure smart grid architecture components
– Identifying gaps where additional standards are needed
• Does NOT prescribe particular solutions, but provides a guideline to evaluate the overall cyber risks to a smart grid system
Actionable Guidance: Cybersecurity Profiles for Smart Grid Domains thru ASAP-SG initiative
What It Is: Industry-government collaboration to accelerate security standards development for specific smart grid domains - Advanced Security Acceleration Project - Smart Grid (ASAP-SG)
How It is Used: Utilities and vendors are using Profiles for Advanced Metering Infrastructure (AMI), 3rd Party Data Access, Distribution Automation, and Wide-Area Monitoring Systems to design and secure smart grid technology implementation
Created by: DOE partnered with UCA Int’l Users Group, EPRI and utilities:
– American Electric Power
– Con Edison
– Consumers Energy
– Florida Power & Light
– Southern California Edison
– Oncor
– BC Hydro, et al
Actionable Guidance: How to Mitigate Vulnerabilities in ZigBee Smart Energy Profile (SEP) Versions 1.0 and 1.1
What It Is: The SEP provides specifications to exchange information and implement load control capabilities in Home Area Networks (HANs); this analysis reviews the security gaps and potential vulnerabilities in the specifications and provides mitigation strategies and representative system architectures
How It is Used: Utilities use the mitigations and best practices to implement the ZigBee Smart Energy Profile with cybersecurity controls
Created by: DOE working with industry experts and NIST – Cyber Security Working Group (SGIP-CSWG)
Who Is Using It: Utilities using ZigBee devices to create a HAN or to communicate from the HAN to the smart meter
Actionable Guidance: Guide to Developing a Cyber Security and Risk Mitigation Plan
What It Is: An easy-to-navigate guide, risk mitigation checklist, and step-by-step template
How It is Used: To help electric utilities assess and build an improved cybersecurity plan for their smart grid technologies
Created by: National Rural Electric Cooperative Association (NRECA) with $33.9 million in Recovery Act stimulus funds
Who Is Using It: Already in use at the 23 electric co-ops participating in the NRECA’s regional smart grid demonstration project; available to all electric utilities
[Figure: Seven Touch Points for Software Security (1)]
(1) From Gary McGraw, Software Security: Building Security In
DOE Cybersecurity Strategy for Smart Grid Investment Grants
[Diagram labeled “Utilities’ Role” and “U.S. Govt. Actions”, with these steps:]
• Develop Cybersecurity Plans for All Projects
• Provide Resource Guide and Tools
• Implement, Refine, and Manage Plans
• Develop Key Principles for Smart Grid Cybersecurity
• Share Lessons Learned/Identify Gaps at Workshop
• Improve Cybersecurity Posture
• Conduct Site Visits to Validate Plans
• Conduct Cybersecurity Webinars
• Create ARRA Smart Grid Cyber Website
Key Principles for Smart Grid Cybersecurity
• Mitigate risks at each stage of the development lifecycle
• Develop cybersecurity criteria for vendor and device selection
• Follow relevant cybersecurity standards and best practices
• Support emerging smart grid cybersecurity standards
• Maintain an organizational chain of accountability to senior management
• Apply appropriate methodology to assess cybersecurity risks
Key Principles for Smart Grid Cybersecurity (continued)
• Assess the impact on other grid control functions
• Evaluate policy, procedural and technical mitigation approaches and controls
• Use logging, monitoring, alarming, and notification
• Develop procedures to use when logical and physical security are not under the project’s jurisdiction
• Regularly update, upgrade, and patch components or systems
• Test, demonstrate, validate, and document the effectiveness of the security
• Cybersecurity plan signed by corporate officer
Site Visits: Smart Grid Cybersecurity Best Practices
• Organizational Accountability
• Situational Awareness
• Protection, Response, and Recovery
SG Cybersecurity Information Exchange: Lessons Learned
• Targeted outreach campaigns effectively reduce consumer privacy concerns
• A systems approach is best when integrating smart grid systems with legacy systems
• End user demand for specific cybersecurity specifications and engagement in security testing creates more secure products
• Partnering with other utilities, researchers, and 3rd party assessors increases the resources and knowledge for cybersecurity implementation
• Leverage examples to develop a specific, concise cybersecurity plan that extends beyond regulatory compliance to encompass the entire organization
• Change the company culture to value cybersecurity and use quantitative metrics to show the consequences of doing little or nothing
SG Cybersecurity Information Exchange: Continuing Gaps and Needs
Advanced Measurement and Control for Transmission
• Testing tools
• Systems management tools
• Common security requirements
Demand Response/End-User Interface
• Trusted, secure communications standards for devices
• Certified vendor lists with accreditation
• Online forum on the cybersecurity of smart grid programs, systems, and equipment
AMI Deployment
• Adequate budget for cybersecurity
• Independent, 3rd party evaluations of vendor products
• Increased vendor understanding of utility cybersecurity requirements
• Tool kit for AMI key management
Distributed Automation
• Staff engagement and clear priorities
• Consistent message to vendors
• Validation tools for wireless technology
• Secure development and deployment lifecycle and best practices
Path Forward
• ASAP-SG profiles continuing to be developed
• Developing vulnerability assessment and testing guidelines
• Develop tools to facilitate testing
• Develop secure architecture and equipment for wide area monitoring
• Workforce development through National Board of Information Security Examiners
• R&D to develop next-generation systems with “security built in”
Sources and Links
NERC 2009. Long-Term Reliability Assessment
http://www.nerc.com/files/2009_LTRA.pdf
Smartgrid.gov – Tracking Deployment 2011
http://www.smartgrid.gov/recovery_act/tracking_deployment
Brattle Group 2008. Transforming America’s Power Industry: The Investment Challenge 2010 – 2030
http://www.eei.org/ourissues/finance/Documents/Transforming_Americas_Power_Industry.pdf
EPRI 2011. Estimating the Costs and Benefits of the Smart Grid
http://www.smartgridinformation.info/pdf/3272_doc_1.pdf
NIST 2010. Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements
http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol1.pdf
NIST 2010. NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0
http://www.nist.gov/public_affairs/releases/upload/smartgrid_interoperability_final.pdf
Advanced Security Acceleration Project - Smart Grid (ASAP-SG)
http://www.smartgridipedia.org/index.php/ASAP-SG
NESCOR, SGIP-CSWG 2011. Smart Energy Profile (SEP) 1.x Summary and Analysis
http://collaborate.nist.gov/twiki-sggrid/pub/SmartGrid/CSCTGStandards/SEP20120x2010-31-1120fina11.doc
NRECA 2011. Guide to Developing a Cyber Security and Risk Mitigation Plan
https://groups.cooperative.com/smartgriddemo/public/CyberSecurity/Documents/CyberSecurityGuideforanElectricCooperativeV11-2.pdf
Contact Us
Hank Kenchington
Visit DOE at: www.oe.energy.gov
For more information on DOE’s smart grid efforts, visit: www.smartgrid.gov