Cybersecurity

Link to Chapter 5

Key Message - Cybersecurity

New technologies, changing resources, and expanding stakeholder participation carry with them a growing cybersecurity risk. To realize the benefits of an interoperable smart grid, security practices will have to evolve beyond strategies of physical isolation or other overly restrictive access regimes.

Understanding and mapping institutional cybersecurity capabilities and processes to the outcomes we seek in a smart grid will help an organization position itself to manage cybersecurity requirements at the device or interface level. The Cybersecurity Risk Profile for the Smart Grid presented in this section provides a structured approach to assessing organizational readiness for cybersecurity.

Cybersecurity protections at the device or system level need not be newly invented even as new technologies and interfaces are introduced to the system. New interface characteristics can be mapped to the existing set of logical interface categories, thereby facilitating protection through known standards and best practices likely already employed for other legacy system interfaces.

In the traditional electrical grid power flows in one direction — from centralized generation facilities, through transmission lines, and finally to the customer via distribution utilities. As electric utilities incorporate new technologies and accommodate changing customer expectations, the basic structure of the grid remains broadly consistent with the first electric systems built more than a century ago. The centralized design has historically brought efficiencies in facilities and operations, but the criticality of centralized assets has also made the grid vulnerable to both malicious actions and natural disasters.

Securing Organizations

Link to Section 5.1

The Cybersecurity Framework consists of three main components that are used to manage and reduce cybersecurity risks:

  • Cybersecurity Framework Core - Provides a catalog of desired cybersecurity activities and outcomes using common language. The Core guides organizations in managing and reducing their cybersecurity risks.
  • Framework Implementation Tiers - Provide context on how to view cybersecurity risk management, and help organizations assess the functionality and repeatability of their risk management process.
  • Framework Profiles - Used to identify and prioritize opportunities for improving cybersecurity at an organization through customization of Core outcomes.

NIST cybersecurity framework core function

The Cybersecurity Framework Core is built around five concurrent and continuous Functions used to analyze an organization’s entire risk management portfolio. When considered together, these five Functions provide a high-level, strategic view of the organization’s cybersecurity risk management approach. The five cybersecurity functions are:

  • Identify - Develop the organizational understanding to manage cybersecurity risk of its systems, assets, data, and capabilities. The activities in the Identify Function are foundational to an organization’s assessment of cybersecurity risks and allow organizations to focus and prioritize their cybersecurity efforts consistent with its risk management strategy and business needs.
  • Protect - Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The activities in the Protect Function support the ability to defend against a potential cybersecurity event and limit or contain its impact.
  • Detect - Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The activities in the Detect Function enable timely discovery of cybersecurity events.
  • Respond - Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The activities in the Respond Function support the ability to limit and contain the impact of a potential cybersecurity event.
  • Recover - Develop and implement the appropriate activities/plans to maintain resilience and restore any capabilities or services that were impaired due to a cybersecurity event. The activities in the Recover Function support timely recovery to normal operations to reduce the impact from a cybersecurity event.

NIST cybersecurity framework core categories and subcategories

The Cybersecurity Framework organizes the five cybersecurity Functions (Identify, Protect, Detect, Respond, and Recover) into subdivisions, or Categories, that can be used to group similar cybersecurity activities that support a particular Function.

  • ID - Identify
      • Asset Management
      • Business Environment
      • Governance
      • Risk Assessment
      • Risk Management Strategy
      • Supply Chain Risk Management
  • PR - Protect
      • Access Control
      • Awareness and Training
      • Data Security
      • Information Protection Processes and Procedures
      • Maintenance
      • Protective Technology
  • DE - Detect
      • Anomalies and Events
      • Security Continuous Monitoring
      • Detection Processes
  • RS - Respond
      • Response Planning
      • Communications
      • Analysis
      • Mitigation
      • Improvement
  • RC - Recover
      • Recovery Planning
      • Improvements
      • Communications

The Cybersecurity Framework provides an additional level of granularity by further dividing the 23 Categories of cybersecurity activities into 108 Subcategories, each defining a desired outcome. The Cybersecurity Framework Core is available online in an easily accessible spreadsheet format.

The MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Cybersecurity profiles

Creating a Cybersecurity Profile translates the outcomes of the Cybersecurity Framework Core into a prioritized set of actions an organization can use to better position itself against cyber threats. This process aligns the Cybersecurity Framework Functions, Categories, and Subcategories with the organization’s business requirements, risk tolerance, and resources. The prioritization of the Subcategory outcomes will vary from one organization to the next because each organization has unique requirements, including risk tolerance and budget.

Cybersecurity framework profile for the smart grid

To facilitate development of a common cybersecurity language and methodology for the power sector, NIST created a cybersecurity risk Profile for the smart grid (Smart Grid Profile) based upon the Cybersecurity Framework. In the Smart Grid Profile, the five cybersecurity functions are examined through the lens of power system owner/operators, and cybersecurity outcomes are evaluated for relevance against the following four high-level business objectives:

  • Maintain safety: Safety is an overarching concern of power system management seeking to minimize the impact to human life, equipment, and the environment from cybersecurity risks.
  • Maintain power system reliability: Reliability is the ability to deliver stable and predictable power in expected conditions or, in case of power system failure, the ability to restore normal operational service.
  • Maintain power system resilience: Resilience is the ability of power systems to withstand instability, unexpected conditions or faults, and gracefully return to predictable, but possibly degraded, performance.
  • Support grid modernization: This requirement supports integration of smart technologies with the traditional grid by managing cybersecurity risks to power systems, including integrity and timeliness of data and control commands.

Securing Information Exchange

Link to Section 5.2

Information cybersecurity is primarily associated with information exchange interactions between entities and is a critical aspect of power system operations and security. The impacts of cybersecurity breaches — whether deliberate or inadvertent — may affect both physical and cyber operations of the grid.

Known system interfaces and categories

Identifying the entities involved with information exchanges in power systems operations is the first step towards understanding cybersecurity issues for the grid. To facilitate this understanding, the 2014 NIST publication Guidelines for Smart Grid Cybersecurity included a composite diagram of grid entities that exchange information within and across each of the seven smart grid Conceptual Model domains.

Figure 1: Logical Interface Reference Model

Because many of the individual logical interfaces have similar security-related characteristics, grouping interfaces into Logical Interface Categories (LICs) with similar characteristics is a means to simplify the identification of appropriate security requirements. In that way, the hundreds of individual interfaces drawn in Figure 1 above can be grouped into 22 representative LICs, from which broadly applicable cybersecurity requirements can be derived.

New system interfaces

The modern grid will be more heavily dependent on information exchange than the legacy grid. As DERs and other innovations are used more extensively across the grid, the set of entities involved with information exchanges in power system operations will expand and new communications interfaces will evolve.

To explore the cybersecurity implications of introducing new technologies and architectures to the grid, we updated the logical interface diagram to include examples of the new equipment and information exchanges that could be expected for future High-DER grids. A representation of the new power system entities and logical interfaces for a High-DER architecture is shown in Figure 2 below, where Uxx-labeled blue interface arrows are the same as those originally shown in the logical interface diagram above and Dxx-labeled red interface arrows are newly introduced interfaces for the High-DER example.

Figure 2: Example logical interfaces in a High-DER architecture

From Figure 2 above, we understand that a modernized grid would likely have to accommodate at least three new types of communications interfaces, including:

  • New interfaces for new entities: As new entities are introduced to the grid the number of communications interfaces and pathways will increase dramatically. For example, extensive penetration of distributed resources requires introduction of a Distributed Energy Resource Management System (DERMS) into the grid operations domain (Box 25). This DERMS would likely have different data and communications requirements than legacy systems, and new communications linkages are required throughout the rest of the system.
  • New interfaces between subsystems: As the physical capabilities of grid-connected systems advance, logical interface requirements between equipment subsystems will evolve. The customer-sited DER asset, electric vehicle asset, and the utility-scale DER or cogeneration asset have been split to reflect the different logical interface requirements between asset controllers (Boxes 4a, 4c, and 6a) and the equipment (Boxes 4b, 4d, and 6b) connected to the grid physically consuming or supplying electrons.
  • New interfaces for legacy systems: As new capabilities are introduced to conventional grid assets, information will have to be exchanged with and between legacy systems. Both the utility-scale DER or cogeneration asset and the facility energy management system interface directly with the utility supervisory control and data acquisition (SCADA) system via a new logical interface (Red lines D03 and D04). Additionally, where Aggregator interfaces were constrained to energy providers and markets (Previously box 41b and blue lines U20 and Uaa??), Aggregators interact with new actors in the High-DER scenario and the logical interfaces increase accordingly (Red lines D08, D52, and D92).

Assessing security requirements of new interfaces

New or changed logical interfaces may require new cybersecurity precautions. The High-DER example identifies nearly a dozen new interfaces, and the changing characteristics of the system itself may alter the communications and cybersecurity requirements for previously established interfaces. To assess the cybersecurity requirements for the High-DER example, the new and updated interfaces were evaluated against the LICs. Each of the new interfaces for the High-DER example could be mapped to an existing LIC.

Figure 3: Logical Interface categories (LICs) for the High-DER example

Additional cybersecurity considerations

Link to Section 5.3

  • Cybersecurity requirements for the Nation’s high-voltage transmission system: Current and future standards subject to enforcement
  • The Commission does not have authority to directly impose cybersecurity obligations on entities outside FERC’s BES jurisdiction
  • The National Electric Sector Cybersecurity Organization Resource, led by the Electric Power Research Institute (EPRI) with funding from DOE, has defined a set of cybersecurity failure scenarios that span each of the NIST Smart Grid Conceptual Model domains and is a useful complement to requirements and standards-driven cybersecurity processes.
  • The Cybersecurity Framework and NISTIR 7628 have been recognized as useful tools for characterizing and reducing cybersecurity risk, but no single document or organization can provide a comprehensive understanding of the cybersecurity risks and best practices that must be addressed throughout the power system.
  • NIST and collaborators have developed numerous analyses to help clarify and map the alignment between these and other cybersecurity guidance documents and standards. Of particular interest has been alignment between the Cybersecurity Framework and NERC CIP, and mappings between the two have been published for two versions of the CIP standards.
  • Effective cybersecurity guidance must be regularly updated, and both the NIST Cybersecurity Framework and the NERC CIP standards have been updated since the initial mapping effort in 2014. NIST and NERC have collaborated on an updated mapping of the Cybersecurity Framework v1.1 to the latest CIP standards. This mapping will soon be posted to a NERC website (and linked to from a NIST website) and published in a forthcoming NIST report. NIST has also completed a mapping of the Cybersecurity Framework v1.1 to the EPRI failure scenarios for advanced metering infrastructure, distributed energy resources, and distribution grid management, which will be published in the same NIST report.

Conclusions and Future Work

Link to Section 5.4

The smart grid brings new information technology capabilities to electric infrastructure, and as this occurs the number of communications interfaces will grow substantially. No single mitigation method can guarantee security and organizations will be best served by taking complementary approaches to assess and manage risk at multiple levels within the system.

Even as the number of communication interfaces grows, the fundamental cybersecurity requirements for each interface - and the attendant obligations on their managing organizations - are likely to be consistent with known requirements. This Framework describes two complementary approaches to risk management, one at the organizational level and the other at the device interface level.

Creation of a Cybersecurity Risk Profile for the Smart Grid (see Section Cybersecurity framework profile for the smart grid) provides a structured methodology and common reference language for evaluating organizational cybersecurity posture while facilitating communication across organizational boundaries and smart grid domains. The description of grid-specific subcategory considerations allows utilities or other grid organizations to assess their own security posture and prioritize cybersecurity outcomes that best match their organizational need.

But complex infrastructures with multiple actors like the power system are difficult to fully characterize in a single Cybersecurity Profile. Utilities and other grid stakeholders may therefore choose to create multiple profiles to characterize cybersecurity outcomes for specific interactions, functions, or other organizing principles within the system. Multiple profiles can also be developed to examine differences between present and desired cybersecurity states, where the identified gaps can provide a foundation for an organization’s cybersecurity roadmap.

Examining the emerging set of logical interfaces as new technologies take root in the power system (see Section New system interfaces) provides some confidence that the basic cybersecurity requirements described by existing LICs will be relevant for new interfaces as well. However, it is similarly likely that cybersecurity response guidance may require updating to capture emerging functionality and system criticality of these technologies (see Section Assessing security requirements of new interfaces). Mapping new interfaces to existing LICs should therefore facilitate the effective application of category-driven protection schemes to the evolving grid, and also identify gaps in this approach where updated cybersecurity guidelines and/or protection schemes would be useful.

Interoperability in the system will only be achieved if openly available standards are used across many utilities and vendors. The use of open standards to achieve interoperability also means significant numbers of devices and systems will likely be more visible and potentially accessible to malicious actors than in the past. Interoperability requirements and standards must therefore include security requirements, including data protection and attack detection, and an ability to respond to the threat and recover from disruption.