cyber security and the smart grid george w. arnold, eng.sc.d. national institute of standards and...


Post on 17-Dec-2015


Page 1: Cyber Security and the Smart Grid George W. Arnold, Eng.Sc.D. National Institute of Standards and Technology (NIST) U.S. Department of Commerce george.arnold@nist.gov

Cyber Security and the Smart Grid

George W. Arnold, Eng.Sc.D.
National Institute of Standards and Technology (NIST)
U.S. Department of Commerce
george.arnold@nist.gov

Addressing security challenges on a global scale, Geneva, 6-7 December 2010


The Electric Grid


One of the largest, most complex infrastructures ever built

“The supreme engineering achievement of the 20th century”

- National Academy of Engineering


Electric Grid in the U.S.

• 3,200 electric utility companies
• 17,000 power plants
• 800 gigawatt peak demand
• 266,000 km of high-voltage lines
• 10 million km of distribution lines
• 140 million meters
• $1 trillion in assets
• $350 billion annual revenues


The Electric Grid Today

Markets and Operations

Generation, Transmission, Distribution, Customer Use

One-way flow of electricity

• Centralized, bulk generation, mainly coal and natural gas
• Responsible for 40% of human-caused CO2 production
• Controllable generation and predictable loads
• Limited automation and situational awareness
• Lots of customized proprietary systems
• Lack of customer-side data to manage and reduce energy use


Smart Grid Goals

• Enable customers to reduce energy use

• Increase use of renewable sources

• Improve reliability and security

• Facilitate infrastructure for electric vehicles


What Will the Smart Grid Look Like?


High use of variable renewables

Distributed generation and microgrids

Ubiquitous networked sensors

Smart meters and real time usage data

Dynamic pricing

Energy management systems

Smart appliances

Distributed storage

Bidirectional metering

Electric vehicles


Smart Grid: The “Energy Internet”

Graphics courtesy of EPRI

2-way flow of electricity and information

Standards Provide a Critical Foundation


Current Grid Environment

• Legacy SCADA systems
• Limited cyber security controls currently in place
  – Specified for specific domains – bulk power distribution, metering
• Vulnerabilities might allow an attacker to
  – Penetrate a network,
  – Gain access to control software, or
  – Alter load conditions to destabilize the grid in unpredictable ways
• Even unintentional errors could result in destabilization of the grid


Threats to the Grid

• Deliberate attacks
  – Disgruntled employees
  – Industrial espionage
  – Unfriendly states
  – Organized crime
• Inadvertent threats
  – Equipment failures
  – User/Administrator errors
• Natural phenomena
  – Weather – hurricanes, earthquakes
  – Solar activity


New Risks

• Greater complexity increases exposure to potential attackers and unintentional errors

• Linked networks introduce common vulnerabilities

• “Denial of Service”-type attacks

• Increased number of entry points and paths

• Compromise of data confidentiality or customer privacy


Ensuring Security and Privacy


Smart Grid – an Opportunity

• Modernization provides an opportunity to improve security of the Grid

• Integration of new IT and networking technologies
  – Brings new risks as well as an array of security standards, processes, and tools

• Architecture is key
  – Security must be designed in – it cannot be added on later


Cyber Security Working Group

• Building cyber security in from the start has been a paramount concern
• Permanent Working Group
  – Over 460 public and private sector participants
• August 2010 NIST publishes: Guidelines for Smart Grid Cyber Security
  – Reflects Comments on Sept 2009 and Feb 2010 Draft Smart Grid Cyber Security Strategy and Requirements
• Guideline includes:
  – Risk assessment guidance for implementers
  – Recommended security requirements
  – Privacy recommendations


Guidelines for Smart Grid Cyber Security

• NIST Interagency Report 7628 - August 2010
  – Development of the document led by NIST
  – Represents significant coordination among
    • Federal agencies
    • Private sector
    • Regulators
    • Academics
  – Document includes material that will be used in selecting and modifying security requirements


NISTIR 7628 – What it IS and IS NOT

What it IS
• A tool for organizations that are researching, designing, developing, and implementing Smart Grid technologies
• May be used as a guideline to evaluate the overall cyber risks to a Smart Grid system during the design phase and during system implementation and maintenance
• Guidance for organizations
  – Each organization must develop its own cyber security strategy (including a risk assessment methodology) for the Smart Grid.

What it IS NOT
• It does not prescribe particular solutions
• It is not mandatory


NISTIR 7628 Content

The NISTIR includes the following
• Executive Summary
• Chapter 1 – Overall cyber security strategy for the Smart Grid
• Chapter 2 – High level and logical security architecture
• Chapter 3 – High level security requirements
• Chapter 4 – Cryptography and key management


NISTIR 7628 Content (Continued)

• Chapter 5 – Privacy and the Smart Grid

• Chapter 6 – Bottom-up security analysis of the Smart Grid

• Chapter 7 – R&D themes for cyber security in the Smart Grid

• Chapter 8 – Overview of the standards review

• Chapter 9 – Key power system use cases for security requirements

• Appendices A - J


Further Information

• Web portal: http://www.nist.gov/smartgrid
• Contact:
  – George Arnold, National Coordinator
  – Email: george.arnold@nist.gov
  – Telephone: +1.301.975.2232
