Nist Security 2nd Draft
February 2010
DRAFT NISTIR 7628
U.S. Department of Commerce
Gary Locke, Secretary
Another group has also been instrumental in the development of a previous version of this
document. The Advanced Security Acceleration Project – Smart Grid (ASAP-SG) developed the
security profile for Advanced Metering Infrastructure (AMI) for the SGIP-CSWG and the
UtiliSec Working Group (UCAIug). Many of the members of the ASAP-SG also participate in
the SGIP-CSWG.
Table of Contents
EXECUTIVE SUMMARY ... 1
CHAPTER ONE CYBER SECURITY STRATEGY ... 8
1.1 Cyber Security and the Electric Sector ... 9
1.2 Scope and Definitions ... 9
1.3 Document Overview ... 10
1.4 Smart Grid Cyber Security Strategy ... 12
1.5 Time Line ... 18
CHAPTER TWO LOGICAL ARCHITECTURE AND INTERFACES OF THE SMART GRID ... 19
2.1 Advanced Metering Infrastructure (AMI) ... 28
2.2 Distribution Grid Management (DGM) ... 32
2.3 Electric Storage (ES) ... 36
2.4 Electric Transportation (ET) ... 40
2.5 Home Area Network/Business Area Network (HAN/BAN) ... 44
2.6 Wide Area Situational Awareness (WASA) ... 48
CHAPTER THREE HIGH LEVEL SECURITY REQUIREMENTS ... 53
3.1 Cyber Security Objectives ... 53
3.2 Logical Interface Categories ... 54
3.3 Confidentiality, Integrity, and Availability (C, I, and A) Impact Levels ... 76
3.4 Impact Levels for the Categories ... 77
3.5 Recommended Security Requirements ... 80
3.6 Technical Requirements Allocated to Logical Interface Categories ... 93
3.7 Additional Considerations ... 96
3.8 Areas to be Covered in the Next Draft of this Document ... 98
CHAPTER FOUR PRIVACY AND THE SMART GRID ... 100
4.1 High-Level Smart Grid Consumer-to-Utility Privacy Impact Assessment (PIA) Report ... 103
4.2 Personal Information in the Smart Grid ... 110
4.3 Privacy Concerns ... 111
4.4 Some New Privacy Considerations for the Smart Grid ... 114
4.5 Smart Grid Privacy Summary ... 115
CHAPTER FIVE STANDARDS REVIEW ... 116
5.1 Standards Document Characteristics ... 117
CHAPTER SIX RESEARCH AND DEVELOPMENT THEMES FOR CYBER SECURITY IN THE SMART GRID ... 142
6.1 Introduction ... 142
6.2 Device Level Topics ... 143
6.3 Novel Mechanisms ... 144
6.4 Systems Level Topics (Security and Survivability Architecture of the Smart Grid) ... 145
6.5 Networking Topics ... 148
6.6 Other Security Issues in the Smart Grid Context ... 149
APPENDIX A KEY POWER SYSTEM USE CASES FOR SECURITY REQUIREMENTS ... A-1
APPENDIX B CROSSWALK OF CYBER SECURITY DOCUMENTS ... B-1
APPENDIX C VULNERABILITY CLASSES ... C-1
C.1 Introduction ... C-1
C.2 People, Policy & Procedure ... C-1
C.3 Platform Software/Firmware Vulnerabilities ... C-5
C.4 Platform Vulnerabilities ... C-20
C.5 Network ... C-23
APPENDIX D BOTTOM-UP SECURITY ANALYSIS OF THE SMART GRID ... D-1
D.1 Scope of This Effort ... D-1
D.2 Device Class Definitions ... D-1
D.3 Evident and Specific Cyber Security Problems ... D-2
D.4 Non-Specific Cyber Security Issues ... D-12
D.5 Design Considerations ... D-24
APPENDIX E STATE LAWS – SMART GRID AND ELECTRICITY DELIVERY REGULATIONS ... E-1
APPENDIX F GLOSSARY AND ACRONYMS ... F-1
APPENDIX G SGIP-CSWG MEMBERSHIP ... G-1
Second Draft NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements – Feb 2010
EXECUTIVE SUMMARY
Smart Grid technologies will introduce millions of new intelligent components to the electric
grid that communicate in much more advanced ways (two-way, with open protocols) than in
the past. Because of this, two areas that are critically important to get correct are Cyber Security
and Privacy. The Cyber Security Strategy and Requirements began with the establishment of a
Cyber Security Coordination Task Group (CSCTG) led by the National Institute of Standards
and Technology (NIST) that now contains more than 350 participants from the private sector
(including vendors and service providers), academia, regulatory organizations, and federal
agencies. This group has been renamed under the Smart Grid Interoperability Panel (SGIP) to
Cyber Security Working Group (SGIP–CSWG). Cyber security is being addressed using a
thorough process that will result in a comprehensive set of cyber security requirements. As
explained more fully in the first chapter, these requirements are being developed using a high-
level risk assessment process that is defined in the cyber security strategy for the Smart Grid.
Cyber security requirements are implicitly recognized as critical in all of the priority action plans
discussed in the NIST Framework and Roadmap for Smart Grid Interoperability Standards,
Release 1.0 (NIST Special Publication 1108),[1] a document that was published in January 2010.
[1] Available at http://www.nist.gov/public_affairs/releases/smartgrid_interoperability_final.pdf
as input to their risk assessment processes. The information serves as baseline guidance to the
various organizations for assessing risk and selecting appropriate security requirements. In
addition, each organization should develop its own cyber security strategy for the Smart Grid.
Figure 1.1 illustrates the tasks defined for the Smart Grid cyber security strategy. The tasks are
defined after the figure.
[Figure 1.1: Tasks in the Smart Grid cyber security strategy. The figure shows: 1. Use Case Analysis (top-down analysis, inter-component/domain); 2. Risk Assessment (vulnerabilities, threats, impacts; bottom-up analysis of vulnerability classes; privacy assessment); 3. High Level Security Requirements; 4a. Security Architecture; 4b. Smart Grid Standards Assessment, against existing standards (CIP, IEEE, IEC, etc.); 5. Conformity Assessment.]
The risk assessment, including identifying vulnerabilities, impacts, and threats, has been
undertaken from a high-level overall functional perspective. The output will be the basis for the
selection of security requirements and the identification of security requirements gaps.
Vulnerability classes: the initial draft list of vulnerability classes[3] was developed using
information from several existing documents and Web sites, e.g., NIST SP 800-82 and the Open
Web Application Security Project (OWASP) vulnerabilities list. These vulnerability classes will
ensure that the security controls address the identified vulnerabilities. The vulnerability classes
may also be used by Smart Grid implementers, e.g., vendors and utilities, in assessing their
systems.
Overall Analysis: both top-down and bottom-up approaches were used in implementing the risk
assessment as specified earlier. The top-down approach focuses on the use cases and the overall
Smart Grid functionality.
Bottom-up analysis: the bottom-up approach focuses on well-understood problems that
need to be addressed, such as authenticating and authorizing users to substation
intelligent electronic devices (IEDs), key management for meters, and intrusion detection
for power equipment. Also, interdependencies among Smart Grid domains/systems were
considered when evaluating the impacts of a cyber or physical security incident. An
incident in one infrastructure can cascade to failures in other domains/systems. The
bottom-up analysis is included in Appendix D of this document.
Top-down analysis: in the top-down approach, logical interface diagrams were
developed for the six functional priority areas that were the focus of the initial draft of
NISTIR 7628—Electric Transportation, Electric Storage, Wide Area Situational
Awareness, Demand Response, Advanced Metering Infrastructure, and Distribution Grid
Management. In this draft, a functional architecture for the overall Smart Grid is
included, with logical interfaces identified for the additional grid areas (this will be used
in the development of the security architecture). Because there are hundreds of
interfaces, each logical interface is allocated to one of eighteen logical interface
categories. Some examples of the logical interface categories are: control systems with
high data accuracy and high availability, as well as media and computer constraints; B2B
(Business to Business) connections; interfaces between sensor networks and control
systems; and interface to the customer site. A set of attributes, e.g., immature or
proprietary protocols, insecure locations, integrity requirements, was defined, and the
attributes allocated to the interface categories, as appropriate. This logical interface
category/attributes matrix is used in assessing the impact of a security compromise on
confidentiality, integrity, and availability. The level of impact is denoted as low,
moderate, or high.[4] This assessment is performed for each logical interface category.
The output from this process is used in the selection of security requirements (Task 3).
As with any assessment, a realistic analysis of the threats is critical to the overall outcome. The
Smart Grid is no different. It is recommended that all organizations take a realistic view of the
[3] A vulnerability is a weakness in an information system, system security procedures, internal controls, or
implementation that could be exploited or triggered by a threat source. A vulnerability class is a grouping of
common vulnerabilities.
[4] The definitions of low, moderate, and high impact are found in FIPS 199.
threats, and work with national authorities as needed to glean the required information, which, it
is anticipated, no single utility or other Smart Grid participant would be able to assess on its
own. Potential threats range from script-kiddies to disgruntled current or former employees, to
nation-state adversaries. A realistic assessment of these threats, and the applicability to
subsequent risk-mitigation strategies, is critical to the overall security of the Smart Grid.
common requirements will be listed in a separate table, rather than being assigned to each logical
interface category. As noted above, these requirements lists are provided as guidance, and are not
mandatory. Each organization will need to perform a risk assessment to determine the
applicability of the recommended requirements.
In addition, organizations may find it necessary to identify compensating security requirements.
A compensating security requirement is implemented by an organization in lieu of a
recommended security requirement to provide an equivalent or comparable level of protection
for the information/control system and the information processed, stored, or transmitted by that
system. More than one compensating requirement may be required to provide the equivalent or
comparable protection for a particular security requirement. For example, an organization with
significant staff limitations may compensate for the recommended separation of duty security
requirement by strengthening the audit, accountability, and personnel security requirements
within the information/control system.
Finally, for decades, power system operations have been managing the reliability of the power
grid in which power availability has been a major requirement, with information integrity as a
secondary but increasingly critical requirement. Confidentiality of customer information is also
important in the normal revenue billing processes. Although focused on accidental/inadvertent
security problems, such as equipment failures, employee errors, and natural disasters, existing
power system management technologies can be used and expanded to provide additional security
measures.
Privacy Impact Assessment: because the evolving Smart Grid presents potential privacy risks, a
privacy impact assessment was performed. Several general privacy principles were used to
assess the Smart Grid and findings and recommendations were developed. The results will be
used in the identification and tailoring of security requirements.
In Task 4b, standards that have been identified as relevant to the Smart Grid by the Priority
Action Plan (PAP) teams and the SGIP will be assessed to determine if the security requirements
are addressed. In this process, security requirement gaps will be identified and recommendations
will be made for addressing the gaps. Also, conflicting standards and standards with security
requirements not consistent with the security requirements included in NISTIR 7628 will be
identified with recommendations.
Bottom-up Assessment
The Bottom-up Security Analysis sub-group added additional Evident and Specific Cyber
Security problems, additional Non-Specific Cyber Security Issues, a new section Design
Considerations, and moved and revised some subsections previously in "Non-Specific Cyber
Security Issues" to the new "Design Considerations" section. These design considerations
discuss important cyber security issues that arise in the design, deployment, and use of smart grid
systems, and should be considered by system designers, implementers, purchasers, integrators,
and users of smart grid technologies.
Privacy
The focus of the Privacy sub-group has been on what data may be collected or created that can
reveal information about individuals or activities within specific premises (both residential and
commercial), how these different types of information may be exploited, and policies and
practices to identify and mitigate risks. The group conducted a privacy impact assessment (PIA)
for the consumer-to-utility portion of the Smart Grid. In the months following the PIA, the
group additionally considered the privacy impacts and risks throughout the entire Smart Grid
structure, and also began to conduct an overview of the laws, regulations and standards relevant
to the privacy of energy consumption data.
Standards
The Standards sub-group is a new sub-group that added Chapter 5, titled Standards
Review. This chapter includes a tabularized view of standards and characteristics that apply to
Cyber Security for the Smart Grid. The DHS catalogue was used as an initial source to develop
these tables. Currently this chapter presents: an overview of each of the standards currently
under review, identification of the security families that are addressed by each standard,
identification of the applicable OSI layers addressed by each standard, and a list of
notes/comments pertaining to each standard. Additional standards, as found to apply, will be
included and reviewed in future versions of this document.
CHAPTER ONE
CYBER SECURITY STRATEGY
With the implementation of the Smart Grid, the information technology (IT) and
telecommunications infrastructures have become more important to ensure the reliability and
security of the electric sector. Therefore, the security of systems and information in the IT and
telecommunications infrastructures must also be addressed by an increasingly diverse electric
sector. Security must be included at the design phase to ensure adequate protection.
Cyber security must address not only deliberate attacks, such as from disgruntled employees,
industrial espionage, and terrorists, but also inadvertent compromises of the information
infrastructure due to user errors, equipment failures, and natural disasters. Vulnerabilities might
allow an attacker to penetrate a network, gain access to control software, and alter load
conditions to destabilize the grid in unpredictable ways. The need to address potential
vulnerabilities has been acknowledged across the federal government, including the National
Institute of Standards and Technology (NIST),[5] the Department of Homeland Security (DHS),[6]
the Department of Energy (DOE),[7] and the Federal Energy Regulatory Commission (FERC).[8]
Additional risks to the grid include:
• Increasing the complexity of the grid could introduce vulnerabilities and increase
exposure to potential attackers and unintentional errors;
• Interconnected networks can introduce common vulnerabilities;
• Increasing vulnerabilities to communication disruptions and introduction of malicious
software could result in denial of service or compromise the integrity of software and
systems;
• Increased number of entry points and paths for potential adversaries to exploit; and
• Potential for compromise of data confidentiality, including the breach of customer
privacy.
With the ongoing transition to the Smart Grid, the IT and telecommunication sectors will be
more directly involved. These sectors have existing cyber security standards to address
vulnerabilities and assessment programs to identify known vulnerabilities in their systems. These
same vulnerabilities need to be assessed in the context of the Smart Grid infrastructure. In
[5] Testimony of Cita M. Furlani, Director, Information Technology Laboratory, NIST, before the United States
House of Representatives Homeland Security Subcommittee on Emerging Threats, Cyber security, and Science
and Technology, March 24, 2009.
[6] Statement for the Record, Sean P. McGurk, Director, Control Systems Security Program, National Cyber Security
Division, National Protection and Programs Directorate, Department of Homeland Security, before the U.S. House
of Representatives Homeland Security Subcommittee on Emerging Threats, Cyber security, and Science and
Technology, March 24, 2009.
[7] U.S. Department of Energy, Office of Electricity Delivery and Energy Reliability, Smart Grid Investment Grant
Program, Funding Opportunity: DE-FOA-0000058, Electricity Delivery and Energy Reliability Research,
Development and Analysis, June 25, 2009.
[8] Federal Energy Regulatory Commission, Smart Grid Policy, 128 FERC ¶ 61,060 [Docket No. PL09-4-000], July
16, 2009.
addition, the Smart Grid will have additional vulnerabilities due to its complexity, large number
of stakeholders, and highly time-sensitive operational requirements.
NIST leads a Smart Grid Interoperability Panel–Cyber Security Working Group (SGIP–CSWG)
which now has more than 300 volunteer members from the public and private sectors, academia,
regulatory organizations, and federal agencies. Cyber security is being addressed using a
thorough process that will result in a comprehensive set of cyber security requirements. As
explained more fully later in this chapter, these requirements are being developed (or augmented,
where standards/guidelines already exist) using a high-level risk assessment process that is
defined in the cyber security strategy for the Smart Grid. Cyber security requirements are
implicitly recognized as critical in all of the priority action plans discussed in the NIST
Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0 (NIST Special
Publication 1108), a document that was published in January 2010.[9]
[9] Available at http://www.nist.gov/public_affairs/releases/smartgrid_interoperability_final.pdf.
[10] Department of Energy, Energy, Critical Infrastructure and Key Resources, Sector-Specific Plan as input to the
National Infrastructure Protection Plan, May 2007.
communications systems and services are composed of all hardware and software that
process, store, and communicate information, or any combination of all of these
elements. Processing includes the creation, access, modification, and destruction of
information. Storage includes paper, magnetic, electronic, and all other media types.
Communications include sharing and distribution of information. For example: computer
systems; control systems (e.g., supervisory control and data acquisition–SCADA);
networks, such as the Internet; and cyber services (e.g., managed security services) are
part of cyber infrastructure.
[11] The document is available at: http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-7628. Comments may
be submitted to: cswgdraft2comments@nist.gov.
1.3.1 Audience
This document is intended for individuals and organizations who will be addressing cyber
security for Smart Grid systems. This includes, for example, vendors, utilities, system operators,
researchers, and network specialists, and individuals and organizations representing all three
sectors: IT, telecommunications, and electric. Individuals reading this document are expected to
have a basic knowledge of the electric sector and a basic understanding of cyber security.
[12] This was previously named Demand Response.
• Chapter 6 – Research and Development (R&D): includes R&D themes that identify
where the state of the art falls short of meeting the envisioned functional, reliability, and
scalability requirements of the Smart Grid.
Also included in this document are several appendixes:
• Appendix A: key power system use cases with security applicability used in the risk
assessment process
• Appendix B: crosswalk of cyber security documents used in developing the security
requirements
• Appendix C: vulnerability classes used in the risk assessment process
• Appendix D: bottom-up security analysis of the Smart Grid used in the risk assessment
process
• Appendix E: state laws – Smart Grid and electricity delivery regulations
• Appendix F: acronyms and glossary
• Appendix G: SGIP-CSWG membership.
The requirements included in this NIST report will form the basis for the standards and
guidelines developed with coordination by NIST and the SGIP.
• FIPS 199, Standards for Security Categorization of Federal Information and Information
Systems, NIST, February 2004;
• Security Guidelines for the Electricity Sector: Vulnerability and Risk Assessment, North
American Electric Reliability Corporation (NERC), 2002;
• The National Infrastructure Protection Plan, Partnering to enhance protection and
resiliency, Department of Homeland Security, 2009;
• The IT, telecommunications, and energy sectors' sector-specific plans (SSPs), initially
published in 2007 and updated annually;
• ANSI/ISA-99.00.01-2007, Security for Industrial Automation and Control Systems:
Concepts, Terminology and Models, International Society of Automation (ISA), 2007;
and
• ANSI/ISA-99.02.01-2009, Security for Industrial Automation and Control Systems:
Establishing an Industrial Automation and Control Systems Security Program, ISA,
January 2009.
Following the risk assessment, the next step in the Smart Grid cyber security strategy is to select
and tailor (as necessary) the security requirements. The documents used in this step are listed
under Task 3 below.
The security requirements and the supporting analysis that are included in this NIST report may
be used by implementers of the Smart Grid, e.g., utilities, equipment manufacturers, regulators,
as input to their risk assessment processes. The information serves as baseline guidance to the
various organizations for assessing risk and selecting appropriate security requirements. In
addition, each organization should develop its own cyber security strategy for the Smart Grid.
The tasks within the cyber security strategy for the Smart Grid are undertaken by participants in
the SGIP-CSWG.[13] In addition, the SGIP-CSWG is coordinating activities with the Advanced
Security Acceleration Project – Smart Grid (ASAP-SG). The ASAP-SG is a collaborative effort
between EnerNex Corporation, multiple major North American utilities, NIST, and DOE,
including resources from Oak Ridge National Laboratory and the Software Engineering Institute
of Carnegie Mellon University. Following are the tasks that are being performed by the SGIP-
CSWG in the implementation of the cyber security strategy. Also included are the deliverables
for each task. Because of the time frame for developing the document, the tasks listed below are
occurring in parallel, with significant interactions among the groups addressing the tasks.
Figure 1.1 illustrates the tasks defined for the Smart Grid cyber security strategy. The tasks are
defined after the figure.
[13] The SGIP–CSWG was formerly known as the Cyber Security Coordination Task Group (CSCTG). The CSWG
was established as a permanent working group within the SGIP.
[Figure 1.1: Tasks in the Smart Grid cyber security strategy. The figure shows: 1. Use Case Analysis (top-down analysis, inter-component/domain); 2. Risk Assessment (vulnerabilities, threats, impacts; bottom-up analysis of vulnerability classes; privacy assessment); 3. High Level Security Requirements; 4a. Security Architecture; 4b. Smart Grid Standards Assessment, against existing standards (CIP, IEEE, IEC, etc.); 5. Conformity Assessment.]
Web Application Security Project (OWASP) vulnerabilities list. These vulnerability classes will
ensure that the security controls address the identified vulnerabilities. The vulnerability classes
may also be used by Smart Grid implementers, e.g., vendors and utilities, in assessing their
systems.
Overall Analysis: both top-down and bottom-up approaches were used in implementing the risk
assessment as specified earlier. The top-down approach focuses on the use cases and the overall
Smart Grid functionality.
Bottom-up analysis: the bottom-up approach focuses on well-understood problems that
need to be addressed, such as authenticating and authorizing users to substation
intelligent electronic devices (IEDs), key management for meters, and intrusion detection
for power equipment. Also, interdependencies among Smart Grid domains/systems were
considered when evaluating the impacts of a cyber or physical security incident. An
incident in one infrastructure can cascade to failures in other domains/systems. The
bottom-up analysis is included in Appendix D of this document.
Top-down analysis: in the top-down approach, logical interface diagrams were
developed for the six functional priority areas that were the focus of the initial draft of
NISTIR 7628—Electric Transportation, Electric Storage, Wide Area Situational
Awareness, Demand Response, Advanced Metering Infrastructure, and Distribution Grid
Management. In this draft, a functional architecture for the overall Smart Grid is
included, with logical interfaces identified for the additional grid areas (this will be used
in the development of the security architecture). Because there are hundreds of
interfaces, each logical interface is allocated to one of eighteen logical interface
categories. Some examples of the logical interface categories are: control systems with
high data accuracy and high availability, as well as media and computer constraints; B2B
(Business to Business) connections; interfaces between sensor networks and controls
systems; and interface to the customer site. A set of attributes (e.g., immature or
proprietary protocols, insecure locations, integrity requirements) was defined, and the
attributes allocated to the interface categories, as appropriate. This logical interface
category/attributes matrix is used in assessing the impact of a security compromise on
confidentiality, integrity and availability. The level of impact is denoted as low,
moderate, or high (see footnote 16). This assessment is performed for each logical interface category.
The output from this process is used in the selection of security requirements (Task 3).
As with any assessment, a realistic analysis of the threats is critical to the overall outcome. The
Smart Grid is no different. It is recommended that all organizations take a realistic view of the
threats, and work with national authorities as needed to glean the required information, which, it
is anticipated, no single utility or other Smart Grid participant would be able to assess on its
own. Potential threats range from script-kiddies to disgruntled current or former employees, to
nation-state adversaries. A realistic assessment of these threats, and the applicability to
subsequent risk-mitigation strategies, is critical to the overall security of the Smart Grid.
15 A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. A vulnerability class is a grouping of common vulnerabilities.
16 The definitions of low, moderate, and high impact are found in FIPS 199.
requirements not consistent with the security requirements included in NISTIR 7628 will be
identified with recommendations.
17 Comments may be submitted to: cswgdraft2comments@nist.gov
CHAPTER TWO
LOGICAL ARCHITECTURE AND INTERFACES OF THE SMART GRID
This chapter includes an overall functional logical architecture of the Smart Grid – including all
the major domains: service providers, customer, transmission, distribution, bulk generation,
markets and operations that are part of the NIST conceptual model. Figure 2.1 is this high level
functional architecture and represents a composite high level view of Smart Grid domains and
actors. A Smart Grid domain is a high-level grouping of organizations, buildings, individuals,
systems, devices or other actors with similar objectives and relying on – or participating in –
similar types of applications. Communications among actors in the same domain may have
similar characteristics and requirements. Domains may contain sub-domains. Moreover,
domains have much overlapping functionality, as in the case of the transmission and distribution
domains. An actor is a device, computer system, software program, or the individual or
organization that participates in the Smart Grid. Actors have the capability to make decisions
and to exchange information with other actors. Organizations may have actors in more than one
domain. The actors illustrated here are representative examples, and are not all the actors in the
Smart Grid. Each of the actors may exist in several different varieties, and may contain many
other actors within them.
The functional logical architecture represents a blending of the initial set of use cases and
requirements that came from the workshops and the initial NIST Smart Grid Interoperability
Roadmap, including the individual logical interface diagrams for the six application areas:
electric transportation, electric storage, advanced metering infrastructure (AMI), wide area
situational awareness (WASA), distribution grid management, and home area network/business
area network (HAN/BAN) (see footnote 18). These six areas are depicted in individual diagrams, Figures 2.2
through 2.7. These lower level diagrams were originally produced at the NIST Smart Grid
workshops and then revised for this NIST report. They provide a more granular view of the
Smart Grid functional areas.
To develop the high level functional logical architecture, the six lower level diagrams were
aggregated and consolidated into a single logical architecture. All of the logical interfaces
included in the six diagrams are included in the overall functional architecture. The format for
the reference number for each logical interface is U99 – where U stands for universal and 99 is
the interface number. The reference number is the same on the individual logical diagrams and
the functional logical architecture. This functional architecture focuses on a short-term view (1-3
years) of the proposed Smart Grid.
The functional logical architecture is a work in progress and will be subject to revision and
further development. Additional underlying detail as well as additional Smart Grid functions
will be needed to enable more detailed analysis of required security functions. The graphic
illustrates, at a high level, the diversity of systems as well as a first representation of associations
between systems and components of the Smart Grid.
18 This was previously named Demand Response.
Table 2.1 Actor Descriptions for the Unified Logical Architecture for the Smart Grid
(Columns: Actor Number | Domain | Actor | Acronym | Description)

1 | Bulk Generation | Plant Control System - Distributed Control System | DCS | A local control system at a bulk generation plant. This is sometimes called a Distributed Control System (DCS).
2 | Customer | Customer | - | An entity that pays for electrical goods or services. A customer of a utility, including customers who provide more power than they consume.
3 | Customer | Customer Appliances and Equipment | - | A device or instrument designed to perform a specific function, especially an electrical device, such as a toaster, for household use. An electric appliance or machinery that may have the ability to be monitored, controlled and/or displayed.
4 | Customer | Customer Distributed Energy Resources: Generation and Storage | DER | Energy generation resources, such as solar or wind, used to generate and store energy (located on a customer site) that interface to the controller (HAN/BAN) to perform an energy related activity.
5 | Customer | Customer Energy Management System | EMS | An application service that communicates with devices in the home. The application service may have interfaces to the meter to report usage or to the operations domain to get pricing or other information to make automated or manual decisions to control energy consumption more efficiently. The EMS may be a utility subscription service, a consumer written application, or a manual control by the utility or consumer.
6 | Customer | Electric Vehicle Service Element/Plug-in Electric Vehicle | EVSE/PEV | A vehicle driven entirely by an electric motor powered by a rechargeable battery that may be recharged by plugging into the grid or by recharging from a gasoline-driven alternator.
7 | Customer | Energy Services Interface/Home Area Network Gateway | HAN | An interface between the distribution, operations, and customer domains and the devices within the customer domain.
8 | Customer | Meter | - | Utility owned point of sale device used for the transfer of product and measuring usage from one domain/system to another.
20 | Markets | Independent System Operator/Regional Transmission Organization Wholesale Market | ISO/RTO | An ISO/RTO control center that participates in the market and does not run the market. From the EPSA web site, "The electric wholesale market is open to anyone who, after securing the necessary approvals, can generate power, connect to the grid and find a counterparty willing to buy their output. These include competitive suppliers and marketers that are affiliated with utilities, independent power producers (IPPs) not affiliated with a utility, as well as some excess generation sold by traditional vertically integrated utilities. All these market participants compete with each other on the wholesale market." (see footnote 19)
21 | Operations | Advanced Metering Infrastructure Headend | AMI | This system manages the information exchanges between third party systems or systems not considered headend, such as the MDMS system and the AMI network.
22 | Operations | Bulk Storage Management | - | Energy storage connected to the bulk power system.
23 | Operations | Customer Information System | CIS | Enterprise-wide software applications that allow companies to manage aspects of their relationship with a customer.
24 | Operations | Customer Service Representative | CSR | Customer service provided by a person (e.g., sales and service representative), or by automated means called self-service (e.g., Interactive Voice Response (IVR)).
19 http://www.epsa.org/industry/primer/?fa=wholesaleMarket
40 | Operations | Work Management System | WMS | A system that provides project details and schedules for work crews to construct and maintain the power system infrastructure.
41 | Service Provider | Aggregator | - | Any marketer, broker, public agency, city, county, or special district that combines the loads of multiple end-use customers in facilitating the sale and purchase of electric energy, transmission, and other services on behalf of these customers.
42 | Service Provider | Billing | - | Process of generating an invoice to recover sales price from the customer.
43 | Service Provider | Energy Service Providers | ESP | Provides retail electricity, natural gas and clean energy options, along with energy efficiency products and services.
44 | Service Provider | Third Party | - | A third party providing a critical business function outside of the utility.
45 | Transmission | Phasor Measurement Unit | PMU | Measures the electrical waves on an electricity grid to determine the health of the system.
46 | Transmission | Transmission IED | - | IEDs receive data from sensors and power equipment, and can issue control commands, such as tripping circuit breakers if they sense voltage, current, or frequency anomalies, or raise/lower voltage levels in order to maintain the desired level. A device that sends data to a data concentrator for potential reformatting.
The following diagrams include detailed logical interfaces. Following each diagram is a table that allocates the logical interfaces to
one of the logical interface categories. These logical interface categories are discussed fully in Chapter Three.
Logical interface category allocation (diagram and table title not captured):

3b. Interface between back office systems not under common management authority [logical interfaces: None], for example:
• Between a third party billing system and a utility meter data management system
6. Interface with B2B connections between systems usually involving financial or market transactions [logical interfaces: U20, U58, U97], for example:
• Between a Retail aggregator and an Energy Clearinghouse
7. Interface between control systems and non-control/corporate systems [logical interfaces: U33, U106, U113, U114, U131], for example:
• Between a Work Management System and a Geographic Information System
8. Interface between sensors and sensor networks for measuring environmental parameters, usually simple sensor devices with possibly analog measurements [logical interfaces: U111], for example:
• Between a temperature sensor on a transformer and its receiver
9. Interface between sensor networks and control systems [logical interfaces: U108, U112], for example:
• Between a sensor receiver and the substation master
10a. Interface between systems that use the AMI network [logical interfaces: none listed], for example:
• Between MDMS and meters
• Between LMS/DRMS and Customer EMS
10b. Interface between systems that use the AMI network with high availability [logical interfaces: U95, U119], for example:
• Between MDMS and meters
• Between LMS/DRMS and Customer EMS
• Between DMS Applications and Customer DER
• Between DMS Applications and DA Field Equipment
11. Interface between systems that use customer (residential, commercial, and industrial) site networks such as HANs and BANs [logical interfaces: U44, U120], for example:
• Between Customer EMS and Customer Appliances
• Between Customer EMS and Customer DER
• Between Energy Service Interface and PEV
12. Interface between external systems and the customer site [logical interfaces: U88, U92, U100, U101], for example:
• Between Third Party and HAN Gateway
• Between ESP and DER
• Between Customer and CIS Web site
13. Interface between systems and mobile field crew laptops/equipment [logical interfaces: U99, U104, U105], for example:
• Between field crews and GIS
• Between field crews and substation equipment
14. Interface between metering equipment [logical interfaces: U24, U41], for example:
• Between sub-meter and meter
• Between PEV meter and Energy Service Provider
15. Interface between operations decision support systems [logical interfaces: None], for example:
• Between WAMS and ISO/RTO
16. Interface between engineering/maintenance systems and control equipment [logical interfaces: U109], for example:
• Between engineering and substation relaying equipment for relay settings
• Between engineering and pole-top equipment for maintenance
• Within power plants
17. Interface between control systems and their vendors for standard maintenance and service [logical interfaces: None], for example:
• Between SCADA system and its vendor
18. Interface between security/network/system management consoles and all networks and systems [logical interfaces: None], for example:
• Between a security console and network routers, firewalls, computer systems, and network nodes
Logical interface category allocation (diagram and table title not captured):

3b. Interface between back office systems not under common management authority [logical interfaces: U52], for example:
• Between a third party billing system and a utility meter data management system
6. Interface with B2B connections between systems usually involving financial or market transactions [logical interfaces: U4, U20, U51, U57, U58], for example:
• Between a Retail aggregator and an Energy Clearinghouse
7. Interface between control systems and non-control/corporate systems [logical interfaces: U59], for example:
• Between a Work Management System and a Geographic Information System
8. Interface between sensors and sensor networks for measuring environmental parameters, usually simple sensor devices with possibly analog measurements [logical interfaces: None], for example:
• Between a temperature sensor on a transformer and its receiver
9. Interface between sensor networks and control systems [logical interfaces: None], for example:
• Between a sensor receiver and the substation master
10a. Interface between systems that use the AMI network [logical interfaces: none listed], for example:
• Between MDMS and meters
• Between LMS/DRMS and Customer EMS
10b. Interface between systems that use the AMI network with high availability [logical interfaces: U60], for example:
• Between MDMS and meters
• Between LMS/DRMS and Customer EMS
• Between DMS Applications and Customer DER
• Between DMS Applications and DA Field Equipment
11. Interface between systems that use customer (residential, commercial, and industrial) site networks such as HANs and BANs [logical interfaces: U42, U45, U62], for example:
• Between Customer EMS and Customer Appliances
• Between Customer EMS and Customer DER
• Between Energy Service Interface and PEV
12. Interface between external systems and the customer site [logical interfaces: U19], for example:
• Between Third Party and HAN Gateway
• Between ESP and DER
• Between Customer and CIS Web site
13. Interface between systems and mobile field crew laptops/equipment [logical interfaces: None], for example:
• Between field crews and GIS
• Between field crews and substation equipment
14. Interface between metering equipment [logical interfaces: U41, U46, U47, U48, U50, U64], for example:
• Between sub-meter and meter
• Between PEV meter and Energy Service Provider
15. Interface between operations decision support systems [logical interfaces: None], for example:
• Between WAMS and ISO/RTO
16. Interface between engineering/maintenance systems and control equipment [logical interfaces: None], for example:
• Between engineering and substation relaying equipment for relay settings
• Between engineering and pole-top equipment for maintenance
• Within power plants
17. Interface between control systems and their vendors for standard maintenance and service [logical interfaces: None], for example:
• Between SCADA system and its vendor
18. Interface between security/network/system management consoles and all networks and systems [logical interfaces: None], for example:
• Between a security console and network routers, firewalls, computer systems, and network nodes
Logical interface category allocation (diagram and table title not captured):

3b. Interface between back office systems not under common management authority [logical interfaces: U55], for example:
• Between a third party billing system and a utility meter data management system
6. Interface with B2B connections between systems usually involving financial or market transactions [logical interfaces: U9, U20, U51, U52, U53, U57, U58], for example:
• Between a Retail aggregator and an Energy Clearinghouse
7. Interface between control systems and non-control/corporate systems [logical interfaces: U59], for example:
• Between a Work Management System and a Geographic Information System
8. Interface between sensors and sensor networks for measuring environmental parameters, usually simple sensor devices with possibly analog measurements [logical interfaces: None], for example:
• Between a temperature sensor on a transformer and its receiver
9. Interface between sensor networks and control systems [logical interfaces: None], for example:
• Between a sensor receiver and the substation master
10a. Interface between systems that use the AMI network [logical interfaces: none listed], for example:
• Between MDMS and meters
• Between LMS/DRMS and Customer EMS
10b. Interface between systems that use the AMI network with high availability [logical interfaces: None], for example:
• Between MDMS and meters
• Between LMS/DRMS and Customer EMS
• Between DMS Applications and Customer DER
• Between DMS Applications and DA Field Equipment
11. Interface between systems that use customer (residential, commercial, and industrial) site networks such as HANs and BANs [logical interfaces: U62], for example:
• Between Customer EMS and Customer Appliances
• Between Customer EMS and Customer DER
• Between Energy Service Interface and PEV
12. Interface between external systems and the customer site [logical interfaces: U18, U19, U42], for example:
• Between Third Party and HAN Gateway
• Between ESP and DER
• Between Customer and CIS Web site
13. Interface between systems and mobile field crew laptops/equipment [logical interfaces: None], for example:
• Between field crews and GIS
• Between field crews and substation equipment
14. Interface between metering equipment [logical interfaces: U46, U47, U50, U53, U54, U60], for example:
• Between sub-meter and meter
• Between PEV meter and Energy Service Provider
15. Interface between operations decision support systems [logical interfaces: None], for example:
• Between WAMS and ISO/RTO
16. Interface between engineering/maintenance systems and control equipment [logical interfaces: None], for example:
• Between engineering and substation relaying equipment for relay settings
• Between engineering and pole-top equipment for maintenance
• Within power plants
17. Interface between control systems and their vendors for standard maintenance and service [logical interfaces: None], for example:
• Between SCADA system and its vendor
18. Interface between security/network/system management consoles and all networks and systems [logical interfaces: None], for example:
• Between a security console and network routers, firewalls, computer systems, and network nodes
20 HAN/BAN Network is demand response (DR) in the NIST Framework.
Logical interface category allocation, continued (diagram, table title and categories before 12 not captured):

12. Interface between external systems and the customer site [logical interfaces: U18, U19, U42, U125], for example:
• Between Third Party and HAN Gateway
• Between ESP and DER
• Between Customer and CIS Web site
13. Interface between systems and mobile field crew laptops/equipment [logical interfaces: U14, U29, U35], for example:
• Between field crews and GIS
• Between field crews and substation equipment
14. Interface between metering equipment [logical interfaces: U19, U24, U41, U46, U47, U48, U50, U128, U129], for example:
• Between sub-meter and meter
• Between PEV meter and Energy Service Provider
15. Interface between operations decision support systems [logical interfaces: None], for example:
• Between WAMS and ISO/RTO
16. Interface between engineering/maintenance systems and control equipment [logical interfaces: None], for example:
• Between engineering and substation relaying equipment for relay settings
• Between engineering and pole-top equipment for maintenance
• Within power plants
17. Interface between control systems and their vendors for standard maintenance and service [logical interfaces: None], for example:
• Between SCADA system and its vendor
18. Interface between security/network/system management consoles and all networks and systems [logical interfaces: not assessed in this draft], for example:
• Between a security console and network routers, firewalls, computer systems, and network nodes
Logical interface category allocation (diagram and table title not captured):

3b. Interface between back office systems not under common management authority [logical interfaces: None], for example:
• Between a third party billing system and a utility meter data management system
6. Interface with B2B connections between systems usually involving financial or market transactions [logical interfaces: U69, U72, U93], for example:
• Between a Retail aggregator and an Energy Clearinghouse
7. Interface between control systems and non-control/corporate systems [logical interfaces: U52, U68, U75, U91], for example:
• Between a Work Management System and a Geographic Information System
8. Interface between sensors and sensor networks for measuring environmental parameters, usually simple sensor devices with possibly analog measurements [logical interfaces: None], for example:
• Between a temperature sensor on a transformer and its receiver
9. Interface between sensor networks and control systems [logical interfaces: None], for example:
• Between a sensor receiver and the substation master
10a. Interface between systems that use the AMI network [logical interfaces: none listed], for example:
• Between MDMS and meters
• Between LMS/DRMS and Customer EMS
10b. Interface between systems that use the AMI network with high availability [logical interfaces: None], for example:
• Between MDMS and meters
• Between LMS/DRMS and Customer EMS
• Between DMS Applications and Customer DER
• Between DMS Applications and DA Field Equipment
11. Interface between systems that use customer (residential, commercial, and industrial) site networks such as HANs and BANs [logical interfaces: None], for example:
• Between Customer EMS and Customer Appliances
• Between Customer EMS and Customer DER
• Between Energy Service Interface and PEV
12. Interface between external systems and the customer site [logical interfaces: U88, U92], for example:
• Between Third Party and HAN Gateway
• Between ESP and DER
• Between Customer and CIS Web site
13. Interface between systems and mobile field crew laptops/equipment [logical interfaces: None], for example:
• Between field crews and GIS
• Between field crews and substation equipment
14. Interface between metering equipment [logical interfaces: None], for example:
• Between sub-meter and meter
• Between PEV meter and Energy Service Provider
15. Interface between operations decision support systems [logical interfaces: U76, U77, U78], for example:
• Between WAMS and ISO/RTO
16. Interface between engineering/maintenance systems and control equipment [logical interfaces: None], for example:
• Between engineering and substation relaying equipment for relay settings
• Between engineering and pole-top equipment for maintenance
• Within power plants
17. Interface between control systems and their vendors for standard maintenance and service [logical interfaces: None], for example:
• Between SCADA system and its vendor
18. Interface between security/network/system management consoles and all networks and systems [logical interfaces: None], for example:
• Between a security console and network routers, firewalls, computer systems, and network nodes
CHAPTER THREE
HIGH LEVEL SECURITY REQUIREMENTS
Some of the security requirements for the information infrastructure of the Smart Grid are similar
to corporate information security requirements. For example, the security requirements of back
office and corporate systems can be identified through assessments similar to those described in
Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of
Federal Information and Information Systems. There is, however, a significant difference: power
system operations in the Smart Grid are more closely aligned with industrial control systems, as
described in NIST Special Publication (SP) 800-82, DRAFT Guide to Industrial Control Systems
(ICS) Security. With the implementation of the Smart Grid, IT and electric sector systems will be
more closely associated. For example, customer interactions with utilities and third parties may
include mixtures of power system operational information with high reliability and availability
requirements and sensitive personal information with high confidentiality requirements.
This chapter includes the source documents and analysis results that were used to select the
security requirements for the logical interface categories. The analysis was performed in the
following steps:
1. Additional description of the logical interface categories. Identification and allocation of
attributes to the logical interface categories (Table 3.1)
2. Determination of the confidentiality, integrity, and availability impact levels for each of
the logical interface categories (Table 3.3). The focus is on power system reliability.
3. Initial selection of the security requirements applicable to the Smart Grid (Table 3.4).
The common governance, risk and compliance (GRC) and common technical
requirements are identified.
4. The unique technical requirements (excluding the GRC and common technical
requirements) are allocated to the logical interface categories (Table 3.5).
This information is provided to organizations that are implementing, designing, and/or operating
Smart Grid systems as a starting point for selecting and tailoring security requirements. Each
organization will need to perform a risk analysis to determine the applicability of the following
material.
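As an added worked example (not part of NISTIR 7628), the Python below represents the logical interface category matrix that the top-down analysis of Chapter One and steps 1 to 4 above describe as data: each logical interface (U-number) is allocated to one category, each category carries confidentiality, integrity and availability impact levels, and a system that terminates several interfaces gets the high-water mark of their impacts, as FIPS 200 does for an information system. The U-numbers for categories 6, 7, 10b and 12 are taken from the first allocation table in Chapter Two; the impact levels per category are constructed assumptions, not the values in Table 3.3.

```python
"""Added example (not part of NISTIR 7628): logical interface categories,
their FIPS 199 impact levels, and the allocation of interfaces to them,
with a consistency check and a high-water-mark roll-up.
Category impact values are constructed assumptions; Table 3.3 is authoritative."""

from enum import IntEnum


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


# (confidentiality, integrity, availability) per category: constructed sample.
CATEGORY_IMPACT = {
    "6": (Impact.HIGH, Impact.HIGH, Impact.LOW),          # B2B financial/market
    "7": (Impact.MODERATE, Impact.HIGH, Impact.MODERATE),  # control to corporate systems
    "10b": (Impact.MODERATE, Impact.HIGH, Impact.HIGH),    # AMI network, high availability
    "12": (Impact.HIGH, Impact.MODERATE, Impact.LOW),      # external systems to customer site
}

# Allocation of logical interfaces to categories; U-numbers from the first
# per-diagram allocation table in Chapter Two.
ALLOCATION = {
    "6": ["U20", "U58", "U97"],
    "7": ["U33", "U106", "U113", "U114", "U131"],
    "10b": ["U95", "U119"],
    "12": ["U88", "U92", "U100", "U101"],
}


def check_allocation(allocation, impacts):
    """Return a list of problems: an interface allocated to more than one
    category, or a category that has no impact assessment. Empty list means
    the allocation is consistent and every interface has a defined impact."""
    problems = []
    seen = {}
    for cat, uids in allocation.items():
        if cat not in impacts:
            problems.append(f"category {cat} has no impact levels")
        for uid in uids:
            if uid in seen and seen[uid] != cat:
                problems.append(f"{uid} allocated to both {seen[uid]} and {cat}")
            seen.setdefault(uid, cat)
    return problems


def category_of(uid, allocation=ALLOCATION):
    for cat, uids in allocation.items():
        if uid in uids:
            return cat
    raise KeyError(f"{uid} is not allocated to any logical interface category")


def interface_impact(uid):
    """FIPS 199 (confidentiality, integrity, availability) impact of one interface,
    inherited from its category."""
    return CATEGORY_IMPACT[category_of(uid)]


def high_water_mark(uids):
    """Roll-up for a system that terminates several interfaces: the maximum
    impact per security objective across all of them."""
    c, i, a = Impact.LOW, Impact.LOW, Impact.LOW
    for uid in uids:
        uc, ui, ua = interface_impact(uid)
        c, i, a = max(c, uc), max(i, ui), max(a, ua)
    return c, i, a


def security_category(uids):
    """FIPS 199 security category notation for the rolled-up result."""
    c, i, a = high_water_mark(uids)
    return (f"SC = {{(confidentiality, {c.name}), (integrity, {i.name}), "
            f"(availability, {a.name})}}")


if __name__ == "__main__":
    print(check_allocation(ALLOCATION, CATEGORY_IMPACT))
    print(security_category(["U33", "U88"]))
```

The consistency check is the part worth running before selecting requirements: an interface allocated to two categories with different impact levels would otherwise receive two different sets of requirements without anyone noticing.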
• Seconds for substation and feeder supervisory control and data acquisition (SCADA)
data;
• Minutes for monitoring non-critical equipment and some market pricing information;
• Hours for meter reading and longer term market pricing information; and
• Days/weeks/months for collecting long term data such as power quality information.
Integrity for power system operations includes assurance that:
• Data has not been modified without authorization;
• Source of data is authenticated;
• Timestamp associated with the data is known and authenticated; and
• Quality of data is known and authenticated.
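The four integrity properties just listed are easy to state and easy to get half right. As an added example (not part of NISTIR 7628), the Python below shows one way to carry all four on a single field measurement: a per-source pre-shared key and HMAC-SHA256 cover the value together with the source identifier, the timestamp and the quality flag, so none of them can be altered or stripped without invalidating the tag; the receiver authenticates the source by which key verifies, enforces a freshness window on the timestamp and rejects replays. The key table, record layout, freshness window and sample values are assumptions made for this example.

```python
"""Added example (not part of NISTIR 7628): authenticated telemetry records.
Covers data integrity, source authentication, timestamp authentication and
quality-flag authentication with HMAC-SHA256 and a per-source key.
Key table, record layout, window and sample values are assumptions."""

import hashlib
import hmac
import json

# Constructed sample: one pre-shared 256-bit key per reporting device.
SOURCE_KEYS = {
    "ied-sub12-f3": bytes.fromhex("0f" * 32),
    "meter-000123": bytes.fromhex("a5" * 32),
}

FRESHNESS_WINDOW_S = 30.0  # assumed: reject records further than this from receiver time

REQUIRED_FIELDS = ("source", "ts", "quality", "point", "value")


def canonical(record):
    """Deterministic encoding of every field the tag must cover. Because source,
    timestamp and quality are inside the MAC input, none of them can be changed
    or removed without invalidating the tag. Raises KeyError on a missing field."""
    fields = {k: record[k] for k in REQUIRED_FIELDS}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign(record):
    """Tag a record with the key of its claimed source (done on the device)."""
    key = SOURCE_KEYS[record["source"]]
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "tag": tag}


class Verifier:
    """Receiver-side checks, ordered so the cheapest rejection comes first."""

    def __init__(self, keys, window_s=FRESHNESS_WINDOW_S):
        self.keys = keys
        self.window_s = window_s
        self.last_ts = {}  # newest accepted timestamp per source, for replay detection

    def verify(self, record, now):
        key = self.keys.get(record.get("source"))
        if key is None:
            return False, "unknown source"            # source cannot be authenticated
        try:
            expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
        except (KeyError, TypeError):
            return False, "malformed record"
        if not hmac.compare_digest(expected, str(record.get("tag", ""))):
            return False, "bad tag"                    # value, ts, quality or source altered
        ts = record["ts"]
        if not isinstance(ts, (int, float)):
            return False, "malformed record"
        if abs(now - ts) > self.window_s:
            return False, "stale or future timestamp"  # timestamp not acceptable
        if ts <= self.last_ts.get(record["source"], float("-inf")):
            return False, "replay"                     # already seen, or older than last accepted
        self.last_ts[record["source"]] = ts
        return True, "ok"


if __name__ == "__main__":
    v = Verifier(SOURCE_KEYS)
    rec = sign({"source": "ied-sub12-f3", "ts": 1000.0, "quality": "good",
                "point": "V_A", "value": 118.2})
    print(v.verify(rec, now=1005.0))                           # accepted
    print(v.verify(rec, now=1006.0))                           # replay
    print(v.verify(dict(rec, quality="suspect"), now=1006.0))  # bad tag
```

Two design points matter here. The quality flag is inside the MAC input because an attacker who can only flip "suspect" to "good" on an otherwise genuine record already defeats the purpose of the flag. And the freshness window means the receiver must know the time reasonably well; on a link where the device clock cannot be trusted, a receiver-issued nonce or sequence number takes the place of the timestamp in the replay check.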
Confidentiality is the least critical for power system reliability. However, confidentiality is
becoming more important, particularly with the increasing availability of customer information
online:
• Privacy of customer information;
• Electric market information; and
• General corporate information, such as payroll, internal strategic planning, etc.
Furthermore, communication modes and types are similar between logical interface categories 1a,
1b, 1c, and 1d and can be defined as follows:
• Interface Data Communication Mode
Near Real-Time Frequency Monitoring Mode (milliseconds, sub-cycle based on a
60Hz system) (may or may not include control action communication)
High Frequency Monitoring Mode (2sec - 59sec scan rates)
Low Frequency Monitoring Mode (scan/update rates in excess of 1min, file
transfers)
• Interface Data Communication Type
Monitoring and Control Data for real time control system environment (typical
measurement and control points)
Equipment Maintenance and Analysis (numerous measurements on field
equipment that is typically used for preventive maintenance and post analysis)
Equipment Management Channel (remote maintenance of equipment)
The characteristics which vary between and distinguish each are the availability requirements for
the interface and the compute/communications constraints for the interface as follows:
• Availability Requirements - Availability requirements will vary between these interfaces
and are driven primarily by the power system application which the interface supports
and not by the interface itself. For example, a SCADA interface to a substation or pole-
top RTU may have a HIGH availability requirement in one case due to it supporting
critical monitoring and switching functions or a MODERATE to LOW availability if
supporting an asset monitoring application.
• Communications and Compute Constraints - Compute constraints arise from the cryptographic
requirements on the interface: cryptographic operations are CPU-intensive, and existing field
devices such as RTUs, substation IEDs, and meters are typically not equipped with sufficient
processing hardware to perform cryptographic or other security functions.
Bandwidth constraints are associated with data volume on the interface. In this case,
media is usually narrowband, limiting the volume of traffic and impacting the types of
security measures that are feasible.
With these requirements and constraints, logical interface categories 1a, 1b, 1c, and 1d can be
defined as follows:
1a. Interface between control systems and equipment with high availability, and with compute
and/or bandwidth constraints
• Between transmission SCADA in support of state estimation and substation equipment
for monitoring and control data using a high frequency mode
• Between distribution SCADA in support of three phase real-time power flow and
substation equipment for monitoring data using a high and low frequency mode
• Between transmission SCADA in support of AGC and DCS within a power plant for
monitoring and control data using a high frequency mode
• Between SCADA in support of Volt/VAR control and substation equipment for
monitoring and control data using a high and low frequency mode
• Between transmission SCADA in support of contingency analysis and substation
equipment for monitoring data using a high frequency mode
1b. Interface between control systems and equipment without high availability, and with
compute and/or bandwidth constraints
• Between field devices and control systems for analyzing power system faults using a low
frequency mode
• Between a control system historian and field devices for capturing power equipment
attributes using a high or low frequency mode
• Between distribution SCADA and lower priority pole-top devices for monitoring field
devices using a low frequency mode
• Between pole-top IEDs and other pole-top IEDs (not used for protection or automated
switching) for monitoring and control in a high or low frequency mode
1c. Interface between control systems and equipment with high availability, without compute
and/or bandwidth constraints
• Between transmission SCADA and substation automation systems for monitoring and
control data using a high frequency mode
• Between EMS and generation control (DCS) and RTUs for monitoring and control data
using a high frequency mode
• Between distribution SCADA and substation automation systems, substation RTUs, and
pole-top devices for monitoring and control data using a high frequency mode
• Between a PMU device and a Phasor Data Concentrator (PDC) for monitoring data using
a high frequency mode
• Between IEDs (peer-to-peer) for power system protection
1d. Interface between control systems and equipment without high availability, without compute
and/or bandwidth constraints
• Between field device and asset monitoring system for monitoring data using a low
frequency mode
• Between field devices (relays, DFRs, PQ) and event analysis systems for event,
disturbance, and power quality data
• Between distribution SCADA and lower priority pole-top equipment for monitoring and
control data in a high or low frequency mode
• Between pole-top IEDs and other pole-top IEDs (not used for protection or automated
switching) for monitoring and control in a high or low frequency mode
• Between distribution SCADA and backbone network-connected collector nodes for lower
priority distribution pole-top IEDs for monitoring and control in a high or low frequency
mode
Control systems with interfaces between them have the following characteristics and issues:
• Since control systems generally have high data accuracy and high availability
requirements, the interfaces between them need to implement those security requirements
even where the data carried on a particular interface would not by itself demand them.
• The interfaces generally use communication channels (WANs and/or LANs) that are
designed for control systems.
• The control systems themselves are usually in secure environments, such as within a
utility control center or within a power plant.
Control systems with interfaces between them have the following characteristics and issues:
• Since control systems generally have high data accuracy and high availability
requirements, the interfaces between them need to implement those security requirements
even where the data carried on a particular interface would not by itself demand them.
• The interfaces generally use communication channels (WANs and/or LANs) that are
designed for control systems.
• The control systems are usually in secure environments, such as within a utility control
center or within a power plant.
• However, since these control systems are in different organizations, establishing and
maintaining the chain of trust across the organizational boundary is more important.
• Special communication networks are not expected to be needed for market
transactions; these may use the public Internet as well as other available wide area
networks.
• Although the energy market has now been operating for over a decade at the bulk power
level, the retail energy market is in its infancy. It is expected to grow over the next few
years, but no one yet knows in what directions or to what extent.
• However, systems and procedures for market interactions are very mature. The
primary requirement therefore is to apply those concepts and protections in the newly
emerging retail energy market.
Logical Interface Category 9 addresses interfaces between sensor networks and control systems,
e.g. between a sensor receiver and the substation master. These sensor receivers are usually
limited in capabilities other than collecting sensor information.
Logical Interface Category 11 covers the interface between systems that use customer
(residential, commercial, and industrial) site networks such as Home Area Networks (HANs),
Building Area Networks (BANs), and Neighborhood Area Networks (NANs), for example:
• Between Customer EMS and Customer Appliances
• Between Customer EMS and Customer DER equipment
• Between Energy Service Interface and PEVs
• HAN networks will be accessible by many different vendors and organizations with
unknown corporate security requirements and equally variable degrees and types of
security solutions. Even if one particular interaction is “secure”, in aggregate the
multiplicity of interactions may not be secure.
• Some HAN devices may be in physically insecure locations, thus limiting physical
security. Even those presumably “physically secure” within a home are vulnerable to
inadvertent situations such as poor maintenance and misuse, as well as break-ins and theft.
• Many possible future interactions within the HAN environment are still being designed,
are just being speculated about, or have not yet been conceived.
The security-related issues for this external interface to the customer site include the following:
• Some information exchanged among different appliances and systems must be treated as
confidential and private to ensure that an unauthorized third party does not gain access to
it. For instance, energy usage statistics from the customer site that are sent through the
ESI/HAN gateway must be kept confidential from other appliances whose vendors may
want to scavenge this information for marketing purposes.
• Integrity of data is clearly important in general, but since so many different types of
interactions are taking place, the integrity requirements will need to be specific to the
particular application.
• Availability is generally not critical between external parties and the customer site since
most interactions are not related to power system operations nor are they needed in real-
time. Even DER generation and storage devices have their own integrated controllers
which are normally expected to run independently of any direct monitoring and control,
and should have “default” modes of operation to avoid any power system problems.
• Bandwidth is not generally a concern, since higher speed media can be used if a function
requires a higher volume of data traffic. Many different types of media, particularly public
media, are increasingly available, including the public Internet over cable or DSL, campus
or corporate intranets, cell phone GPRS, and neighborhood WiMAX and WiFi systems.
• Some customer devices that contain their own “HAN gateway” firewall are constrained
in their compute capabilities, primarily to keep costs down, which may limit the types
and layers of security which could be applied with those devices.
• Other than those used over the public Internet, communication protocols between third
parties and ESI/HAN Gateways have not yet stabilized as accepted standards, nor have
their capabilities been proven through rigorous testing.
• ESI/HAN Gateways will be accessible by many different vendors and organizations with
unknown corporate security requirements and equally variable degrees and types of
security solutions. Even if one particular interaction is “secure”, in aggregate the
multiplicity of interactions may not be secure.
• ESI/HAN Gateways may be in physically insecure locations, thus limiting physical
security. Even those presumably “physically secure” within a home are vulnerable to
inadvertent situations such as poor maintenance and misuse, as well as break-ins and theft.
• Many possible future interactions within the HAN environment are still being designed,
are just being speculated about, or have not yet been conceived, leading to many possible
but unknown security issues.
The issues for this Metering Interface Category include the following:
• Most metering information from the customer must be treated as confidential since
profiles of hourly energy usage (as opposed to monthly energy usage) could be used for
unauthorized and/or illegal activities.
• Integrity of revenue-grade metering data is vital since it has a direct financial impact on
all stakeholders of the loads and generation being metered.
• Availability of metering data is important but not critical, since alternate means for
retrieving metering data can still be used.
• Meters are constrained in their compute capabilities, primarily to keep costs down, which
may limit the types and layers of security which could be applied.
• Revenue-grade meters must be certified, so patches and upgrades require extensive
testing and re-validation before they can be deployed.
• Key management of millions of meters will pose significant challenges that have not yet
been addressed as standards.
• Due to the relatively new technologies used with smart meters, some standards have not
been fully developed, nor have their capabilities been proven through rigorous testing.
• Multiple (authorized) stakeholders, including customers, utilities, and third parties, may
need access to energy usage either directly from the meter or after it has been processed
and validated for settlements and billing, thus adding cross-organizational security
concerns.
• Utility-owned meters are in physically insecure locations that are not under utility control,
limiting physical security.
• Customer reactions to AMI systems and smart meters are as yet unknown, and some may
fear or reject the intrusion of such “Big Brother” systems.
Note: In the architecture diagram, the vendor actor is currently embedded in the distribution
engineering or (not yet appearing) transmission engineering actor. It will be separated in a later
version of the NISTIR.
The main activities performed on this interface include:
• Firmware and/or software updates
• Retrieving maintenance information
• Retrieving event logs
Key characteristics of logical interface category 17 include:
• The functions performed on this interface are not considered real-time.
• Some communications carried on this interface may be performed interactively.
• The principal driver for urgency on this interface is the need for critical
operational/security updates.
• These functions are presently performed by a combination of:
– Separate remote access to devices, such as by dial-up
– Local access at the device/control system console
– Access via the same interface used for real-time communications
Activities outside of the scope of Logical Interface Category 17 include:
• Vendors acting in an (outsourced) operational role (see logical interface categories 1, 2 or
16, depending upon the role)
[Table: Logical Interface Categories versus Attributes. The X marks of this matrix and most
of its column headings did not survive extraction; only the row (attribute) labels are
recoverable:
ATR-1a: Confidentiality requirements
ATR-1b: Privacy concerns
ATR-2: Integrity requirements
ATR-3: Availability requirements
ATR-5: Microprocessor constraints on memory and compute capabilities
ATR-6: Wireless media
ATR-8: Inter-organizational interactions
ATR-9: Real-time operational (remainder of label lost)
Other row labels survive only as fragments: "communications channels", "protocols",
"locations", "variability, or diversity of interactions", "and systems". Column headings
legible in part: categories 1a, 1d, 3b, 7, 8, 10a, 10b, 13, 14, 15, and 18.]
Confidentiality
“Preserving authorized restrictions on information access and disclosure, including means for
protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542]
A loss of confidentiality is the unauthorized disclosure of information.
Integrity
“Guarding against improper information modification or destruction, and includes ensuring
information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542]
A loss of integrity is the unauthorized modification or destruction of information.
Availability
“Ensuring timely and reliable access to and use of information…” [44 U.S.C., Sec. 3542]
A loss of availability is the disruption of access to or use of information or an information
system.
Based on these definitions, impact levels for each security objective (confidentiality, integrity,
and availability) are specified as low, moderate, and high as defined in FIPS 199, Standards for
Security Categorization of Federal Information and Information Systems, February 2004 (see
Table 3.2 below). The impact levels are used in the selection of security requirements for each
logical interface category.
Table 3.2 POTENTIAL IMPACT
[The body of this table did not survive extraction. It gives the FIPS 199 definitions of the
three levels: a loss of confidentiality, integrity, or availability has LOW impact when it could
be expected to have a limited adverse effect, MODERATE impact when a serious adverse effect,
and HIGH impact when a severe or catastrophic adverse effect on organizational operations,
organizational assets, or individuals.]
financial markets when confidentiality is lost are included in specific logical interface categories
listed below.
• Power system reliability: Keep electricity flowing to customers, businesses, and
industry. For decades, the power system industry has been developing extensive and
sophisticated systems and equipment to avoid or shorten power system outages. In fact,
power system operations have been termed the largest and most complex machine in the
world. Although there are definitely new areas of cyber security concerns for power
system reliability as technology opens new opportunities and challenges, nonetheless, the
existing energy management systems and equipment, possibly enhanced and expanded,
should remain as key cyber security solutions.
• Confidentiality and privacy of customers: As the Smart Grid reaches into homes and
businesses, and as customers increasingly participate in managing their energy,
confidentiality and privacy of their information has increasingly become a concern.
Unlike power system reliability, customer privacy is a new issue.
The impact levels presented in Table 3.3 – Power System Reliability Impact Levels – focus on
impacts to the nation-wide power grid, particularly with regard to grid stability and reliability.
This is an initial analysis and will be revised over the next several months.
Table 3.3 Power System Reliability Impact Levels

Interface Category | Confidentiality | Integrity | Availability | Additional Issues
1a  | L | H | H |
1b  | L | H | M |
1c  | L | H | H |
1d  | L | H | M |
2a  | L | H | H |
2b  | L | H | M |
3a  | H | M | L | Primarily addresses confidentiality and privacy
3b  | H | M | L | Primarily addresses confidentiality and privacy
6*  | L | M | M |
7   | L | H | M |
8   | L | M | M |
9   | L | M | M |
10a | L | H | L |
10b | L | H | H |
11  | L | M | M | For power system reliability, the [entry truncated in source; rows for the remaining categories did not survive extraction]
Logical interface categories 3a, 3b and 12 do not primarily address power system reliability; they
primarily address the confidentiality and privacy of information.
priority for confidentiality. For the Smart Grid the priorities are availability and integrity.
Therefore, the list of baselines is a starting point for the Smart Grid.
Table 3.4 – Proposed Requirements for the Smart Grid 21
Common
Governance, Baseline
DHS Catalog Risk, and Common Unique (using SP 800-
Ref No. Compliance Tech Tech 53 as the
(augmented) Requirement Name (GRC) Reqs Reqs Reqs starting point)
2.1.1 Security Policies and X L, M, H
Procedures
2.2.1 Management Policies and X L, M, H
Procedures
2.2.2 Management X L, M, H
Accountability
2.2.3 Baseline Practices X L, M, H
L, M, H
2.2.4 Coordination of Threat X L, M, H
Mitigation
2.2.5 Security Policies for Third X L, M, H
Parties
2.2.6 Termination of Third Party X L, M, H
Access L, M, H
2.3.1 Personnel Security X L, M, H
Policies and Procedures
2.3.2 Position Categorization X L, M, H
2.3.3 Personnel Screening X L, M, H
2.3.4 Personnel Termination X L, M, H
2.3.5 Personnel Transfer X L, M, H
2.3.6 Access Agreements X L, M, H
2.3.7 Third Party Personnel X L, M, H
Security
2.3.8 Personnel Accountability X L, M, H
2.3.9 Personnel Roles X L, M, H
2.4.1 Physical and X L, M, H
Environmental Security
Policies and Procedures
2.4.2 Physical Access X L, M, H
Authorizations
2.4.3 Physical Access Control X L, M, H (1)
2.4.4 Monitoring Physical X L, M (1), H
21
The revised DHS Catalog is located at http://collaborate.nist.gov/twiki-
sggrid/pub/SmartGrid/NISTIR7628Feb2010/FINAL__Catalog_of_Recommendations_Rev_4_mod_01-18-10.doc
81
Second Draft NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements – Feb 2010
Common
Governance, Baseline
DHS Catalog Risk, and Common Unique (using SP 800-
Ref No. Compliance Tech Tech 53 as the
(augmented) Requirement Name (GRC) Reqs Reqs Reqs starting point)
Access (1,2)
2.4.5 Visitor Control X L, M (1), H (1)
2.4.6 Visitor Records X L, M, H (1)
2.4.7 Physical Access Log X L, M, H
Retention
2.4.8 Emergency Shutoff X M, H
2.4.9 Emergency Power X M, H (1)
2.4.10 Emergency Lighting X L, M, H
2.4.11 Fire Protection X L, M (1,2,3),
H (1,2,3)
2.4.12 Temperature and X L, M, H
Humidity Controls
2.4.13 Water Damage Protection X L, M, H (1)
2.4.14 Delivery and Removal X L, M, H
2.4.15 Alternate Work Site X M, H
2.4.16 Portable Media X L, M (1,2,3),
H (1,2,3)
2.4.17 Personnel and Asset X L, M, H
Tracking
2.4.18 Location of Control X M, H (1)
System Assets
2.4.20 Power Equipment and X M, H
Power Cabling
2.4.21 Physical Device Access X L, M, H
Control
2.5.1 System and Services X L, M, H
Acquisition Policy and
Procedures
2.5.2 Allocation of Resources X L, M, H
2.5.3 Life-Cycle Support X L, M, H
2.5.4 Acquisitions X L, M (1), H
(1,2)
2.5.5 Control System X L, M (1,3), H
Documentation (1,2,3)
2.5.6 Software License Usage X L, M, H
Restrictions
2.5.7 User-installed Software X L, M, H
2.5.8 Security Engineering X M, H
Principals
82
Second Draft NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements – Feb 2010
Common
Governance, Baseline
DHS Catalog Risk, and Common Unique (using SP 800-
Ref No. Compliance Tech Tech 53 as the
(augmented) Requirement Name (GRC) Reqs Reqs Reqs starting point)
2.5.9 Outsourced Control X L, M, H
System Services
2.5.10 Vendor Configuration X M, H
Management
2.5.11 Vendor Security Testing X M,H
2.5.12 Supply Chain Protection X H
2.5.13 Trustworthiness X H
2.6.1 Configuration X L, M, H
Management Policy and
Procedures
2.6.2 Baseline Configuration X L, M (1), H
(1,2,5,6)
2.6.3 Configuration Change X M (2), H (1,2)
Control
2.6.4 Monitoring Configuration X L, M, H
Changes
2.6.5 Access Restrictions for X M, H (1,2,3)
Configuration Change
2.6.6 Configuration Settings X L, M (3), H
(1,2,3)
2.6.7 Configuration for Least X L, M, H
Functionality
2.6.8 Configuration Assets X L, M, H
2.6.9 Addition, Removal, and X L, M, H
Disposition of Equipment L, M, H
2.6.10 Factory Default X L, M, H
Authentication
Management
2.6.11 Configuration X M, H
Management Plan
2.7.1 Strategic Planning Policy X L, M, H
and Procedures
2.7.2 Control System Security X L, M, H
Plan
2.7.3 Interruption Identification X L, M, H
and Classification L, M, H
2.7.4 Incident Roles and X L, M, H
Responsibilities L, M, H
2.7.5 Planning Process X L, M, H
Training
83
Second Draft NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements – Feb 2010
Common
Governance, Baseline
DHS Catalog Risk, and Common Unique (using SP 800-
Ref No. Compliance Tech Tech 53 as the
(augmented) Requirement Name (GRC) Reqs Reqs Reqs starting point)
2.7.6 Testing X L, M, H
2.7.7 Investigate and Analyze X L, M, H
2.7.8 Corrective Action X L, M, H
2.7.9 Risk Mitigation X L, M, H
L, M, H
L, M, H
2.7.10 System Security Plan X L, M, H
Update
2.7.11 Rules of Behavior X L, M, H
2.7.12 Security-Related Activity X M, H
Planning
2.8.1 System and X L, M, H
Communication
Protection Policy and
Procedures
2.8.2 Management Port X M, H
Partitioning
2.8.3 Security Function X L, M, H
Isolation
2.8.4 Information Remnants X M, H
2.8.5 Denial-of-Service X L, M, H
Protection
2.8.6 Resource Priority X none
2.8.7 Boundary Protection X L, M
(1,2,3,4,5,10),
H
(1,2,3,4,5,6,1
0,11)
2.8.8 Communication Integrity X M (1), H (1)
2.8.9 Communication X M (1), H (1)
Confidentially
2.8.10 Trusted Path X none
2.8.11 Cryptographic Key X L, M, H (1)
Establishment and
Management
2.8.12 Use of Validated X L, M, H
Cryptography
2.8.13 Collaborative Computing X L, M, H
2.8.14 Transmission of Security X none
Parameters
84
Second Draft NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements – Feb 2010
Common
Governance, Baseline
DHS Catalog Risk, and Common Unique (using SP 800-
Ref No. Compliance Tech Tech 53 as the
(augmented) Requirement Name (GRC) Reqs Reqs Reqs starting point)
2.8.15 Public Key Infrastructure X M, H
Certificates
2.8.16 Mobile Code X M, H
2.8.17 Voice-over-Internet X M, H
Protocol
2.8.18 System Connections X L, M, H
2.8.19 Security Roles X L, M, H
L, M, H
2.8.20 Message Authenticity X M, H
2.8.21 Architecture and X M, H
Provisioning for
Name/Address
Resolution Service
2.8.22 Secure Name/Address X L (1), M (1), H
Resolution Service (1)
(Authoritative Source)
2.8.23 Secure Name/Address X H
Resolution Service
(Recursive or Caching
Resolver)
2.8.24 Fail in Known State X H
2.8.25 Thin Nodes X None
2.8.26 Honeypots X None
2.8.27 Operating System- X None
Independent Applications
2.8.28 Confidentiality of X M, H
Information at Rest
2.8.29 Heterogeneity X none
2.8.30 Virtualization Techniques X None
2.8.31 Covert Channel Analysis X None
2.8.32 Application Partitioning X M, H
2.8.33 Information System X M, H
Partitioning
2.9.1 Information and X L, M, H
Document Management
Policy and Procedures
2.9.2 Information and X L, M, H
Document Retention
2.9.3 Information Handling X L, M, H
85
Second Draft NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements – Feb 2010
Common
Governance, Baseline
DHS Catalog Risk, and Common Unique (using SP 800-
Ref No. Compliance Tech Tech 53 as the
(augmented) Requirement Name (GRC) Reqs Reqs Reqs starting point)
2.9.4 Information Classification X L, M, H
2.9.5 Information Exchange X
2.9.6 Information and X L, M, H
Document Classification L, M, H
L, M, H
2.9.7 Information and X L, M, H
Document Retrieval
2.9.8 Information and X L, M, H
Document Destruction
2.9.9 Information and X L, M, H
Document Management
Review
2.9.10 Automated Marking X H
2.9.11 Automated labeling X none
2.10.1 System Maintenance X L, M, H
Policy and Procedures
2.10.2 Legacy System Upgrades X L, M, H
2.10.3 System Monitoring and X L, M, H
Evaluation L, M, H
L, M, H
2.10.4 Backup and Recovery X L, M, H
L, M, H
2.10.5 Unplanned System X L, M, H
Maintenance
2.10.6 Periodic System X L, M (1), H
Maintenance (1,2)
2.10.7 Maintenance Tools X M (1,2), H
(1,2,3)
2.10.8 Maintenance Personnel X L, M, H
2.10.9 Remote Maintenance X L, M (1,2), H
(1,2,3)
2.10.10 Timely Maintenance X M, H
2.11.1 Security Awareness X L, M, H
Training Policy and
Procedures
2.11.2 Security Awareness X L, M, H
2.11.3 Security Training X L, M, H
2.11.4 Security Training Records X L, M, H
2.11.5 Contact with Security X none
86
Second Draft NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements – Feb 2010
Common
Governance, Baseline
DHS Catalog Risk, and Common Unique (using SP 800-
Ref No. Compliance Tech Tech 53 as the
(augmented) Requirement Name (GRC) Reqs Reqs Reqs starting point)
Groups and Associations
2.11.6 Security Responsibility X L, M, H
Training
2.12.1 Incident Response Policy X L, M, H
and Procedures
2.12.2 Continuity of Operations X L, M, H
Plan
2.12.3 Continuity of Operations X L, M, H
Roles and
Responsibilities
2.12.4 Incident Response X L, M, H
Training
2.12.5 Continuity of Operations X L, M (1), H
Plan Testing (1,2)
M, H (1)
2.12.6 Continuity of Operations X L, M, H
Plan Update
2.12.7 Incident Handling X L, M (1), H (1)
2.12.8 Incident Monitoring X L, M, H (1)
2.12.9 Incident Reporting X L, M (1), H (1)
2.12.10 Incident Response X L, M (1), H (1)
Assistance
2.12.11 Incident Response X L, M, H
Investigation and Analysis
2.12.12 Corrective Action X L, M, H
L, M, H
2.12.13 Alternative Storage Sites X M (1,2), H
(1,2,3)
2.12.14 Alternate X M (1,3), H
Command/Control (1,3)
Methods M (1,2), H
(1,2,3,4)
2.12.15 Alternate Control Center X M (1,2,3,5), H
(1,2,3,4,5)
M (1,2), H
(1,2,3,4)
2.12.16 Control System Backup X L, M (1), H
(1,2,3)
2.12.17 Control System Recovery X L, M (2,3), H
and Reconstitution (2,3,4)
87
Second Draft NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements – Feb 2010
Common
Governance, Baseline
DHS Catalog Risk, and Common Unique (using SP 800-
Ref No. Compliance Tech Tech 53 as the
(augmented) Requirement Name (GRC) Reqs Reqs Reqs starting point)
2.12.18  Fail-Safe Response  X  H
2.13.1  Media Protection and Procedures  X  L, M, H
2.13.2  Media Access  X  L, M (1), H (1)
2.13.3  Media Classification  X  M, H
2.13.4  Media Labeling  X  M, H
2.13.5  Media Storage  X  M, H
2.13.6  Media Transport  X  M (2), H (2,3)
2.13.7  Media Sanitization and Storage  X  L, M, H (1,2)
2.14.1  System and Information Integrity Policy and Procedures  X  L, M, H
2.14.2  Flaw Remediation  X  L, M (2), H (1,2)
2.14.3  Malicious Code Protection  X  L, M (1,2,3), H (1,2,3)
2.14.4  System Monitoring Tools and Techniques  X  M (2,4,5,6), H (2,4,5,6)
2.14.5  Security Alerts and Advisories  X  L, M, H (1)
2.14.6  Security Functionality Verification  X  H
2.14.7  Software and Information Integrity  X  M (1), H (1,2)
2.14.8  Spam Protection  X  M, H (1)
2.14.9  Information Input Restrictions  X  M, H
2.14.10  Information Input Accuracy, Completeness, Validity and Authenticity  X  M, H
2.14.11  Error Handling  X  M, H
2.14.12  Information Output Handling and Retention  X  L, M, H
2.14.13  Predictable Failure Prevention  X  none
2.15.1  Access Control Policies and Procedures  X  L, M, H
2.15.2  Identification and Authentication Procedures and Policy  X  L, M, H
2.15.3  Account Management  X  L, M (1,2,3,4), H (1,2,3,4)
2.15.4  Identifier Management  X  L, M, H
2.15.5  Authenticator Management  X  L, M (1,2), H (1,2)
2.15.6  Supervision and Review  X  L, M, H
2.15.6 (cont.)  L, M, H (1)
2.15.7  Access Enforcement  X  L, M, H
2.15.8  Separation of Duties  X  M, H
2.15.9  Least Privilege  X  M, H
2.15.10  User Identification and Authentication  X  L (1), M (1,2,3), H (1,2,3,4)
2.15.11  Permitted Actions without Identification and Authentication  X  L, M (1), H (1)
2.15.12  Device Authentication and Identification  X  M, H
2.15.13  Authenticator Feedback  X  L, M, H
2.15.14  Cryptographic Module Authentication  X  L, M, H
2.15.15  Information Flow Enforcement  X  M, H
2.15.16  Passwords  X  L, M, H
2.15.17 (fed gov’t reqmt)  System Use Notification  X  L, M, H
2.15.18  Concurrent Session Control  X  H
2.15.19 (fed gov’t reqmt)  Previous Logon Notification  X  none
2.15.20 (fed gov’t reqmt)  Unsuccessful Logon Notification  X  L, M, H
2.15.21  Session Lock  X  M, H
2.15.22  Remote Session Termination  X  M, H (1)
2.15.23  Remote Access Policy and Procedures  X  L, M, H
2.15.24  Remote Access  X  L, M (1,2,3,4,6,10,11,12), H (1,2,3,4,5,6,10,11,12)
2.15.25  Access Control for Portable and Mobile Devices  X  L, M (1,2,3), H (1,2,3)
2.15.26  Wireless Access Restrictions  X  L, M (1), H (1,2)
2.15.27  Personally Owned Information  X  L, M, H
2.15.28  External Access Protections  X  L, M, H
2.15.29  Use of External Information Control Systems  X  L, M (1,2), H (1,2)
2.15.30  Publicly Accessible Content  X  L, M, H
2.16.1  Audit and Accountability Process and Procedures  X  L, M, H
2.16.2  Auditable Events  X  L, M (3,4), H (3,4)
2.16.3  Content of Audit Records  X  L, M (1), H (1,2)
2.16.4  Audit Storage Capacity  X  L, M, H
2.16.5  Response to Audit Processing Failures  X  L, M, H (1,2)
2.16.6  Audit Monitoring, Analysis, and Reporting  X  L, M, H (1)
2.16.7  Audit Reduction and Report Generation  X  M (1), H (1)
2.16.8  Time Stamps  X  L, M (1), H (1)
2.16.9  Protection of Audit Information  X  L, M, H
2.16.10  Audit Record Retention  X  L, M, H
2.16.11  Conduct and Frequency of Audits  X  L, M, H
2.16.11 (cont.)  L, M, H
2.16.12  Auditor Qualification  X
2.16.13  Audit Tools  X
2.16.14  Security Policy Compliance  X  L, M, H
2.16.14 (cont.)  L, M, H
2.16.15  Audit Generation  X  L, M, H (1)
2.16.16  Non-Repudiation  X  H
2.17.1  Monitoring and Reviewing Control System Security Management Policy and Procedures  X  L, M, H
2.17.2  Continuous Improvement  X
2.17.3  Monitoring of Security Policy  X  L, M (1), H (1)
2.17.4  Best Practices  X
2.17.5 (fed gov’t reqmt)  Security Accreditation  X  L, M, H
2.17.6 (fed gov’t reqmt)  Security Certification  X  L, M (1), H (1)
2.18.1  Risk Assessment Policy and Procedures  X  L, M, H
2.18.2  Risk Management Plan  X  L, M, H
2.18.3 (fed gov’t reqmt)  Certification, Accreditation, and Security Assessment Policies and Procedures  X  L, M, H
2.18.4  Security Assessments  X  L, M, H
2.18.5  Control System Connections  X  L, M, H
2.18.6 (fed gov’t reqmt)  Plan of Action and Milestones  X  L, M, H
2.18.7  Continuous Monitoring  X  L, M, H
2.18.8  Security Categorization  X  L, M, H
2.18.9  Risk Assessment  X  L, M, H
2.18.10  Risk Assessment Update  X  L, M, H
2.18.11  Vulnerability Assessment and Awareness  X  L, M (1), H (1,2,3,4,6,8)
2.18.12  Identify, Classify, Analyze, and Prioritize Potential Security Risks  X  L, M, H
2.19.1  Security Program Plan  X  L, M, H
2.19.2  Senior Security Officer  X  L, M, H
2.19.3 (fed gov’t reqmt)  Security Resources  X  L, M, H
2.19.4 (fed gov’t reqmt)  Plan of Action and Milestones Process  X  L, M, H
2.19.5 (fed gov’t reqmt)  System Inventory  X  L, M, H
2.19.6 (fed gov’t reqmt)  Security Measures of Performance  X  L, M, H
2.19.7  Enterprise Architecture  X  L, M, H
2.19.8 (fed gov’t reqmt)  Critical Infrastructure Plan  X  L, M, H
2.19.9  Risk Management Strategy  X  L, M, H
2.19.10 (fed gov’t reqmt)  Security Authorization Process  X  L, M, H
2.19.11  Mission/Business Process Definition  X  L, M, H
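The mapping table above records, for each DHS catalog requirement, the SP 800-53 baselines (L, M, H) at which it applies and, in parentheses, the control enhancements that go with each baseline. Teams that track compliance usually need this in machine-readable form. The following Python is an added example written for this page; it is not code from NISTIR 7628. It assumes that a parenthesised list after an impact level names SP 800-53 control enhancement numbers, that "none" or an empty baseline column means the requirement has no baseline mapping, and that a "(fed gov't reqmt)" tag marks a federal-government-only requirement. The sample rows are copied from the table, with the single "X" kept as it appears because the flattened text does not show which of the GRC / Common Tech / Unique Tech columns it sat in.

```python
import re
from dataclasses import dataclass, field

# Sample rows taken from the mapping table above (the "X" column is kept verbatim).
SAMPLE_ROWS = [
    "2.12.9 Incident Reporting X L, M (1), H (1)",
    "2.14.13 Predictable Failure Prevention X none",
    "2.15.10 User Identification and Authentication X L (1), M (1,2,3), H (1,2,3,4)",
    "2.15.24 Remote Access X L, M (1,2,3,4,6,10,11,12), H (1,2,3,4,5,6,10,11,12)",
    "2.16.12 Auditor Qualification X",
    "2.17.5 (fed gov't reqmt) Security Accreditation X L, M, H",
]

# ref no., requirement name, the "X" marker, then an optional baseline string.
ROW_RE = re.compile(r"^(?P<ref>\d+\.\d+\.\d+)\s+(?P<name>.*?)\s+X(?:\s+(?P<baseline>.*))?$")
# One impact level, optionally followed by "(n, n, ...)" enhancement numbers.
LEVEL_RE = re.compile(r"\b(?P<level>[LMH])\b\s*(?:\((?P<enh>[\d,\s]*)\))?")


@dataclass
class Requirement:
    ref: str
    name: str
    fed_gov_only: bool
    # impact level -> sorted SP 800-53 enhancement numbers (assumption, see lead-in)
    baselines: dict = field(default_factory=dict)


def parse_baseline(text):
    """'L, M (1), H (1,2)' -> {'L': [], 'M': [1], 'H': [1, 2]}; 'none' or '' -> {}."""
    text = (text or "").strip()
    if not text or text.lower() == "none":
        return {}
    out = {}
    for m in LEVEL_RE.finditer(text):
        enh = m.group("enh")
        out[m.group("level")] = (
            sorted(int(n) for n in enh.split(",") if n.strip()) if enh else []
        )
    return out


def parse_row(line):
    """Turn one table row into a Requirement; raises on an unrecognised row."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    name = m.group("name")
    fed = "(fed gov" in name
    name = re.sub(r"\(fed gov.?t reqmt\)\s*", "", name).strip()
    return Requirement(m.group("ref"), name, fed, parse_baseline(m.group("baseline")))


def applicable_at(reqs, level):
    """Refs whose baseline includes the given impact level ('L', 'M' or 'H')."""
    return [r.ref for r in reqs if level in r.baselines]


def enhancements_for(reqs, ref, level):
    """Enhancement numbers required for one requirement at one impact level."""
    for r in reqs:
        if r.ref == ref:
            return r.baselines.get(level, [])
    raise KeyError(ref)


if __name__ == "__main__":
    reqs = [parse_row(r) for r in SAMPLE_ROWS]
    print("Low baseline:", applicable_at(reqs, "L"))
    print("2.15.24 at High:", enhancements_for(reqs, "2.15.24", "H"))
```

Rows whose continuation ("(cont.)") line carries a second baseline string are a second `parse_baseline` call on that string; the example treats each table row as one line, so multi-line rows in the raw extraction should be joined first.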
DHS Catalog Req  |  Logical Interface Categories
                    1a 1b 1c 1d 2a 2b 3a 3b 6 7 8 9 10a 10b 11 12 13 14 15 16 17 18
2.8.20 X X X X X X X X X X X X X X X X X X X X X
2.8.21* X X X X X
2.8.22 X
2.8.23 X
2.8.24 X X X X X X X X X X X X X X X X X X X X X
2.8.25
2.8.26
2.8.27
2.8.28 X X X X X X X X
2.8.29
2.8.30
2.8.31
2.8.32 X
2.8.33 X
2.14.7 X X X X X X X X X X X X X X X X X X X X X
2.14.8 X X X
2.14.10 X X X X X X X X X X X X X X X X X X X X
2.14.11 X X X X X X X X X X X X X X X X X X X X
2.15.8 X X X X X X X
2.15.9 X X X X X X X X X X X X X X X X X X
2.15.10 X X X X X X X X X X X X X X X X X X X
2.15.11 X X X X X X X X X X X X X X X X X X
2.15.12 X X X X X X X X X X X X
2.15.13 X X X X X X X X X
2.15.14 X X X X X X X X X X
2.15.15 X X X X X X
2.15.16 X X X X X X X X X X X X X X X X X X X X
2.15.17 (fed gov’t reqmt) X X X
2.15.18
2.15.19 (fed gov’t reqmt)
2.15.20 (fed gov’t reqmt)
2.15.21 X X X
2.15.22 X X
2.15.23 X X X X
2.15.24 X X X
2.15.25 X X X X X X X X X
2.15.26 X X X X X X X X X X X X X X X
2.15.27 X X X X
2.16.2 X X X X X X X X X X X X X X X X X X X X X
2.16.3 X X X X X X X X X X X X X X X X X X X X X
2.16.4 X X X X X X X X X X X X X X X X X X X X X
2.16.15 X X X X X X X X X X X X X X X X X X X X X
2.16.16 X X X X X X X X X X
2.18.5 X X X X X X X X X X X X X X X
Additional criteria must be used in determining the cyber security requirements before selecting
the cyber security measures. These additional criteria must take into account the characteristics
of the interface, including the constraints and issues posed by device and network technologies,
the existence of legacy systems, varying organizational structures, regulatory and legal policies,
and cost criteria.
Once these interface characteristics are applied, cyber security requirements can be selected
that are specific enough to apply to the interfaces yet general enough to permit
different cyber security solutions that meet the requirements, or to embrace new security
technologies as they are developed. This cyber security
information can then be used in subsequent steps to select cyber security controls for the Smart
Grid.
3.7.5 Use of Existing Power Technologies to Address the Cyber Security Requirements
Power system operations have been managing the reliability of the power grid for decades, with
availability of power as the major requirement and the integrity of information as a
secondary, but increasingly critical, requirement. Confidentiality of customer information has
also been important in the normal revenue billing processes. Although focused on inadvertent
security problems, such as equipment failures, careless employees, and natural disasters, many of
the existing methods and technologies can be expanded to address deliberate cyber security
attacks and security compromises resulting from the expanded use of IT and telecommunications
in the electric sector.
One of the most important security solutions is to utilize and augment existing power system
technologies to address new risks associated with the Smart Grid. These power system
management technologies (e.g., SCADA systems; EMS; contingency analysis applications; fault
location, isolation, and restoration functions; as well as revenue protection capabilities) have
been refined for years to address the increasing reliability requirements and complexity of power
system operations. These technologies are designed to detect anomalous events, notify the
appropriate personnel or systems, continue operating during an incident/event, take remedial
actions, and log all events with accurate timestamps.
In the past, there has been minimal need for distribution management except for load shedding to
avoid serious problems. In the future, with generation, storage, and load on the distribution grid,
utilities will need to implement more sophisticated power-flow-based applications to manage the
distribution grid. Also, AMI systems can be used to provide energy-related information and act
as secondary sources of information. These power-flow-based applications and AMI systems
could be designed to address security.
Finally, metering has addressed concerns about confidentiality of revenue and customer
information for many years. The implementation of smart meters has increased those concerns.
However, many of the same concepts for revenue protection could also be used for the Smart
Grid.
To summarize, expanding existing power system management capabilities to cover specific
security requirements, such as power system reliability, is an important area for future analysis.
• Currently, physical security is outside of the scope of this document. This will be
reviewed for the final version of this document.
CHAPTER FOUR
PRIVACY AND THE SMART GRID
The SGIP-CSWG Privacy Sub-group conducted a privacy impact assessment (PIA) for the
consumer-to-utility portion of the Smart Grid. In the months following the PIA, the group
additionally considered the privacy impacts and risks throughout the entire Smart Grid structure,
and also began to conduct an overview of the laws, regulations and standards [22] relevant to the
privacy of energy consumption data. The focus of the Privacy group has been on what data may
be collected or created that can reveal information about individuals or activities within specific
premises (both residential and commercial), how these different types of information may be
exploited, and policies and practices to identify and mitigate risks.
While the evolving Smart Grid will present societal benefits in the form of energy efficiency and
grid reliability, it also presents potential privacy risks. The ability to access, analyze and respond
to much more precise and detailed data from all levels of the electric grid is critical to the major
benefits of the Smart Grid, and it is also a significant concern from a privacy viewpoint,
especially when this data, and data extrapolations, are associated with individual consumers or
locations. Some media articles have raised serious concerns [23] about the type and amount of
billing, usage, appliance and other related information flowing throughout the various
components of the Smart Grid.
There are also concerns across multiple industries about data aggregation of “anonymized”
data [24]. For example, in other situations, taking multiple pieces of “anonymized” data has been
shown by various studies to actually reveal specific individuals [25]. Frequent meter readings may
provide not only a detailed time-line of activities occurring inside a metered location (see Figure
4.1), they could also lead to knowledge being gained about specific equipment usage or other
internal business processes.
[22] See Appendix E for a preliminary list of state laws and regulations applicable to the electric sector.
[23] One example of this is available at http://www.philly.com/inquirer/business/20090906_Utilities__smart_meters_save_money__but_erode_privacy.html
[24] http://epic.org/privacy/reidentification/
[25] For one example of such a study, see the technical paper, "Trail Re-identification: Learning Who You are From Where You Have Been" by Bradley Malin, Latanya Sweeney and Elaine Newton, abstract available at http://privacy.cs.cmu.edu/people/sweeney/trails1.html.
[26] Elias Leake Quinn, Smart Metering & Privacy: Existing Law and Competing Policies, Spring 2009, pg. 3. Available at http://www.dora.state.co.us/puc/DocketsDecisions/DocketFilings/09I-593EG/09I-593EG_Spring2009Report-SmartGridPrivacy.pdf.
The proliferation of smart appliances and utility devices throughout the grid, on both sides of the
meter, means an increase in the number of devices that may generate data. The privacy risks
presented by these smart appliances and devices on the customer side of the meter are expanded
when these appliances and devices transmit data outside of the Home Automation Network
(HAN) or building management system and do not have documented security requirements,
effectively extending the perimeter of the system beyond the walls of the premises.
Data may also be collected from electric vehicles and plug-in hybrid electric vehicles
(EVs/PHEVs). Charging data may be used to track the travel times and locations for the
EV/PHEV owners.
These risks may be addressed by policies and practices that are implemented with the evolution
of the Smart Grid. During July and August of 2009 the Privacy subgroup of the SGIP-CSWG
conducted an initial Privacy Impact Assessment (PIA) for the consumer-to-utility portion of the
Smart Grid and an overview of the laws, regulations and standards relevant to the privacy of
information related to consumers' personal energy consumption.
The following questions were identified and addressed in the process of performing the PIA and
in the follow-on discussions of the findings:
[27] NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0. Available at http://www.nist.gov/public_affairs/releases/smartgrid_interoperability_final.pdf.
against the OECD Privacy Principles [31] and the Generally Accepted Privacy Principles (GAPP) [32],
which form the basis of most international, national and local data protection laws, along with
consideration of safeguards as found in the international information security standard ISO/IEC
27001, also widely used for data protection regulatory compliance.
The following privacy principles were developed using the principles from the OECD Privacy
Principles, the GAPP, and principles from ISO/IEC 27001. These are very general privacy
principles designed to be applicable across a broad range of industries. They are not mandatory
requirements.
Following each of the privacy principles are the related findings from the PIA. Following each
of the findings are suggested privacy practices that may serve as mitigations for the concerns
associated with each principle. If an organization has existing privacy responsibilities, policies,
and procedures defined, the organization should consider reviewing, updating, and potentially
augmenting these responsibilities, policies, and procedures to address the new privacy issues
associated with the Smart Grid.
[31] OECD Privacy Principles: http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html
[32] GAPP: http://infotech.aicpa.org/Resources/Privacy/Generally+Accepted+Privacy+Principles/Generally+Accepted+Privacy+Principles.htm
2. Notice and Purpose: A clearly-specified notice should exist and be shared in advance of
the collection, use, retention, and sharing of energy usage data and personal information.
Finding:
The data obtained from Smart Grid systems and accompanying potential and actual uses
for that data create the need for organizations to be more transparent and clearly provide
notice documenting the types of information items collected, and the purposes for
collecting the data.
Suggested Privacy Practices:
• Provide notification for the personal information collected. Any organization
collecting energy usage data from or about premises should consider validating or
adopting a process to notify the premises’ inhabitants, and person(s) paying the bills
(which may be different entities) when appropriate, of the data being collected, why it
is necessary to collect the data, and describe the use, retention, and sharing of the
data. This notification should consider including information about when and how
information may or may not be shared with law enforcement officials. Data subjects
should be told this information before the time of collection.
• Provide notification for new information use purposes and collection.
Organizations should consider updating customer notifications whenever an
organization wants to start using existing collected data for a materially different
purpose than the customer has authorized. Also, organizations should notify the
recipients of services whenever any organization wants to start collecting additional
data beyond that already being collected, along with providing a clear explanation of
why the additional data is necessary.
3. Choice and Consent: The organization should describe the choices available to
individuals and obtain explicit consent if possible, or implied consent when this is not
feasible, with respect to the collection, use, and disclosure of their personal information.
Finding:
Currently it is not readily apparent that utilities or other entities within the Smart Grid
obtain consent to use the personal information generated and collected for purposes other
than billing. As smart meters increase capabilities and expand sharing of the data
throughout the Smart Grid network, organizations should consider giving residents a
choice about the types of data collected and how it is used.
Suggested Privacy Practice:
• Provide notification about choices. This notification should include a clearly
worded description to the recipients of services that (1) sets out any choices
available to them about the information being collected, with explicit consent
obtained when possible; and (2) explains why data items are being collected and used
without obtaining consent from the individual (for example, needing certain pieces of
information to restore service in a timely fashion).
4. Collection and Scope: Only personal information that is required to fulfill the stated
purpose should be collected from individuals. Treatment of the information should
conform to these privacy principles.
Finding:
In the current operation of the electric grid, data taken from meters consists of basic data
usage readings required to create bills. Under a Smart Grid implementation, other types
of data may be collected. Some of this additional data may be personal information.
Because of the associated privacy risks, only the minimum amount of data necessary for
service provision and billing should be collected. Home power generation services will
likely increase the amount of information created and shared.
Suggested Privacy Practices:
• Limit the collection of data to that necessary for grid operations, including planning
and management, improving energy use and efficiency, account management and
billing.
5. Use and Retention: Information should only be used or disclosed for the purpose for
which it was collected, and should only be divulged to those parties authorized to receive
it. Personal information should be aggregated or anonymized wherever possible to limit
the potential for computer matching of records. Personal information should only be kept
as long as is necessary to fulfill the purposes for which it was collected.
Finding:
In the current operation of the electric grid, data taken from meters is used to create
residents’ bills, determine energy use trends, and allow customers to control their energy
usage both on-site and remotely. The Smart Grid will provide data that can be used in
ways not possible currently.
Suggested Privacy Practices:
• Review privacy policies and procedures. Any organization collecting energy usage
data from or about premises should review existing privacy policies to determine how
they may need to be modified. This review should include privacy policies already in
place in other industries that may provide a model for the Smart Grid.
6. Individual Access: Organizations should provide a process for personal information data
subjects to allow them to ask to see their corresponding personal information and to
7. Disclosure and Limiting Use: Personal information should be used only for the purposes
for which it was collected. Personal information should not be disclosed to any other
parties except for those identified in the notice, or with the explicit consent of the service
recipient.
Finding:
As Smart Grid implementations collect more granular and detailed information, this
information is potentially revelatory of activities and equipment usage in a given location.
As this information may reveal business activities, manufacturing procedures, and
personal activities, significant privacy concerns and risks arise when the information is
disclosed without the knowledge, consent and authority of the individual or organization
to which the information applies.
Suggested Privacy Practice:
• Limit information use. Data on energy or other service usage obtained from Smart
Grid operations should only be used or disclosed for the authorized purposes for
which it was collected, and should only be divulged to or shared with those parties
authorized to receive it and with whom the organizations have told the recipients of
services it would be shared. This becomes more important as energy usage data
becomes more granular, more refined, and has more potential for commercial uses.
8. Security and Safeguards: Personal information, in all forms, should be protected from
loss, theft, unauthorized access, disclosure, copying, use, or modification.
Finding:
Data on energy or other service usage may be transmitted to and stored in multiple
locations throughout the Smart Grid. Establishing strong security safeguards may be
necessary to protect the collected data from loss, theft, unauthorized access, disclosure,
copying, use, or modification.
Suggested Privacy Practices:
• Associate energy data with individuals only when and where required, for
example only linking equipment data with a location or customer account when
needed for billing, service restoration, or other operational needs. This practice is
already common in the utility industry, and should be maintained and applied to other
entities obtaining or using this data as the Smart Grid is further deployed.
• De-identify information. Usage data and any resulting information, such as monthly
charges for service, collected as a result of Smart Grid operations should be
aggregated and anonymized by removing personal information elements wherever
possible to ensure usage of data from individual premises is limited appropriately.
This may not be possible for some business activities, such as for billing.
• Safeguard personal information. Any organizations collecting, processing or
handling energy usage data and other personal information from or about premises
should ensure that all information collected and subsequently created about the
recipients of services is appropriately protected in all forms from loss, theft,
unauthorized access, disclosure, copying, use or modification. This practice is
common in the utility industry; however, as other entities may have commercial uses
for this information, these requirements should be reviewed by these other entities. In
addition, given the growing granularity of information from Smart Grid operations,
the responsibility for these existing policies should be reviewed and potentially
augmented.
• Don’t use personal information for research purposes. Any organization
collecting energy usage data and other personal information from or about premises
should refrain from using actual consumer personal information for research. There
is currently and will be a great deal of research being conducted both inside and
outside the utility industry on the Smart Grid, its effect upon demand response, and
other topics. The use of actual information that can be linked to a consumer in this
research would increase the risk of inadvertent exposure.
9. Accuracy and Quality: Every effort should be made to ensure that the data usage
information is accurate, complete, and relevant for the purposes identified in the notice,
and remains accurate throughout the life of the data usage information while within the
control of the organization.
Finding:
The data collected from smart meters and related equipment will potentially be stored in
multiple locations throughout the Smart Grid. Smart Grid data may be automatically
collected in a variety of ways. Establishing strong security safeguards will be necessary
to protect the information. Since Smart Grid data may be stored in many locations, and
therefore, accessed by many different individuals and entities and used for a very wide
variety of purposes, personal information may be inappropriately modified. Automated
decisions about home energy use could be detrimental for residents (e.g., restricted
power, thermostats turned to dangerous levels), while decisions about personal energy
consumption could be based upon inaccurate information.
Potential Privacy Practice:
10. Openness, Monitoring, and Challenging Compliance: Privacy policies should be made
available to service recipients. These service recipients should be given the ability and
process to challenge an organization’s compliance with their state privacy regulations and
organizational privacy policies as well as their actual privacy practices.
Finding:
In the current electric grid, utilities follow a wide variety of methods and policies for
communicating to service recipients how personal information is used. The data collected
from new smart meters and related equipment will potentially be stored in multiple
locations throughout the Smart Grid, possibly within multiple states. This complicates
the openness of organizational privacy compliance and being able to challenge the
organization’s compliance with privacy policies and practices.
Suggested Privacy Practices:
• Policy challenge procedures. Organizations collecting energy usage data, and all
other entities throughout the Smart Grid, should establish procedures that allow
service recipients to have the ability and process to challenge the organization’s
compliance with their published privacy policies as well as their actual privacy
practices. This becomes more important as energy usage data becomes more
granular, more refined, and has more potential for commercial uses.
• Perform regular privacy impact assessments. Any organization collecting energy
usage data from or about premises should consider performing annual PIAs, and
providing a copy of the results to each involved state's public utilities commissioner’s
office to review. This will help to assure compliance with appropriate state policies
and provide an accessible public record. Organizations should also perform a PIA on
each new system, network, or Smart Grid application and consider providing a copy
of the results to each involved state's public utilities commissioner’s office to review.
• Establish breach notice practices. Any organization collecting energy usage data
from or about premises should consider expanding or establishing policies and
procedures to identify breaches and misuse of Smart Grid data, along with expanding
or establishing procedures and plans for notifying service recipients in a timely
manner with appropriate details about the breach. This becomes particularly
important as billing information may newly be transmitted between utilities, and
other information between utilities and other entities providing services in a Smart
Grid environment (e.g., third-party energy efficiency service providers).
[33] http://www.cs.colostate.edu/~cs656/presentations-2009/HeYan-kAnonimity.ppt
[34] http://usacm.acm.org/usacm/VRD/
[35] L. Sweeney, Uniqueness of Simple Demographics in the U.S. Population, LIDAPWP4. Carnegie Mellon University, Laboratory for International Data Privacy, Pittsburgh, PA: 2000.
[36] Alessandro Acquisti and Ralph Gross, Predicting Social Security numbers from public data, May 5, 2009, http://www.pnas.org/content/106/27/10975.full.pdf+html
of the data sets contained anonymized information; the other contained outside information,
generally available to the public and collected on a routine basis, which included identifying
information. If both datasets have at least one type of information that is the same, the
anonymized information may be linked to an individual, or may narrow the possibilities to the
point that linkage is trivial. While current privacy and security practices tend to focus on the
removal of personally identifiable information (PII), the studies above show that re-identification
can occur. This issue of data re-identification becomes potentially much more significant as the
amount and granularity of the data being gathered during Smart Grid operations increase as more
components of the Smart Grid are deployed.
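The re-identification risk described above, and the "de-identify information" practice under principle 8 (aggregate and anonymize by removing personal information elements), can both be made concrete with a small release pipeline. The Python below is an added example written for this page, not code from NISTIR 7628 or from any utility's systems. It works on a constructed set of 15-minute interval readings (all values invented), drops the account identifier, rolls readings up to hourly totals, generalizes the two quasi-identifiers that an outside dataset could share (ZIP code and account holder's birth year), and then measures the k-anonymity of the result: the smallest number of premises that share one quasi-identifier combination. If any premises is unique on those fields (k = 1), the release is linkable to an outside record in exactly the way the studies cited above describe, so the code coarsens further before releasing. The generalization ladder and the k threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample of 15-minute interval meter readings (values invented):
# (account id, ZIP code, account holder's birth year, timestamp "YYYY-MM-DDTHH:MM", kWh).
# The account id is a direct identifier; ZIP code and birth year are quasi-identifiers
# of the kind that an outside, publicly available dataset could also carry.
READINGS = [
    ("ACCT-1001", "80301", 1975, "2010-02-01T06:00", 0.21),
    ("ACCT-1001", "80301", 1975, "2010-02-01T06:15", 0.34),
    ("ACCT-1001", "80301", 1975, "2010-02-01T07:00", 0.12),
    ("ACCT-1002", "80302", 1971, "2010-02-01T06:00", 0.08),
    ("ACCT-1002", "80302", 1971, "2010-02-01T06:30", 0.09),
    ("ACCT-1003", "80303", 1978, "2010-02-01T06:45", 0.55),
    ("ACCT-1004", "80205", 1990, "2010-02-01T06:00", 0.40),
    ("ACCT-1004", "80205", 1990, "2010-02-01T07:15", 0.41),
    ("ACCT-1005", "80205", 1985, "2010-02-01T06:00", 0.30),
]

# Generalisation ladder tried in order: (ZIP digits kept, width of birth-year bucket).
# Each rung is coarser than the last; the final rung collapses both fields entirely.
LADDER = ((3, 10), (2, 20), (1, 50), (0, 100))


def generalize(zip_code, birth_year, zip_digits, year_bucket):
    """Coarsen the quasi-identifiers: keep a ZIP prefix and round the birth year down."""
    return zip_code[:zip_digits], (birth_year // year_bucket) * year_bucket


def de_identify(readings, zip_digits=3, year_bucket=10):
    """Remove the direct identifier, generalise the quasi-identifiers and roll the
    15-minute readings up to hourly totals. The account id is replaced by a token
    assigned in order of first appearance, so nothing in the output derives from it."""
    hourly = defaultdict(float)
    tokens = {}
    for acct, zip_code, year, ts, kwh in readings:
        token = tokens.setdefault(acct, len(tokens))
        zp, dec = generalize(zip_code, year, zip_digits, year_bucket)
        hourly[(token, zp, dec, ts[:13])] += kwh        # ts[:13] is "YYYY-MM-DDTHH"
    return [(tok, zp, dec, hr, round(kwh, 3))
            for (tok, zp, dec, hr), kwh in sorted(hourly.items())]


def k_anonymity(rows):
    """The k of this release: the smallest number of distinct premises that share
    one (ZIP prefix, birth bucket) combination. k == 1 means some premises are
    unique on the quasi-identifiers and could be linked to an outside record."""
    classes = defaultdict(set)
    for tok, zp, dec, _hr, _kwh in rows:
        classes[(zp, dec)].add(tok)
    return min(len(s) for s in classes.values()) if classes else 0


def release(readings, k_min=2):
    """Walk the generalisation ladder until every class holds at least k_min premises.
    Returns (rows, k, zip_digits, year_bucket), or None if no rung is safe."""
    for zip_digits, year_bucket in LADDER:
        rows = de_identify(readings, zip_digits, year_bucket)
        k = k_anonymity(rows)
        if k >= k_min:
            return rows, k, zip_digits, year_bucket
    return None


if __name__ == "__main__":
    rows, k, zd, yb = release(READINGS, k_min=2)
    print(f"released {len(rows)} hourly rows at k={k} (ZIP digits={zd}, year bucket={yb})")
    for row in rows:
        print(row)
```

On the sample data the first rung (3-digit ZIP, birth decade) leaves two premises unique, so a k of 2 is only reached at the second rung; demanding k of 3 forces the third rung, where all five premises fall into one class. That trade-off, utility of the release against the size of the smallest class, is the decision the "de-identify information" practice leaves to the organization, and k-anonymity on the quasi-identifiers is one measurable way to make it.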
Table 4.1 identifies potential data and descriptions of information that may be available in the
Smart Grid.
• Type II: Mechanisms for obtaining (or manipulating) personal information that did not
previously exist.
Examples of Type I include detailed information on the appliances and equipment in use at a
given location, and finely grained time series data on power consumption at metered locations
and from individual appliances.
Type II includes instances where personal information is available from other sources, and the
Smart Grid may present a new source for that same information. For example, an individual’s
physical location can be tracked through their credit card and cell phone records today. Charging
EVs/PHEVs raises the possibility of tracking physical location through new energy consumption
data.
Columns: Privacy Concern; Discussion; Categorization

(continued from the previous page)
Discussion (cont.): ... get this information to know who, how and why individuals used their products in certain ways.
• Such information could impact appliance warranties.
• Other entities may want this data to do targeted marketing.

Privacy Concern: Perform Real-Time Remote Surveillance
Discussion: Access to live energy use data can reveal if people are in a facility or residence, what they are doing, where they are in the structure, and so on.
Categorization: Type II: Many methods of real-time surveillance currently exist. The availability of computerized real-time or near real-time energy usage data would create another way in which such surveillance could be conducted.

Privacy Concern: Non-Grid Commercial Uses of Data
Discussion: Personal energy consumption data storage may reveal lifestyle information that could be of value to many entities including vendors of a wide range of products and services.
• Vendors may purchase attribute lists for targeted sales and marketing campaigns that may not be welcomed by those targets.
Categorization: Under the existing metering and billing systems, meter data is not sufficiently granular in most cases to reveal any detail about activities. However, smart meters, time of use and demand rates, and direct load control of equipment may create detailed data which could be sold and used for energy management analyses and peer comparisons. While this information has beneficial value to third parties, consumer education about protecting that data has considerable positive outcomes.
Many of the concerns relating to Smart Grid and privacy may be addressed by limiting the
information required to that which is necessary from an operational standpoint.
Where there is an operational need for information, controls should be implemented to ensure
that data is collected only where such a need exists. Organizations may want to develop policies
to determine what customer and premises information should be confidential and how that
information should be retained, distributed internally and secured from breach. As noted in other
parts of this document, training employees is critical to implementing this policy. Similarly,
service recipients should be informed as to what information the organization is collecting and
how that information will be used. Service recipients may also need the ability to inspect that
information for accuracy and quality, as recommended in the privacy principles listed above.
Existing business rules, standards, laws and regulations previously considered applicable to other
sectors of the economy might be usable as models to provide protection against Type II areas of
concern. However, because of the current technology used for the collection of the data, Type I
concerns may require new rules of business, standards or regulation. These issues are discussed
in more detail in the following sections.
1. The evolving Smart Grid technologies and associated new types of information related to
individuals and premises may create privacy risks and challenges that are not addressed
or mitigated by existing laws and regulations with regard to energy consumption, billing
and other related Smart Grid data.
2. New Smart Grid technologies, and particularly smart meters and similar types of
endpoints, may also create new privacy risks and concerns beyond the existing practices
and policies of the organizations that have been historically responsible for protecting
energy consumption data collected from the traditional electrical grid.
Given these realities and findings, it is hoped that the information contained in this chapter will
serve as a useful guide and reference for the wide variety of Smart Grid domain players and
lawmakers who have, or may have, responsibility for consumer energy consumption data now or
at a future date.
CHAPTER FIVE
STANDARDS REVIEW
The 2007 EISA assigns NIST the responsibility to coordinate development of an interoperability framework including model
standards and protocols. The identification of the standards and protocol documents that support interoperability of the Smart Grid is
therefore a key element of the NIST framework. In this draft of the NISTIR, this chapter identifies the standards that the SGIP-CSWG
has identified as relevant to cyber security in the Smart Grid. This list of standards represents what is currently being evaluated for
inclusion in the NIST Framework and Roadmap for Smart Grid Interoperability Standards. Work continues to identify other
requirements that should be included in this chapter. In addition, the standards sub-group is reviewing the standards that have been
identified at the NIST Smart Grid workshops and by the various PAP teams to determine whether each standard includes security
requirements. Over the next few months, the list will be expanded to include all the standards identified by the PAP teams. Security
requirements that are included in each standard will be compared to the requirements specified in this NIST report. In this draft of the
NISTIR, the comparison focuses on the security families listed in the DHS Catalog. In the next version of the NISTIR, the
comparison will be at the requirement level.
This chapter contains three tables: Table 5.1 provides an overview of each of the standards; Table 5.2 identifies the security families
that are addressed by each standard; and Table 5.3 lists the applicable OSI layer and includes any additional notes.
The columns in the following tables represent:
• ID Number – for reference only so that other columns or discussions can easily make reference to the information for an item
in this table
• SDO – identifies the Standard Developing Organization
• Standard ID – identifies the standard being referred to
• Standard Name – provides the detailed name of the standard
• Working Group – identifies the working group responsible for the standard development within the standard developing
organization
• Contact Name – the name of the person who is the contact or liaison for the standard working group if applicable
• Contact Email – contact information for the working group contact
• Standard Freely Available (Y/N) – Identifies whether the standard can be obtained through the internet for download
• Price – identifies the price associated with purchasing and/or downloading the standard
• Version Reviewed – identifies the version that is being reviewed by the SGIP-CSWG for consideration in Smart Grid Security
• Required by Regulation or Law (Y/N) – identifies whether there is a governing body that deems this standard required
• Utility Industry Specific (Y/N) – indicates whether the standard is specific to the utility industry
• Categories 2.1 – 2.18 – derived from the DHS catalogue categories; these columns identify whether the standard includes
controls in the specific catalogue category
• OSI Stack Layers – identifies which layers are involved in the standard
• Notes and/or Comments – provides additional detail or comments regarding the standard and its evaluation by the SGIP-
CSWG
Reader Note: Not all standards listed are currently available to the SGIP-CSWG and therefore cannot be thoroughly
documented. Any comments received from external parties regarding standards that the requirements sub-group does not have access
to were not addressed.
Table 5.1 – Overview of the standards reviewed

ID No. | SDO | Standard ID | Standard Name | Working Group | Standard Freely Available (Y/N) | Price | Version Reviewed | Required by Regulation or Law (Y/N) | Utility Industry Specific (Y/N)
1 | IEC | IEC 62351-1 | Data and Communications Security Part 1: Introduction to Security Issues | IEC TC57 WG15 | Y | $143 | V1 | N | Y
2 | IEC | IEC 62351-2 | Data and Communications Security Part 2: Glossary of Terms | IEC TC57 WG15 | Y | $204 | V1 | N |
3 | IEC | IEC 62351-3 | Data and Communications Security Part 3: Profiles Including TCP/IP | IEC TC57 WG15 | Y | $51 | V1 | N | Y
4 | IEC | IEC 62351-4 | Data and Communications Security Part 4: Profiles Including MMS | IEC TC57 WG15 | Y | $77 | V1 | N | Y
5 | IEC | IEC 62351-5 | Data and Communications Security Part 5: Security for IEC 60870-5 and Derivatives | IEC TC57 WG15 | Y | $204 | V1 | N | Y
6 | IEC | IEC 62351-6 | Data and Communications Security Part 6: Security for IEC 61850 | IEC TC57 WG15 | Y | $77 | V1 | N | Y
7 | IEC | IEC 62351-7 | Data and Communications Security Part 7: Network and system management (NSM) data object models | IEC TC57 WG15 | | When published | V1 | N | Y
8 | IEC | IEC 62351-8 | Data and Communications Security Part 8: Role-based access control | IEC TC57 WG15 | | When completed | | N | Y
9 | ANSI | ANSI C12.22 | Meter and End Device Tables communications over any network | ANSI C12.22 | N | $166 | ANSI C12.22-2008 | N | Y
10 | DHS | DHS Catalog | Catalog of Control Systems Security: Recommendations for Standards Developers | DHS | | | V4 | N | N
11 | IEEE | IEEE 802.11i | Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications, Amendment 6: Medium Access Control (MAC) Security Enhancements | | Y | | 7/23/2004 | N |
12 | IEEE | IEEE 1547.3 | Guide For Monitoring, Information Exchange, and Control of Distributed Resources Interconnected with Electric Power Systems | IEEE 1547.3 | Y | $120 | V1 | N | Y
13 | IEEE | IEEE 1686 | Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities | | N | $63 to $102 | 2007 (initial) | N | Y
14 | IETF | SNMP | Simple Network Management Protocol (SNMP) | IETF | Y | $0 | V3 | N | N
15 | ISA / IEC | SP99 / IEC 62443 | Cyber security mitigation for industrial and bulk power generation stations | IEC TC65 | | | | N | N
16 | ISO | ISO 27000 | Information technology - Security techniques - Information security management systems - Overview and vocabulary | | | | | N | N
17 | NERC | CIP 002 thru 009 | NERC Critical Infrastructure Protection (CIP Standards) | | Y | $0 | V2 | Y | Y
18 | NIST | FIPS 140-2 | Security Requirements for Cryptographic Modules | | Y | $0 | | N | N
19 | NIST | FIPS 197 | Cryptographic standard: Advanced Encryption Standard (AES) | | Y | $0 | 11/26/2001 | N | N
20 | NIST | SP 800-53 | Security controls required for federal information systems | | Y | $0 | 2.0 | N | N
21 | NIST | SP 800-82 DRAFT | Guide to Industrial Control Systems (ICS) Security | | Y | $0 | 2nd Draft | N | N
22 | IEC | IEC 61850-3 | General electrical and security requirements for substation IEDs | IEC TC57 WG10 | Y | $260 | V1 | N | Y
23 | UCAIug | UCAIug AMI-SEC | System Security Requirements | AMI-SEC | Y | $0 | 1.01 | N | Y
24 | OASIS | WS-Security | Web Services Security | OASIS Web Services Security (WSS) TC | Y | $0 | 1.1 | N |
25 | IEEE | 802.1AR | Secure Device Identity | | N | $100 | 2009 | N | N
26 | IEEE | 802.1AE | Media Access Control Security Standard | | Y | $0 | 2006 | N | N
27 | IEEE | 802.1X-REV | Port Based Network Access Control | | N | $102 | D4.5 | N | N
28 | IETF | TLS | Transport Layer Security (TLS) | | Y | $0 | 1.2/RFC5246 | N | N
29 | IETF | DTLS | Datagram Transport Layer Security (DTLS) | | Y | $0 | 1.0/RFC4347 | N | N
30 | IETF | IPSec | Internet Protocol Security | | Y | $0 | | N | N
31 | IETF | RFC3711 | Secure Real-Time Transport Protocol | | Y | $0 | | N | N
32 | IETF | RFC4962 | Guidance for Authentication, Authorization, and Accounting (AAA) Key management | | Y | $0 | | N | N
33 | IETF | RFC 3748 | Extensible Authentication Protocol (EAP) | | Y | $0 | | N | N
34 | IEEE | 802.16e | Air Interface for Broadband Wireless Access Systems (WiMax) | | N | $380 | 2009 | N | N
35 | NIST | SP 800-38(A-E) | Recommendations for Block Cipher modes | | Y | $0 | | |
36 | 3GPP | TS 33.102 | UMTS LTE 3G Security Architecture | | Y | $0 | 8.4.0 | N | N
37 | ISO/IEC | ISO/IEC 9798 | Security Techniques - Entity Authentication (Parts 1 - 4) | | | | | N | N
38 | ISO/IEC | ISO/IEC 11770 | Security Techniques - Key Management (Parts 1 - 3) | | | | | N | N
39 | ISO/IEC | ISO/IEC 13888 | Security Techniques - Non Repudiation (Parts 1 - 3) | | | | | N | N
40 | ISO/IEC | ISO/IEC 14888 | Security Techniques - Digital Signatures (Parts 1 - 3) | | | | | N | N
41 | ISO/IEC | ISO/IEC 15946-1 | Cryptographic Techniques Based on Elliptic Curves - Part 1: General | | N | $122 | 2008 | N |
42 | ISO/IEC | ISO/IEC 18033 | Security Techniques - Encryption Algorithms (Parts 1 - 4) | | | | | N | N
43 | ISO/IEC | ISO/IEC 19772 | Security techniques -- Authenticated encryption | | N | $116 | 2009 | N |
44 | W3C | XML Encryption | XML Encryption Syntax and Processing | | Y | $0 | | N | N
45 | W3C | XML Signature | XML Signature Syntax and Processing | | Y | $0 | | N | N
46 | W3C | Canonical XML | Canonical XML | | Y | $0 | | N | N
47 | NERC | CSSWG (1) [37] | Security Guidelines for the Electricity Sector: Control System Cyber Security Incident Response Planning | | Y | $0 | V 1.0 May 2, 2007 | N | Y
48 | NERC | CSSWG (2) | Security Guidelines for the Electricity Sector: Control System — Business Network Electronic Connectivity | | Y | $0 | V 1.0 May 3, 2005 | N | Y
49 | NERC | CSSWG (3) | Security Guidelines for the Electricity Sector: Patch Management for Control Systems | | Y | $0 | V 1.0 May 3, 2005 | N | Y
50 | NERC | CSSWG (4) | Security Guidelines for the Electricity Sector: Physical Security - Substations | | Y | $0 | V 1.0 October 15, 2004 | N | Y
51 | NERC | CSSWG (5) | Security Guideline for the Electricity Sector: Time Stamping of Operational Data Logs | | Y | $0 | V0.995 December 3, 2009? | N | Y
52 | IEEE | C37.231 | Recommended Practice for Microprocessor-based Protection Equipment Firmware Control | | N | $63.00 | 2006 | N | Y
53 | NIST | FIPS 198 | The Keyed-Hash Message Authentication Code (HMAC) | | Y | $0 | 3/6/2002 | N |
54 | NIST | FIPS 180-2 | Secure Hash Standard (SHS) | | Y | $0 | 8/1/2002 | N |
55 | ANSI | ANS X9.52-1998 | Triple Data Encryption Algorithm Modes of Operation | | N | $100 | 1998 | N |
56 | NIST | FIPS 197 | Advanced Encryption Standard (AES) | | Y | $0 | 11/26/2001 | N |
57 | NIST | FIPS 186-3 | Digital Signature Standard (DSS) | | Y | $0 | Jun-09 | N |
58 | ANSI | ANSI X9.62 | Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA) | | N | $100 | 2005 | N |
59 | PKCS | PKCS #1, #3, #5-#12, #15 | RSA Public Key Cryptography Standards | | Y | | | N |
60 | ANSI | ANSI X9.42 | Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography | | N | $100 | 2003 | N |
62 | IETF | IETF 4120 | The Kerberos Network Authentication Service (V5) | | Y | | Jul-05 | N |
63 | ANSI/INCITS | INCITS 359 | Information Technology - Role Based Access Control | | N | $30 | 2/3/2004 | N |
64 | NIST | SP 800-63 | Electronic Authentication Guideline | | Y | $0 | April 2006 | N | N
65 | OASIS | XACML 2.0 | eXtensible Access Control Markup Language | OASIS XACML TC | Y | $0 | 2.0 | N | N
66 | OASIS | SAML 2.0 | Security Assertion Markup Language | OASIS Security Services TC | Y | $0 | 2.0 | N | N
67 | OGC | GeoXACML | Geospatial eXtensible Access Control Markup Language (GeoXACML) | OGC Security Work Group | Y | $0 | 1.0 | N | N

[37] The number in parentheses for the five NERC CSSWG documents is for reference purposes only – to distinguish the five documents.
[Table 5.2 – Security families addressed by each standard. Rows are the standards of Table 5.1 (ID Number, SDO, Standard ID); columns are the DHS Catalog families, among them 2.1 Security Policy, 2.2 Organizational Security, 2.3 Personnel Security, 2.9 Information and Document Management, 2.10 System Development and Maintenance, 2.11 Security Awareness and Training, 2.12 Incident Response, 2.16 Audit and Accountability and 2.18 Risk Management and Assessment, plus families covering acquisition, communication protection and integrity. A cell carries an X where the standard addresses the family and, for some standards, the section of the standard concerned (e.g. "3.2.2 Auditing" under 2.16 Audit and Accountability). The cell entries are not recoverable from this copy.]

NIST SP 800-53 is a source document for the requirements in this NISTIR. Appendix B includes a mapping between NIST SP 800-53 and the DHS Catalog.
[Table 5.3 – OSI stack layers per standard. Rows are the standards of Table 5.1 (ID Number, SDO); columns are the Physical, Data Link, Network, Transport, Session, Presentation and Application layers, plus Notes and/or Comments. Only the column headings are recoverable from this copy.]
CHAPTER SIX
RESEARCH AND DEVELOPMENT THEMES FOR CYBER SECURITY IN THE SMART GRID
6.1 INTRODUCTION
Cyber security is one of the key technical areas where the state of the art falls short of meeting
the envisioned functional, reliability, and scalability requirements of the Smart Grid. This
chapter is the deliverable produced by the Research and Development (R&D) subgroup of SGIP-
CSWG based on the inputs from various group members. In general, research involves discovery
of the basic science that supports a product’s viability (or lays the foundation for achieving a
target that is currently not achievable), development refers to turning something into a useful
product or solution, and engineering refines a product or solution to a cost and scale that makes it
economically viable. Another differentiation is basic research which delves into scientific
principles (usually done in universities) and applied research which uses basic research to better
human lives. Research can be theoretical or experimental. Finally, there are long-term (5-10 yrs)
and short-term (less than 5 yrs) research. This chapter stops short of specifying which of the
above categories each research problem falls into. That is, we do not discuss whether something
is research, development, engineering, short-term or long-term, although we might do so in
future revisions. In general, this chapter discusses problems that arise or are expected to arise in
the Smart Grid that do not yet have commercially viable solutions.
The topics are partly based on experience of members of the SGIP-CSWG R&D group and
research problems that are widely publicized. The raw topics submitted by individual group
members were collected in a flat list and iterated over to disambiguate and re-factor them to a
consistent set. The available sections were then edited, consolidated and reorganized as the
following five high-level theme areas:
1. Device Level
2. Novel Mechanisms
3. Systems Level
4. Networking Issues
5. Other Security Issues in the Smart Grid Context
These five groups collectively represent an initial cut at the thematic issues requiring immediate
research and development to make the Smart Grid vision a viable reality. We expect that this
R&D group will continue to revise and update this document as new topics are identified from
other SGIP-CSWG subgroups such as bottom-up, vulnerability, and privacy; by comments from
readers; and by tracking government, academic and industry research efforts that are related to
Smart Grid cyber security. These research efforts include the US Department of Energy Control
System Security and the National SCADA Testbed programs, US Department of Homeland
Security Control System Security program and Cyber Physical Systems Security efforts (see
https://www.enstg.com/Signup/files/DHS%20ST%20Cyber%20Workshop%20Final%20Report-v292.pdf), the industry Roadmap to Secure Control Systems, the UCA International Users group
focusing on AMI security, and the North American Synchrophasor Initiative.
Improve Cost Effective Higher Tamper Resistant and Survivable Device Architectures
As IEDs play more critical roles in the Smart Grid, one needs to ensure that the devices are not
easily attacked by firmware updates, commandeered by a spoofed remote device, or swapped out
by a rogue device. At the same time, because of the unique nature and scale of these devices,
protection measures need to be cost effective (deployment and use) and mass producible. There
are some initial forms of these technologies in the field but there is a growing belief that they
need to be further improved as security researchers have already demonstrated penetrations of
these devices, even with some reasonable protections. Further, it is important to assume devices
will become penetrated and there must be a method for their containment and secure recovery
using remote means. This is of great importance to maintain the reliability and overall
survivability of the Smart Grid. Please see Chapter Three for a discussion of defense-in-depth on
a systems basis that would begin to address these issues.
Research is needed in devising scalable, cost-effective device architectures that can form a robust
hardware and software basis for overall systems level survivability and resiliency that:
• Are highly tamper resistant and evident, and can provide for secure remote recovery
• Improve security of firmware/software upgrades
Without these R&D advances, local attacks can become distributed/cascading large scale attack
campaigns.
This work would also investigate the possible applications of advanced intrusion detection
systems and the types of intrusion detection that may be possible for embedded processors, such
as real-time intrusion detection.
data about the computing elements as well as about the electrical elements. In addition to
naturally occurring noise, some of the sensor data may report effects of malicious cyber activity
and “misinformation” fed by an adversary.
Reliable operation of the Smart Grid depends on timely and accurate detection of outliers and
anomalous events. Power grid operations will need sophisticated outlier detection techniques
that enable the collection of high integrity data in the presence of errors in data collection.
Research in this area will explore developing normative models of steady state operation of the
grid and probabilistic models of faulty operation of sensors. Smart Grid operators can be
misguided by intruders who alter readings systematically, possibly with full knowledge of outlier
detection strategies being used. Ways of detecting and coping with errors and faults in the power
grid need to be reviewed and studied in a model that includes such systematic malicious
manipulation. Research should reveal the limits of existing techniques and provide better
understanding of assumptions and new strategies to complement or replace existing ones.
Some example areas where modeling research could lead to development of new sensors:
• Connect/disconnect reporting information from meters may identify an unauthorized
disconnect, which, in the context of appropriate domain knowledge, can be used to
determine root cause. This research would develop methods to determine when the
number of unauthorized disconnects should be addressed by additional remediation
actions to protect the overall AMI communications infrastructure, as well as other
distribution operations (DR events, etc.).
• Information about meters running backwards could generally be used for theft detection
(for those customers not subscribed to net metering). This research would identify
thresholds where too many unauthorized occurrences would initiate contingency
operations to protect the distribution grid.
Fraud detection algorithms and models used in credit card transaction monitoring may be
relevant to this application.
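The two bullets above describe count-based triggers over AMI event reports. The following is an added example (not from NISTIR 7628) that implements both over a constructed event stream: a sliding-window count of unauthorized remote disconnects that raises a contingency, and reverse-flow interval readings from meters not enrolled in net metering that raise a theft review. The event format, the thresholds and the net-metering enrollment set are assumptions.

```python
# Added example (not from NISTIR 7628): threshold-based contingency triggers
# over a constructed AMI event stream. Event format and thresholds are assumed.
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (illustrative, not real meter data).
SAMPLE_EVENTS = [
    {"ts": "2010-02-01T10:00:00", "meter": "M1001", "event": "DISCONNECT", "authorized": True},
    {"ts": "2010-02-01T10:02:00", "meter": "M1002", "event": "DISCONNECT", "authorized": False},
    {"ts": "2010-02-01T10:03:00", "meter": "M1003", "event": "DISCONNECT", "authorized": False},
    {"ts": "2010-02-01T10:04:00", "meter": "M2001", "event": "INTERVAL", "kwh": -0.8},
    {"ts": "2010-02-01T10:05:00", "meter": "M1004", "event": "DISCONNECT", "authorized": False},
    {"ts": "2010-02-01T10:06:00", "meter": "M3001", "event": "INTERVAL", "kwh": -0.4},
    {"ts": "2010-02-01T10:07:00", "meter": "M3002", "event": "INTERVAL", "kwh": 1.2},
    {"ts": "2010-02-01T10:30:00", "meter": "M1005", "event": "DISCONNECT", "authorized": False},
    {"ts": "2010-02-01T11:20:00", "meter": "M3003", "event": "INTERVAL", "kwh": -0.2},
]

# Constructed: customers enrolled in net metering, for whom reverse flow is expected.
NET_METERING_METERS = {"M2001"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


class UnauthorizedDisconnectMonitor:
    """Counts unauthorized remote disconnects inside a sliding time window.

    A single threshold is only one input to the model the text calls for: an
    adversary who knows the threshold can pace events to stay under it, so the
    window count should be correlated with other sources (DR events, outage
    reports) rather than acted on alone.
    """

    def __init__(self, window_minutes, threshold):
        self.window = timedelta(minutes=window_minutes)
        self.threshold = threshold
        self.events = deque()  # timestamps of unauthorized disconnects in the window

    def observe(self, ts, authorized):
        """Record one disconnect; return True when the window count reaches the threshold."""
        if authorized:
            return False
        self.events.append(ts)
        # Drop events that have aged out of the window.
        while self.events and ts - self.events[0] > self.window:
            self.events.popleft()
        return len(self.events) >= self.threshold


def analyze(events, window_minutes=15, disconnect_threshold=3,
            reverse_flow_threshold=2, net_metering=NET_METERING_METERS):
    """Run both triggers over an event stream, returning what an operator would act on."""
    monitor = UnauthorizedDisconnectMonitor(window_minutes, disconnect_threshold)
    result = {"contingency_at": None, "reverse_flow_meters": set(), "theft_review": False}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(ev["ts"])
        if ev["event"] == "DISCONNECT":
            # Record the first time the disconnect threshold is crossed.
            if monitor.observe(ts, ev["authorized"]) and result["contingency_at"] is None:
                result["contingency_at"] = ev["ts"]
        elif ev["event"] == "INTERVAL" and ev["kwh"] < 0:
            # Reverse flow is legitimate only for net-metering customers.
            if ev["meter"] not in net_metering:
                result["reverse_flow_meters"].add(ev["meter"])
    result["theft_review"] = len(result["reverse_flow_meters"]) >= reverse_flow_threshold
    return result


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```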
subset of constituents). A number of research challenges that are particularly important in the
Smart Grid context are described below.
mechanisms that already exist in the system. Many of these sources of delays can be
manipulated by a malicious adversary. To defend against these, additional security mechanisms
are needed, which in turn may add more delay. On the other hand, security is not absolute, and
quantifying cyber-security is already a hard problem. Given the circular dependency between
security and delay, the various delay sources in the wide area system, and the timeliness
requirements of the Smart Grid applications, there is a need and challenge to organize and
understand the delay-assurance trade space for potential solutions that are appropriate for the
grid applications. Without this understanding, at times of crisis, operators will be ill-prepared
and will have to depend on individuals' intuition and expertise. On the other hand, if the tradeoffs
are well understood, it will be possible to develop and validate contingencies that can be quickly
invoked or offered to human operators at times of crisis.
It can sometimes be the case that even though individual components work well in their domains,
compositions of them can fail to deliver the desired combination of attributes, or fail to deliver
them efficiently. For example, a protocol in the X.509 draft standard was found to have a flaw
which allowed an old session key to be accepted as new. Formal methods for cryptographic
algorithm composition have helped, but tend to concentrate on small, specific models of
individual protocols rather than the composition of multiple algorithms as is typically the case in
real implementations. In other circumstances, the composition of two useful models can cause
unintended and unwanted inefficiencies. An example of this is the combination of the
congestion control of TCP overlaid over ad-hoc mobile radio networks.
Research which systematizes the composition of communications and/or cryptographic
mechanisms and which assists practitioners in avoiding performance, security or efficiency
pitfalls would greatly aid the creation and enhancement of the Smart Grid.
Measuring Risk
The state of the art in this area is limited to surveys and informal analysis of critical assets and
the impact of their compromise or loss of availability. Advanced tools and techniques that
provide quantitative notions of risks, that is, threats, vulnerabilities and attack consequences for
current and emerging power grid systems will allow for better protection and regulation of power
systems.
Economic and other drivers push the use of COTS (commercial-off-the-shelf) components,
public networks like the Internet or the sharing of available Enterprise systems. Research is
needed to investigate the extent such resources can be used in the Smart Grid reliably and safely.
Use of the Internet in Smart Grid: A specific case is the use of the existing Internet in Smart
Grid related communications, including possibly as an emergency out-of-band access
infrastructure. The Internet is readily available, evolving and inherently fault tolerant. But it is
also shared, and it carries a great deal of malware and malicious activity. Methods to deal
with denial of service, as well as identifying other critical issues, will serve to understand the
strengths, weaknesses and cautions of using the existing Internet for specific types of
Smart Grid applications.
Security/reliability issues surrounding the adoption of TCP/IP are a related research topic that
investigates the security questions raised by adopting the Internet Protocols for Smart Grid
networks. This is a separate topic from Internet use. Research could include understanding the
current state of security designs proposed for advanced networks. Features such as Quality of
Service, Mobility, Multihoming, Broadcasting/Multicasting and other enhancements necessary
for Smart Grid applications must be adequately secured and well managed if TCP/IP is to be adopted.
1. Managed separation of business entities: Research in this area will focus on the
network and systems architecture that enables effective communication among the
various business entities without inadvertent sharing/leakage of their trade secrets,
business strategies or operational data and activities. It is anticipated fine-grained energy
data and various other types of information will be collected (or will be available as a
byproduct of interoperability) from businesses and residences to realize some of the
advantages of Smart Grid technology.
a. Techniques to specify and enforce the appropriate sharing policies among entities
with various cooperative, competing, regulatory relationships are not well
understood today. Work in this area would mitigate these risks and promote
confidence among the participants that they are not being illegitimately monitored
by their energy service provider, regulatory bodies or competitors. Architectural
solutions will be important for this objective, but there are also possibilities for
improvements, for example, privacy enhancing technologies based on
cryptography or work on anonymity protections.
b. As they collect more information, energy service providers will need to manage
large amounts of privacy-sensitive data in an efficient and responsible manner.
Research on privacy policy and new storage management techniques will help to
diminish risk and enhance the business value of the data collected while
respecting customer concerns and regulatory requirements. Such work would
contribute to improved tracking of the purpose for which data was collected and
enable greater consumer discretionary control.
c. Verifiable enforcement of privacy policies regardless of the current state and
location of data will provide implicit or explicit trust in the Smart Grid. Research
is needed to develop policies and mechanisms for such enforcement.
2. Authentication and Access Control in a highly dynamic federated environment:
Collaborating autonomous systems in a federated environment need to invoke
operations on each other beyond accessing collected data (e.g., an ISO asking for
more power from a plant). Access control (authentication and authorization) for such
operations, especially when the federates enter into dynamic relationships (daily buy/sell, long-term
contracts, etc.), is an issue that needs research as well.
Maintaining the resiliency and continuous availability of the power grid itself as a critical
national infrastructure is an important mandate. Other critical national infrastructure elements,
such as telecommunications, oil and natural gas pipelines, water distribution systems, etc., carry
an equally strong mandate for resiliency and continuous availability. What is unique about the
electrical grid, however, is that it supplies key elements toward the well-being of these other
critical infrastructure elements. Reverse dependencies are also emerging: the Smart Grid itself
depends on the continuous well-being of the telecommunications and digital computing
infrastructure, as well as on the continuing flow of the raw materials used to generate power.
These interdependencies are sometimes highly visible and obvious, but many remain hidden below
the surface of the detailed review of each infrastructure. There is little current understanding of the
cascading effect that outages and service interruptions might have, especially those of a malicious
and judiciously placed nature intended to cause maximum disruption and mass chaos. This
research would investigate and identify these dependencies, and work on key concepts and plans
toward mitigating them, from the perspective of the Smart Grid. It should lead to techniques that
show not only how communication failures could impact grid efficiency and reliability, how power
failures could affect digital communications, and how a simultaneous combination of failures in
each of the systems might impact the system as a whole, but that also apply a rigorous approach to
identifying and highlighting these key interdependencies across all of these critical common
infrastructure elements. The research would need to develop and apply new system-of-systems
concepts and design approaches toward mitigating these interdependencies at nationwide scale.
APPENDIX A
KEY POWER SYSTEM USE CASES FOR SECURITY
REQUIREMENTS
The focus of this appendix, “Key Power System Use Cases and Security Requirements”, is to
identify the key Use Cases that are “architecturally significant”; the selection is neither exhaustive nor
complete. New Use Cases may be added to this section in future versions of this document as they
become available. This selection of Use Cases will be used for evaluating smart grid characteristics
and their associated cyber security objectives, high-level requirements (Integrity, Availability, and
Confidentiality) and stakeholder concerns. In addition, the focus is more on operational functions as
opposed to “back office” or corporate functions, since it is the automation and control aspects of
power system management that are relatively unique and certainly are the ones that stretch the
security risk assessment, the security controls, and the security management.
There are many interfaces and “environments” with constraints and sensitive aspects that make up
the information infrastructure which is monitoring and controlling the power system infrastructure.
This document does not directly capture those distinctions, but leaves it up to the implementers of
security measures to take those into account. The Use Cases were derived “as-is” and put into a
common format for evaluation. This is not a listing of recommended or mandatory Use Cases, and
is not intended for architecting systems or identifying all the potential scenarios that may exist. The
full sets of Use Cases, taken from many sources, include the following:
• AMI Business Functions which were extracted from Appendix B of the AMI-SEC Security
Requirements Specification (T&D DEWG and now also posted on SGIP-CSWG TWiki).
• Benefits and Challenges of Distribution Automation – Use Case Scenarios (White Paper
for Distribution on T&D DEWG, extracted from CEC document which has 82 Use Cases,
and now also posted on SGIP-CSWG TWiki).
There is a certain amount of overlap in these sources, particularly in the new area of AMI, but no
one would argue that even the combined set (reaching over 1000 Use Cases) really covers all
requirements - they just act as indications of the areas of interactions. For instance, for just one
item, the connect/disconnect of meters, 6 utilities developed over 20 Use Case variations in order to
meet their diverse needs, often due to different State regulatory requirements.
The Use Cases were not generally copied verbatim from their sources, but sometimes edited to
focus on the security issues.
The following Use Cases can be considered to have key security requirements that may vary in
vulnerabilities and impacts, depending upon the actual systems, but that nonetheless can be
generally assessed as having security requirements with respect to Integrity, Availability, and
Confidentiality (IAC).
Integrity is generally considered the most critical security requirement for power system operations,
and includes assurance that:
• Data has not been modified without authorization
• Source of data is authenticated
• Timestamp associated with the data is known and authenticated
• Quality of data is known and authenticated
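The four integrity properties above map onto concrete checks at the point where a head-end accepts a meter reading. The following is an added example, not code from NISTIR 7628 or from any AMI vendor: it authenticates the source with a per-meter shared key, covers the value, timestamp and quality flag with the same HMAC tag so none of them can be altered independently, and rejects readings that are stale or delivered twice (the "old data accepted as new" failure class mentioned earlier in the research section). The key table, field names and time window are assumptions chosen for the example.

```python
import hashlib
import hmac
import json
from typing import Optional, Set, Tuple

# Constructed per-meter shared keys (assumption for this example). A real
# deployment would provision them through the certificate and key management
# the appendix calls for; these byte strings are demo material only.
METER_KEYS = {
    "MTR-0001": b"constructed-demo-key-for-meter-0001",
}

# Every field the integrity tag must cover: value, source, time and quality.
REQUIRED_FIELDS = ("meter_id", "timestamp", "kwh", "quality")


def canonical(reading: dict) -> bytes:
    """Canonical byte encoding of the fields covered by the integrity tag.

    Sorted keys and no whitespace guarantee that sender and verifier MAC the
    same bytes; because timestamp and quality are inside the tag they are
    authenticated together with the value and the source.
    """
    fields = {k: reading[k] for k in REQUIRED_FIELDS}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(reading: dict) -> str:
    """Meter side: HMAC-SHA256 tag over the canonical reading."""
    key = METER_KEYS[reading["meter_id"]]
    return hmac.new(key, canonical(reading), hashlib.sha256).hexdigest()


def verify_reading(reading: dict, tag: str, now: int,
                   max_age_s: int = 300,
                   seen: Optional[Set[Tuple[str, int]]] = None) -> Tuple[bool, str]:
    """Head-end side: enforce the four integrity properties.

    Returns (accepted, reason). `seen` is the caller's replay cache of
    (meter_id, timestamp) pairs already accepted inside the freshness window.
    """
    if seen is None:
        seen = set()
    if any(k not in reading for k in REQUIRED_FIELDS):
        return False, "malformed reading"
    key = METER_KEYS.get(reading["meter_id"])
    if key is None:
        return False, "unknown source"              # source not authenticated
    expected = hmac.new(key, canonical(reading), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):       # constant-time comparison
        return False, "bad tag: value, source, timestamp or quality modified"
    age = now - reading["timestamp"]
    if age < 0 or age > max_age_s:
        return False, "timestamp outside freshness window"
    marker = (reading["meter_id"], reading["timestamp"])
    if marker in seen:
        return False, "duplicate reading: old data presented as new"
    if reading["quality"] not in ("good", "estimated"):
        return False, "unacceptable data quality flag"
    seen.add(marker)
    return True, "ok"


if __name__ == "__main__":
    sample = {"meter_id": "MTR-0001", "timestamp": 1_700_000_000,
              "kwh": 12.5, "quality": "good"}
    t = sign_reading(sample)
    cache: Set[Tuple[str, int]] = set()
    print(verify_reading(sample, t, now=1_700_000_030, seen=cache))
    print(verify_reading(sample, t, now=1_700_000_031, seen=cache))  # replayed
```

The freshness window has to be chosen against the availability latencies listed below: a window tighter than the expected delivery delay for the data class (hours for meter reads) will reject legitimate readings, while a window much wider than the replay cache's retention lets a captured reading be re-presented after the cache forgets it.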
Availability is generally considered the next most critical security requirement, although the time
latency associated with availability can vary:
• 4 ms for protective relaying
• Sub-seconds for transmission wide-area situational awareness monitoring
• Seconds for substation and feeder SCADA data
• Minutes for monitoring non-critical equipment and some market pricing information
• Hours for meter reading and longer term market pricing information
• Days/weeks/months for collecting long term data such as power quality information
Confidentiality is generally the least critical for actual power system operations, although this is
changing for some parts of the power system, as customer information is more easily available in
cyber form:
• Privacy of customer information is the most important
• Electric market information has some confidential portions
• General corporate information, such as human resources, internal decision-making, etc.
Critical Issues for the Security Requirements of Power Systems
The automation and control systems for power system operations have many differences from most
business or corporate systems. Some particularly critical issues related to security requirements
include:
• Operation of the power system must continue 24x7 with high availability (e.g. 99.99% for
SCADA and higher for protective relaying) regardless of any compromise in security or the
implementation of security measures which hinder normal or emergency power system
operations.
• Power system operations must be able to continue during any security attack or compromise (as
much as possible).
• Power system operations must recover quickly after a security attack or compromised
information system.
• The complex and many-fold interfaces and interactions across this largest machine of the world
– the power system – make security particularly difficult, since it is not easy to separate the
automation and control systems into distinct “security domains”. And yet end-to-end security is
critical.
• There is not a one-size-fits-all set of security practices for any particular system or for any
particular power system environment.
• Testing of security measures cannot be allowed to impact power system operations.
• Balance is needed between security measures and power system operational requirements.
Absolute security is never perfectly achievable, so the costs and impacts on functionality of
implementing security measures must be weighed against the possible impacts from security
breaches.
• Balance is also needed between risk and the cost of implementing the security measures.
Security Programs and Management
Development of security programs is critical to all Use Cases, including:
• Risk Assessment to develop security requirements based on business rationale (e.g. impacts from
security breaches of IAC) and system vulnerabilities.
- The likelihood of particular threat agents, which are usually included in risk
assessments, should only play a minor role in the overall risk assessment since the power
system is so large and interconnected that appreciating the risk of these threat agents
would be very difficult.
- However, in detailed risk assessments of specific assets and systems, some appreciation
of threat agent probabilities is necessary to ensure that an appropriate balance between
security and operability is maintained.
• Security technologies that are needed to meet the security requirements:
- Plan the system designs and technologies to embed the security from the start
- Implement the security protocols
- Add physical security measures
- Implement the security monitoring and alarming tools
- Establish Role-Based Access Control to authorize and authenticate users, both human
and cyber, for all activities, including password/access management, certificate and key
management, and revocation management
- Provide the security applications for managing the security measures
• Security policies, training, and enforcement to focus on the human side of security, including:
- Normal operations
- Emergency operations when faced with a possible or actual security attack
- Recovery procedures after an attack
- Documentation of all anomalies for later analysis and re-risk assessment.
• Conformance testing for both humans and systems to verify they are using the security measures
and tools appropriately and not by-passing them:
- Care must be taken not to impact operations during such testing
- If certain security measures actually impact power system operations, the balance
between that impact and the impact of a security compromise should be evaluated
• Periodic re-assessment of security risks
Category: AMI
Category Description
Scenario Description
Meter reading services provide the basic meter reading capabilities for generating customer bills.
Different types of metering services are usually provided, depending upon the type of customer
(residential, smaller commercial, larger commercial, smaller industrial, larger industrial) and upon the
applicable customer tariff.
Periodic Meter Reading
On-Demand Meter Reading
Net Metering for DER and PEV
Feed-In Tariff Metering for DER and PEV
Bill - Paycheck Matching
Category: AMI
Category Description
Scenario Description
Customers who either want a lower rate or have a history of slow payment can benefit from prepayment
of power. Smart metering makes it easier to deploy new types of prepayment to customers and provide
them with better visibility on the remaining hours of power, as well as extending time of use rates to
prepayment customers.
AMI systems can also trigger notifications when the pre-payment limits are close to being reached
and/or have been exceeded.
Limited Energy Usage
Limited Demand
Category: AMI
Category Description
Scenario Description
Non-technical losses (or theft of power by another name) have long been an on-going battle between
utilities and certain customers. In a traditional meter, when the meter reader arrives, they can look for
visual signs of tampering, such as broken seals and meters plugged in upside down. When AMI
systems are used, tampering that is not visually obvious may be detected during the analysis of the data,
such as anomalously low usage. AMI will help with more timely and sensitive detection of power theft.
Tamper Detection
Anomalous Readings
Meter Status
Suspicious Meter
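The scenario above says tampering is found by analysing the data rather than by inspection. As an added illustration (not part of the NISTIR draft and not any utility's detection logic), the following compares each meter's recent consumption with its own baseline, checks the whole population first so that a common cause such as mild weather is not mistaken for theft, and merges in the tamper events the meters report themselves. The readings, event records and thresholds are constructed for the example.

```python
from statistics import median
from typing import Dict, List

# Constructed sample data (not real readings): daily kWh per meter over eight
# days, plus meter-status events reported by the meters themselves.
HISTORY: Dict[str, List[float]] = {
    "MTR-A": [30, 31, 29, 32, 30, 31, 30, 29],
    "MTR-B": [28, 30, 29, 31, 30, 29, 30, 28],
    "MTR-C": [27, 29, 28, 30, 4, 3, 4, 3],       # sudden, sustained drop
    "MTR-D": [0, 0, 0, 0, 0, 0, 0, 0],           # vacant premises
}
TAMPER_EVENTS = [
    {"meter_id": "MTR-B", "event": "cover_removed", "day": 6},
]


def usage_ratios(history: Dict[str, List[float]], train_days: int = 4,
                 min_baseline: float = 5.0) -> Dict[str, float]:
    """Per meter: median of recent days divided by median of the training days.

    Meters whose baseline is below min_baseline (vacant or newly installed)
    are skipped, since a ratio against near-zero usage is meaningless.
    """
    ratios = {}
    for meter, days in history.items():
        baseline = median(days[:train_days])
        if baseline < min_baseline:
            continue
        recent = median(days[train_days:])
        ratios[meter] = recent / baseline
    return ratios


def flag_suspicious(history: Dict[str, List[float]], tamper_events: List[dict],
                    low_ratio: float = 0.3,
                    common_cause_ratio: float = 0.7) -> Dict[str, List[str]]:
    """Return {meter_id: [reasons]} for meters worth a field visit."""
    ratios = usage_ratios(history)
    flags: Dict[str, List[str]] = {}
    # If usage fell across the whole population, individual drops are not
    # evidence of theft; only flag low readers when the population is normal.
    population = median(ratios.values()) if ratios else 1.0
    if population > common_cause_ratio:
        for meter, r in ratios.items():
            if r < low_ratio:
                flags.setdefault(meter, []).append(
                    f"anomalous_low_usage ratio={r:.2f}")
    # Tamper/status events are direct evidence regardless of the usage curve.
    for ev in tamper_events:
        flags.setdefault(ev["meter_id"], []).append(
            f"tamper_event {ev['event']} day={ev['day']}")
    return flags


if __name__ == "__main__":
    for meter, reasons in sorted(flag_suspicious(HISTORY, TAMPER_EVENTS).items()):
        print(meter, reasons)
```

The output of such analysis is a list of meters to investigate, not a verdict: the population check reduces false positives, but a legitimate change of occupancy produces the same signature as a bypass, which is why the scenario list keeps "Suspicious Meter" and "Meter Status" as separate follow-up steps.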
Category: AMI
Category Description
third party systems which are interfaced to the AMI systems.
Scenario Description
Traditionally, utilities send a metering service person to connect or disconnect the meter. With an AMI
system, the connect/disconnect can be performed remotely by switching the remote connect/disconnect
(RCD) switch for the following reasons.
Remote Connect for Move-In
Remote Connect for Reinstatement on Payment
Remote Disconnect for Move-Out
Remote Disconnect for Non-Payment
Remote Disconnect for Emergency Load Control
Unsolicited Connect / Disconnect Event
Category: AMI
Category Description
Scenario Description
The AMI system detects customer outages and reports them in near-real-time to the distribution utility. The
utility uses the customer information from the Customer Information System, the Trouble Call System,
Geographical Information System, and the Outage Management System to identify the probable
location of the fault. The process includes the following steps:
Smart meters report one or more power losses (e.g. “last gasp”)
Outage management system collects meter outage reports and customer trouble calls
Outage management system determines location of outage and generates outage trouble tickets
Work management system schedules work crews to resolve outage
Interactive utility-customer systems inform the customers about the progress of events
Trouble tickets are used for statistical analysis of outages
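Steps two and three of the process above (collect last-gasp reports and trouble calls, determine the outage location, open tickets) can be shown as one small correlation routine. This is an added example, not the NISTIR text's own algorithm nor any outage management product: it maps reports onto a constructed meter-to-transformer-to-feeder topology, opens a ticket at the smallest element that explains the evidence, and sets aside reports from meters that are not in the provisioned inventory so that a spoofed or mis-addressed report cannot by itself dispatch a crew. The topology, thresholds and report lists are assumptions made for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed topology (assumption): meter -> (transformer, feeder). In a
# utility this comes from the GIS and Customer Information System.
TOPOLOGY: Dict[str, Tuple[str, str]] = {
    "M1": ("T1", "F1"), "M2": ("T1", "F1"), "M3": ("T1", "F1"),
    "M4": ("T2", "F1"), "M5": ("T2", "F1"),
    "M6": ("T3", "F2"), "M7": ("T3", "F2"), "M8": ("T3", "F2"),
}


def locate_outages(topology: Dict[str, Tuple[str, str]],
                   last_gasp: Iterable[str], trouble_calls: Iterable[str],
                   xfmr_threshold: float = 0.5,
                   feeder_threshold: float = 0.8) -> dict:
    """Correlate outage evidence to the smallest element that explains it.

    Returns {"tickets": [(level, element_id, evidence)],
             "unverified_reports": [meter ids not in inventory],
             "watch": {transformer: fraction of its meters reporting}}.
    """
    result: dict = {"tickets": [], "unverified_reports": [], "watch": {}}

    # Step 2: merge meter last-gasp reports and customer trouble calls.
    out_meters = set()
    for m in list(last_gasp) + list(trouble_calls):
        if m in topology:
            out_meters.add(m)
        else:
            # Unknown source: record it, but never let it drive a dispatch.
            result["unverified_reports"].append(m)

    meters_per_xfmr: Dict[str, set] = defaultdict(set)
    xfmrs_per_feeder: Dict[str, set] = defaultdict(set)
    for m, (x, f) in topology.items():
        meters_per_xfmr[x].add(m)
        xfmrs_per_feeder[f].add(x)

    # Step 3a: a transformer is out when enough of its meters report.
    out_xfmrs = set()
    for x, meters in meters_per_xfmr.items():
        ratio = len(meters & out_meters) / len(meters)
        if ratio >= xfmr_threshold:
            out_xfmrs.add(x)
        elif ratio > 0:
            result["watch"][x] = round(ratio, 2)   # partial evidence only

    # Step 3b: escalate to a feeder ticket when most of its transformers are
    # out (and it has more than one, so a single transformer is not promoted).
    for f, xfmrs in xfmrs_per_feeder.items():
        hit = xfmrs & out_xfmrs
        if len(xfmrs) > 1 and len(hit) / len(xfmrs) >= feeder_threshold:
            result["tickets"].append(("feeder", f, sorted(hit)))
            out_xfmrs -= xfmrs
    for x in sorted(out_xfmrs):
        result["tickets"].append(
            ("transformer", x, sorted(meters_per_xfmr[x] & out_meters)))
    return result


if __name__ == "__main__":
    # Constructed reports: a whole feeder down, one stray call, one unknown id.
    print(locate_outages(TOPOLOGY, ["M1", "M2", "M3", "M4", "M5", "M9"], ["M6"]))
```

The inventory check is the security-relevant part: the scenario's trouble tickets drive crew dispatch and customer notification, so the correlation step should accept only reports whose source the AMI head-end has already authenticated and provisioned, and should treat a lone unverified report as something to log rather than act on.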
Category: AMI
Category Description
Scenario Description
Meter maintenance is needed to locate and repair/replace meters that have problems, or to update
firmware and parameters if updates are required. For those with batteries, such as gas and water meters,
battery management will also be needed.
Connectivity validation
Geo-location of meter
Category: AMI
Category Description
The AMI category covers the fundamental functions of an advanced metering system. These functions
include: meter reading, use of an integrated service switch, theft detection and improved outage
detection and restoration. The high level technical requirements for these functions are well understood
by the industry, but the specific benefit varies from utility to utility.
Advanced functions that are often associated with AMI are demand response program support and
communications to in-home devices. These functions are not exclusive to AMI and will be discussed in
separate category areas.
Scenario Description
This scenario discusses the AMI meter’s functionality to detect and report unauthorized removal and
similar physical tampering. AMI meters require additional capability over traditional meters to prevent
theft and tampering due to the elimination of regular visual inspection provided by meter reading.
Smart Grid Characteristics
• Optimizes asset utilization and operate efficiently
• Operates resiliently against attack and natural disasters
Cyber Security Objectives
• To reduce energy theft
• To prevent theft/compromise of passwords and key material
• To prevent installation of malware
Potential Stakeholder Issues
• Customer data privacy and security
• Retail Electric Supplier access
• Customer data access
Category: AMI
Category Description
The AMI category covers the fundamental functions of an advanced metering system. These functions
include: meter reading, use of an integrated service switch, theft detection and improved outage
detection and restoration. The high level technical requirements for these functions are well understood
by the industry, but the specific benefit varies from utility to utility.
Advanced functions that are often associated with AMI are demand response program support and
communications to in-home devices. These functions are not exclusive to AMI and will be discussed in
separate category areas.
Scenario Description
AMI meters eliminate the possibility of some forms of theft (i.e. meter reversal). Other types of theft
will be more difficult to detect due to the elimination of regular physical inspection provided by meter
reading. This scenario discusses the analysis of meter data to discover potential theft occurrences.
Smart Grid Characteristics
• Optimizes asset utilization and operate efficiently
• Operates resiliently against attack and natural disasters
Cyber Security Objectives
• To reduce theft
• To protect integrity of reporting
• To maintain availability for reporting and billing
Potential Stakeholder Issues
• Customer data privacy and security
• Retail Electric Supplier access
• Customer data access
• Customer Safety
Scenario: Real Time Pricing (RTP) for Customer Load and DER/PEV
Category Description
Demand response is a general capability that could be implemented in many different ways. The
primary focus is to provide the customer with pricing information for current or future time periods so
they may respond by modifying their demand. This may entail just decreasing load or may involve
shifting load by increasing demand during lower priced time periods so that they can decrease demand
during higher priced time periods. The pricing periods may be real-time-based or may be tariff-based,
while the prices may also be operationally-based or fixed or some combination. Real-time pricing
inherently requires computer-based responses, while the fixed time-of-use pricing may be manually
handled once the customer is aware of the time periods and the pricing.
Scenario Description
Use of Real Time Pricing for electricity is common for very large customers, affording them an ability
to determine when to use power and minimize the costs of energy for their business. The extension of
real time pricing to smaller industrial and commercial customers and even residential customers is
possible with smart metering and in-home displays. Aggregators or customer energy management
systems must be used for these smaller consumers due to the complexity and 24x7 nature of managing
power consumption. Pricing signals may be sent via an AMI system, the Internet, or other data
channels.
Category Description
Demand response is a general capability that could be implemented in many different ways. The
primary focus is to provide the customer with pricing information for current or future time periods so
they may respond by modifying their demand. This may entail just decreasing load or may involve
shifting load by increasing demand during lower priced time periods so that they can decrease demand
during higher priced time periods. The pricing periods may be real-time-based or may be tariff-based,
while the prices may also be operationally-based or fixed or some combination. Real-time pricing
inherently requires computer-based responses, while the fixed time-of-use pricing may be manually
handled once the customer is aware of the time periods and the pricing.
Scenario Description
Time of use pricing creates blocks of time and seasonal differences that allow smaller customers with
less time to manage power consumption to gain some of the benefits of real time pricing. This is the
favored regulatory method in most of the world for dealing with global warming.
Although Real Time Pricing is more flexible than Time of Use, it is likely that TOU will still provide
many customers with all of the benefits that they can profitably use or manage.
Category Description
Demand response is a general capability that could be implemented in many different ways. The
primary focus is to provide the customer with pricing information for current or future time periods so
they may respond by modifying their demand. This may entail just decreasing load or may involve
shifting load by increasing demand during lower priced time periods so that they can decrease demand
during higher priced time periods. The pricing periods may be real-time-based or may be tariff-based,
while the prices may also be operationally-based or fixed or some combination. Real-time pricing
inherently requires computer-based responses, while the fixed time-of-use pricing may be manually
handled once the customer is aware of the time periods and the pricing.
Scenario Description
When customers have the ability to generate or store power as well as consume power, net metering is
installed to measure not only the flow of power in each direction, but also when the net power flows
occurred. Often Time of Use (TOU) tariffs are employed.
Today larger C&I customers and an increasing number of residential and smaller C&I customers have
net metering installed for their photovoltaic systems, wind turbines, combined heat and power (CHP),
and other DER devices. As plug-in electric vehicles (PEVs) become available, net metering will
increasingly be implemented in homes and small businesses, even parking lots.
Category Description
Demand response is a general capability that could be implemented in many different ways. The
primary focus is to provide the customer with pricing information for current or future time periods so
they may respond by modifying their demand. This may entail just decreasing load or may involve
shifting load by increasing demand during lower priced time periods so that they can decrease demand
during higher priced time periods. The pricing periods may be real-time-based or may be tariff-based,
while the prices may also be operationally-based or fixed or some combination. Real-time pricing
inherently requires computer-based responses, while the fixed time-of-use pricing may be manually
handled once the customer is aware of the time periods and the pricing.
Scenario Description
Feed-in tariff pricing is similar to net metering except that generation from customer DER/PEV has a
different tariff rate than the customer load tariff rate during specific time periods.
Category Description
Demand response is a general capability that could be implemented in many different ways. The
primary focus is to provide the customer with pricing information for current or future time periods so
they may respond by modifying their demand. This may entail just decreasing load or may involve
shifting load by increasing demand during lower priced time periods so that they can decrease demand
during higher priced time periods. The pricing periods may be real-time-based or may be tariff-based,
while the prices may also be operationally-based or fixed or some combination. Real-time pricing
inherently requires computer-based responses, while the fixed time-of-use pricing may be manually
handled once the customer is aware of the time periods and the pricing.
Scenario Description
Critical Peak Pricing builds on Time of Use Pricing by selecting a small number of days each year
where the electric delivery system will be heavily stressed and increasing the peak (and sometime
shoulder peak) prices by up to 10 times the normal peak price. This is intended to reduce the stress on
the system during these days.
Category Description
Demand response is a general capability that could be implemented in many different ways. The
primary focus is to provide the customer with pricing information for current or future time periods so
they may respond by modifying their demand. This may entail just decreasing load or may involve
shifting load by increasing demand during lower priced time periods so that they can decrease demand
during higher priced time periods. The pricing periods may be real-time-based or may be tariff-based,
while the prices may also be operationally-based or fixed or some combination. Real-time pricing
inherently requires computer-based responses, while the fixed time-of-use pricing may be manually
handled once the customer is aware of the time periods and the pricing.
Scenario Description
In addition to customers with PEVs participating in their home-based Demand Response functions,
they will have additional requirements for managing the charging and discharging of their mobile PEVs
in other locations:
Customer connects PEV at another home
Customer connects PEV outside home territory
Customer connects PEV at public location
Customer charges the PEV
Category Description
Customers want to understand how their energy consumption habits affect their monthly energy bills
and to find ways to reduce their monthly energy costs. Customers should have the ability to receive
information on their usage and the price of energy on a variety of devices (in home displays, computers
and mobile devices). In addition to real time and historical energy data, customers should be able to
receive messages from the utility notifying them about outages.
Scenario Description
This scenario describes the process to configure a customer’s device to receive and send data to utility
systems. The device could be an information display, communicating thermostat, load control device or
smart appliance.
Category Description
Customers want to understand how their energy consumption habits affect their monthly energy bills
and to find ways to reduce their monthly energy costs. Customers should have the ability to receive
information on their usage and the price of energy on a variety of devices (in home displays, computers
and mobile devices). In addition to real time and historical energy data, customers should be able to
receive messages from the utility notifying them about outages.
Scenario Description
This scenario describes the information that should be available to customers on their in home devices.
Multiple communication paths and device functions will be considered.
Category Description
Customers want to understand how their energy consumption habits affect their monthly energy bills
and to find ways to reduce their monthly energy costs. Customers should have the ability to receive
information on their usage and the price of energy on a variety of devices (in home displays, computers
and mobile devices). In addition to real time and historical energy data, customers should be able to
receive messages from the utility notifying them about outages.
Scenario Description
This alternate scenario describes the resolution of communication or other types of errors that could
occur with in home devices. Roles of the customer, device vendor and utility will be discussed.
Category Description
Customers want to understand how their energy consumption habits affect their monthly energy bills
and to find ways to reduce their monthly energy costs. Customers should have the ability to receive
information on their usage and the price of energy on a variety of devices (in home displays, computers
and mobile devices). In addition to real time and historical energy data, customers should be able to
receive messages from the utility notifying them about outages.
Scenario Description
In addition to a utility operated communications network (i.e. AMI), the internet can be used to
communicate to customers and their devices. Personal computers and mobile devices may be more
suitable for displaying some types of energy data than low cost specialized in home display devices.
This scenario describes the information that should be available to the customer using the internet and
Category Description
Customers want to understand how their energy consumption habits affect their monthly energy bills
and to find ways to reduce their monthly energy costs. Customers should have the ability to receive
information on their usage and the price of energy on a variety of devices (in home displays, computers
and mobile devices). In addition to real time and historical energy data, customers should be able to
receive messages from the utility notifying them about outages.
Scenario Description
When an outage occurs the utility can notify affected customers and provide estimated restoration times
and report when power has been restored. Smart grid technologies can improve the utility’s accuracy
for determination of affected area and restoration progress.
Smart Grid Characteristics: Enables active participation by consumers; Accommodates all generation and
storage options; Enables new products, services and markets
Cyber Security Objectives: To validate that the notification is legitimate; Customer's information is kept
private
Potential Stakeholder Issues: Customer device standards; Customer data privacy and security
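The cyber security objective listed for this scenario is that the customer device can validate that an outage notification is legitimate. The following is an added example, not code from NISTIR 7628 or from any utility or device vendor, of the checks a display or mobile app would run before showing such a message. It assumes a per-device secret provisioned when the device is enrolled and a JSON message layout constructed here for illustration (both are assumptions; a one-to-many broadcast channel would use a public-key signature instead, so that no customer device holds the signing key). Beyond the tag check it also enforces freshness and rejects replays, which a bare signature check does not cover.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import time

# Assumed policy: a notification older than 15 minutes (or dated more than
# 15 minutes in the future) is not shown, even when its tag is valid.
MAX_AGE_S = 15 * 60


def canonical(payload: dict) -> bytes:
    """Stable byte encoding so sender and receiver authenticate identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_notification(key: bytes, payload: dict) -> dict:
    """Utility side: attach an HMAC-SHA256 tag over the canonical payload.

    `key` is the per-device secret assumed to be provisioned at enrollment.
    """
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Verifier:
    """Device side: tag, freshness and replay checks before a message is shown."""

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now                      # injectable clock, for testing
        self.seen_ids: set[str] = set()     # ids already accepted (replay window)

    def verify(self, msg: dict) -> tuple[bool, str]:
        payload, tag = msg.get("payload"), msg.get("tag", "")
        if not isinstance(payload, dict) or not isinstance(tag, str):
            return False, "malformed"
        expected = hmac.new(self.key, canonical(payload), hashlib.sha256).hexdigest()
        # compare_digest is constant-time; a plain == would leak timing on the tag.
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"
        issued = payload.get("issued_at")
        if not isinstance(issued, (int, float)) or abs(self.now() - issued) > MAX_AGE_S:
            return False, "stale or future-dated"
        msg_id = payload.get("id")
        if not isinstance(msg_id, str) or msg_id in self.seen_ids:
            return False, "replayed or missing id"
        self.seen_ids.add(msg_id)
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample: one genuine notification, then a tampered copy of it.
    key = b"per-device-secret-from-enrollment"
    v = Verifier(key)
    note = sign_notification(key, {"id": "n-1", "issued_at": int(time.time()),
                                   "type": "outage", "estimated_restoration": "2h"})
    print(v.verify(note))                                    # (True, 'ok')
    forged = {"payload": dict(note["payload"], estimated_restoration="never"),
              "tag": note["tag"]}
    print(v.verify(forged))                                  # (False, 'bad tag')
```

The order of the checks matters: the tag is verified first so that an unauthenticated sender learns nothing from the freshness or replay responses, and the message id is only recorded as seen once every other check has passed.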
Category Description
Customers with Home Area Networks and/or Building Energy Management Systems will be able to
interact with the electric utilities as well as third party energy services providers to access information
on their own energy profiles, usage, pricing, etc.
Scenario Description
Customers with Home Area Networks and/or Building Energy Management Systems will be able to
interact with the electric utilities as well as third party energy services providers. Some of these
interactions include:
Access to real-time (or near real-time) energy and demand usage and billing information
Requesting energy services such as move-in/move-out requests, pre-paying for electricity, changing
energy plans (if such tariffs become available), etc.
Access to energy pricing information
Access to their own DER generation/storage status
Access to their own PEV charging/discharging status
Establishing thermostat settings for demand response pricing levels
Although different types of energy-related information access are involved, the security requirements
are similar.
Category Description
The electricity market varies significantly from State to State, region to region, and at local levels. The
market is still evolving after some initial setbacks, and is expected to expand from bulk power to retail
power and eventually to individual customer power as tariffs are developed to provide incentives.
Demand response, handled in a separate section, is a part of the electricity market.
Scenario Description
The bulk power market varies from region to region, and is conducted primarily through Regional
Transmission Operators (RTO) and Independent System Operators (ISO). The market is handled
independently from actual operations, although the bids into the market obviously affect which
generators are used for what time periods and which functions (base load, regulation, reserve, etc.).
Therefore there are no direct operational security impacts, but there are definitely financial security
impacts.
Scenario Description
The retail power electricity market is still minor, but growing, compared to the bulk power market, but
typically involves aggregators and energy service providers bidding customer-owned generation or load
control into both energy and ancillary services. Again it is handled independently from actual power
system operations. Therefore there are no direct operational security impacts, but there are definitely
financial security impacts. (The aggregator’s management of the customer-owned generation and load
Scenario Description
The carbon trading market does not exist yet, but the security requirements will probably be similar to
the retail electricity market.
Category Description
A broad definition of Distribution Automation includes any automation which is used in the planning,
engineering, construction, operation, and maintenance of the distribution power system, including
interactions with the transmission system, interconnected distributed energy resources (DER), and
automated interfaces with end-users.
No one approach is optimal for a utility or its customers. Certain distribution automation functions,
such as optimal volt/var control, can be more beneficial to one utility or even a few feeders in one
utility, while other distribution automation functions, such as fault detection, isolation, and service
restoration, could be far more beneficial in other utilities.
Increasingly, distribution automation will entail closed-loop control, where distribution algorithms,
applied to real-time models of the distribution system, will increase reliability and/or efficiency of the
distribution system without direct operator involvement.
Scenario Description
Scenario Description
Local automation of feeder equipment consists of power equipment that is managed locally by
computer-based controllers which are preset with various parameters to issue control actions. These
controllers may just monitor power system measurements locally, or may include some short range
communications to other controllers and/or local field crews. However, in these scenarios, no
communications exist between the feeder equipment and the control center.
Local Automated Switch Management
Local Volt/Var Control
Local Field Crew Communications to Underground Network Equipment
Scenario Description
Operators and distribution applications can monitor the equipment on the feeders and determine
whether any actions should be taken to increase reliability, improve efficiency, or respond to
emergencies. For instance, they can:
Remotely open or close automated switches
Remotely switch capacitor banks in and out
Remotely raise or lower voltage regulators
Block local automated actions
Send updated parameters to feeder equipment
Interact with equipment in underground distribution vaults
Retrieve power system information from Smart Meters
Automation of Emergency Response
Dynamic Rating of Feeders
Scenario Description
AMI smart meters and distribution automated devices can detect power outages that affect individual
customers and larger groups of customers. As customers rely more fundamentally on power (e.g. PEV)
and become used to not having to call in outages, outage detection and restoration will become
increasingly critical.
The automated fault location, isolation, and service restoration function uses the combination of the
power system model with the SCADA data from the field on real-time conditions to determine where a
fault is probably located, by undertaking the following steps:
Determines the faults cleared by controllable protective devices:
Determines the faulted sections based on SCADA fault indications and protection lockout signals
Estimates the probable fault locations, based on SCADA fault current measurements and real-time fault
analysis
Determines the fault-clearing non-monitored protective device
Uses closed-loop or advisory methods to isolate the faulted segment.
Once the fault is isolated, it determines how best to restore service to unfaulted segments through
feeder reconfiguration.
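The steps above, as an added example that is not part of NISTIR 7628 or of any vendor's distribution management system: a toy fault location, isolation and service restoration pass over a constructed four-section radial feeder. The device names, section loads and the spare capacity on the tie are assumptions made for illustration. Because the function is meant to run closed-loop without an operator, it refuses to switch when the fault indications are not one contiguous run from the breaker, which is what a failed sensor or tampered SCADA telemetry would produce, and instead returns an advisory result that an operator has to confirm.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed radial feeder, source on the left. Section i lies between
# DEVICES[i] and DEVICES[i + 1]:
#
#   B1 --S1-- SW1 --S2-- SW2 --S3-- SW3 --S4-- TIE(normally open) -- adjacent feeder
#
# B1 is the feeder breaker (reports LOCKOUT), SW1..SW3 are sectionalizing
# switches with fault indicators, TIE is the normally-open tie switch.
DEVICES = ["B1", "SW1", "SW2", "SW3", "TIE"]
SECTIONS = ["S1", "S2", "S3", "S4"]
SECTION_LOAD_KW = {"S1": 800, "S2": 600, "S3": 500, "S4": 400}  # assumed loads


@dataclass
class Telemetry:
    """One SCADA snapshot: per-device fault-indicator and lockout flags."""
    fault_indicator: dict[str, bool]
    lockout: dict[str, bool]


@dataclass
class Plan:
    mode: str                       # "closed-loop" (execute) or "advisory" (operator confirms)
    faulted_section: str | None
    open_devices: list[str] = field(default_factory=list)
    close_devices: list[str] = field(default_factory=list)
    restored_sections: list[str] = field(default_factory=list)
    notes: list[str] = field(default_factory=list)


def locate_fault(t: Telemetry) -> tuple[str | None, str | None]:
    """Return (faulted section, reason the indications were rejected).

    Fault current flows from the source to the fault, so every device between
    the breaker and the faulted section should have seen it and nothing beyond
    it should. The fault is therefore just downstream of the last device whose
    indicator is set. A gap in that run means a failed sensor or tampered
    telemetry, and a closed-loop function must not switch on it.
    """
    if not t.lockout.get("B1"):
        return None, "no lockout: no fault was cleared by a controllable device"
    flags = [bool(t.fault_indicator.get(d)) for d in DEVICES[:-1]]  # TIE carries no fault current
    if not flags[0]:
        return None, "breaker locked out but reports no fault current"
    last = max(i for i, seen in enumerate(flags) if seen)
    if not all(flags[: last + 1]):
        return None, "non-contiguous fault indications: telemetry unreliable"
    return SECTIONS[last], None


def build_plan(t: Telemetry, tie_spare_kw: int) -> Plan:
    """Isolate the faulted section and restore the healthy ones by reconfiguration."""
    section, reason = locate_fault(t)
    if section is None:
        return Plan(mode="advisory", faulted_section=None, notes=[reason])
    i = SECTIONS.index(section)
    upstream, downstream = DEVICES[i], DEVICES[i + 1]
    plan = Plan(mode="closed-loop", faulted_section=section)
    # Isolate: open both boundary devices (the tie is already open).
    plan.open_devices = [d for d in (upstream, downstream) if d != "TIE"]
    # Restore upstream sections by reclosing the breaker once the fault is boxed in.
    if upstream != "B1":
        plan.close_devices.append("B1")
        plan.restored_sections += SECTIONS[:i]
    # Restore downstream sections from the adjacent feeder, if it can carry them.
    downstream_sections = SECTIONS[i + 1:]
    if downstream_sections:
        need = sum(SECTION_LOAD_KW[s] for s in downstream_sections)
        if need <= tie_spare_kw:
            plan.close_devices.append("TIE")
            plan.restored_sections += downstream_sections
        else:
            plan.mode = "advisory"
            plan.notes.append(f"tie transfer needs {need} kW but only {tie_spare_kw} kW is spare")
    return plan


if __name__ == "__main__":
    # Constructed snapshot: B1 locked out, fault current seen through SW2 but not SW3.
    snap = Telemetry(fault_indicator={"B1": True, "SW1": True, "SW2": True, "SW3": False},
                     lockout={"B1": True})
    print(build_plan(snap, tie_spare_kw=1000))
```

The contiguity check is the part a practitioner should carry over to a real deployment: a single spoofed or stuck fault indicator is enough to make a naive implementation isolate a healthy section and back-feed the faulted one from the tie, so the integrity of each indication has to be checked against the physics of the feeder, not just against the protocol.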
Scenario Description
Load management provides active and passive control by the utility of customer appliances (e.g.
cycling of air conditioner, water heaters, and pool pumps) and certain C&I customer systems (e.g.
plenum pre-cooling, heat storage management).
Direct load control and load shedding
Demand side management
Load shift scheduling
Curtailment planning
Selective load management through Home Area Networks
Scenario Description
The brains behind the monitoring and controlling of field devices are the DA analysis software
applications. These applications generally use models of the power system to validate the raw data,
assess real-time and future conditions, and issue the appropriate actions. The applications may be
distributed and located in the field equipment for local assessments and control, and/or may be
centralized in a Distribution Management System for global assessment and control.
Local peer-to-peer interactions between equipment
Normal distribution operations using the Distribution System Power Flow (DSPF) model
Emergency distribution operations using the DSPF model
Study-Mode Distribution System Power Flow (DSPF) model
DSPF /DER Model of distribution operations with significant DER generation/storage
Scenario Description
In the future, more and more of generation and storage resources will be connected to the distribution
network and will significantly increase the complexity and sensitivity of distribution operations.
Therefore, the management of DER generation will become increasingly important in the overall
management of the distribution system, including load forecasts, real-time monitoring, feeder
reconfiguration, virtual and logical microgrids, and distribution planning.
Direct monitoring and control of DER
Shut-down or islanding verification for DER
Plug-in Hybrid Vehicle (PEV) management, as load, storage, and generation resource
Electric storage fill/draw management
Renewable energy DER with variable generation
Small fossil resource management, such as backup generators to be used for peak shifting
Scenario Description
Distribution planning typically uses engineering systems with access only to processed power system
data that is available from the control center. It is therefore relatively self-contained.
Operational planning
Assessing Planned Outages
Storm Condition Planning
Short-term distribution planning
Short-Term Load Forecast
Short-Term DER Generation and Storage Impact Studies
Long-term distribution planning
Long-Term Load Forecasts by Area
Optimal Placements of Switches, Capacitors, Regulators, and DER
Distribution System Upgrades and Extensions
Distribution Financial Planners
Category Description
Plug in electric vehicles will have a significant impact on the future electric system and challenge the
utility and customer to manage vehicle connection and charging. As adoption rates of electric vehicles
increase, the utility will have to handle the new load imposed on the electrical system. Scenarios will
consider customer payment issues regarding mobility, load shifting vehicle charging and the use of
electric vehicles as a distributed resource.
Scenario Description
This scenario discusses the simple case of a customer plugging in an electric vehicle at their premise to
charge its battery. Variations of this scenario will be considered that add complexity: a customer
charging their vehicle at another location and providing payment or charging at another location where
the premise owner pays.
Scenario: Customer Connects Plug In Hybrid Electric Vehicle to Energy Portal and Participates in
'Smart' (Optimized) Charging
Scenario Description
In addition to simply plugging in an electric vehicle for charging, in this scenario the electric vehicle
charging is optimized to take advantage of lower rates or help prevent excessive load peaks on the
electrical system.
Scenario: Plug In Hybrid Electric Vehicle or Customer Receives and Responds to Discrete Demand
Response Events
Scenario Description
An advanced scenario for electric vehicles is the use of the vehicle to provide energy stored in its
battery back to the electrical system. Customers could participate in demand response programs where
they are provided an incentive to allow the utility to request power from the vehicle at times of high
system load.
Scenario: Plug In Hybrid Electric Vehicle or Customer Receives and Responds to Utility Price Signals
Scenario Description
In this scenario, the electric vehicle is able to receive and act on electricity pricing data sent from the
utility. The use of pricing data for charging is primarily covered in another scenario. The pricing data
can also be used in support of a distributed resource program where the customer allows the vehicle to
provide power to the electric grid based on market conditions.
Category Description
Traditionally, distributed resources have served as a primary or emergency back-up energy source for
customers that place a premium on reliability and power quality. Distributed resources include
generation and storage devices that can provide power back to the electric power system. Societal,
policy and technological changes are increasing the adoption rate of distributed resources and smart
grid technologies can enhance the value of these systems.
Scenario Description
This scenario describes the process of connecting a distributed resource to the electric power system
and the requirements of net metering.
Scenario Description
Distributed generation and storage can be used as a demand response resource where the utility can
request or control devices to provide energy back to the electrical system. Customers enroll in utility
programs that allow their distributed resource to be used for load support or to assist in maintaining
power quality. The utility programs can be based on direct control signals or pricing information.
Scenario: Real-time Normal Transmission Operations Using EMS Applications and SCADA Data
Category Description
Transmission operations involve monitoring and controlling the transmission system using the SCADA
system to monitor and control equipment in transmission substations. The Energy Management System
(EMS) assesses the state of the transmission system using applications typically based on transmission
power flow models. The SCADA/EMS is located in the utility’s control center, while the key
equipment is located in the transmission substations. Protective relaying equipment monitors the health
of the transmission system and takes corrective action within a few milliseconds, such as tripping
circuit breakers, if power system anomalies are detected.
Scenario Description
Transmission normal real-time operations involve monitoring and controlling the transmission system
using the SCADA and Energy Management System. The types of information exchanged include:
Monitored equipment states (open/close), alarms (overheat, overload, battery level, capacity), and
measurements (current, voltage, frequency, energy)
Operator command and control actions, such as supervisory control of switching operations,
setup/options of EMS functions, and preparation for storm conditions
Closed-loop actions, such as protective relaying tripping circuit breakers upon power system anomalies
Automation system controls voltage, var and power flow based on algorithms, real-time data, and
network linked capacitive and reactive components
Scenario Description
The Energy Management System (EMS) assesses the state of the transmission power system using the
transmission power system analysis models and the SCADA data from the transmission substations.
EMS performs model update, state estimation, bus load forecast
EMS performs contingency analysis, recommends preventive and corrective actions
EMS performs optimal power flow analysis, recommends optimization actions
EMS or planners perform stability study of network
Exchange power system model information with RTOs/ISOs and/or other utilities
Smart Grid Characteristics: Provides power quality; Optimizes asset utilization; Anticipates and responds to
system disturbances
Cyber Security Objectives: Integrity is vital to the reliability of the transmission system; Availability is
critical to react to contingency situations via operator commands (e.g. one second); Confidentiality is not
important
Potential Stakeholder Issues: Cyber Security
Scenario Description
During emergencies, the power system takes some automated actions and the operators can also take
actions:
Power System Protection: Emergency operations handles under-frequency load/generation shedding,
under-voltage load shedding, LTC control/blocking, shunt control, series compensation control, system
separation detection, and wide area real time instability recovery
Operators manage emergency alarms
SCADA system responds to emergencies by running key applications such as disturbance monitoring
analysis (including fault location), dynamic limit calculations for transformers and breakers based on
real time data from equipment monitors, and pre-arming of fast acting emergency automation
SCADA/EMS generates signals for emergency support by distribution utilities (according to the T&D
contracts)
Operators perform system restorations based on system restoration plans prepared (authorized) by
operation management
Scenario Description
The Wide Area Synchro-Phasor system provides synchronized and time-tagged voltage and current
phasor measurements to any protection, control, or monitoring function that requires measurements
taken from several locations, whose phase angles are measured against a common, system wide
reference. Present day implementation of many protection, control, or monitoring functions are hobbled
by not having access to the phase angles between local and remote measurements. With system wide
phase angle information, they can be improved and extended. The essential concept behind this system
is the system wide synchronization of measurement sampling clocks to a common time reference.
Category Description
Scenario Description
RTOs and ISOs manage the scheduling and dispatch of central and distributed generation and storage.
These functions include:
Real time scheduling with the RTO/ISO (for non-market generation/storage)
Real time commitment to RTO/ISO
Real time dispatching by RTO/ISO for energy and ancillary services
Real time plant operations in response to RTO/ISO dispatch commands
Real time contingency and emergency operations
Black Start (system restoration after blackout)
Emissions monitoring and control
Category Description
At a high level Asset Management seeks a balance between asset performance, cost and risk to achieve
the utility's business objectives. A wide range of conventional functions, models, applications,
devices, methodologies and tools may be deployed to effectively plan, select, track, utilize, control,
monitor, maintain and protect utility assets.
For our purposes we will establish the scope for the Asset Management category to be the use of
specific applications and devices by utility staff such as condition monitoring equipment, protection
equipment, event recorders, computer-based maintenance management systems (CMMS), display
applications, ratings databases, analysis applications and data marts (historians).
Scenario Description
Load profile data is important for the utility planning staff and is also used by the asset management
team that is monitoring the utilization of the assets and by the SCADA/EMS and system operations
team. This scenario involves the use of field devices that measure loading, the communications
network that delivers the data, the historian database and the load profile application and display
capability that is either separate or an integrated part of the SCADA/EMS.
Load profile data may also be used by automatic switching applications that use load data to ensure
new system configurations do not cause overloads.
Smart Grid Characteristics: Provides power quality for the range of needs in a digital economy; Optimizes
asset utilization and operating efficiency; Anticipates and responds to system disturbances in a self-
correcting manner
Cyber Security Objectives: Data is accurate (integrity); Data is provided timely; Customer data is kept
private
Potential Stakeholder Issues: Customer data privacy and security; Cyber Security
Scenario: Utility makes decisions on asset replacement based on a range of inputs including
comprehensive off line and on line condition data and analysis applications
Category Description
At a high level Asset Management seeks a balance between asset performance, cost and risk to achieve
the utility's business objectives. A wide range of conventional functions, models, applications,
devices, methodologies and tools may be deployed to effectively plan, select, track, utilize, control,
monitor, maintain and protect utility assets.
For our purposes we will establish the scope for the Asset Management category to be the use of
specific applications and devices by utility staff such as condition monitoring equipment, protection
equipment, event recorders, computer-based maintenance management systems (CMMS), display
applications, ratings databases, analysis applications and data marts (historians).
Scenario Description
When decisions on asset replacement become necessary the system operator, asset management,
apparatus engineering and maintenance engineering staff work closely together with the objective of
maximizing the life and utilization of the asset while avoiding an unplanned outage and damage to the
equipment.
This scenario involves the use of on-line condition monitoring devices for the range of assets
monitored, off line test results, mobile work force technologies, the communications equipment used to
collect the on-line data, data marts (historian databases) to store and trend data as well as condition
analysis applications, CMMS applications, display applications and SCADA/EMS.
Scenario: Utility performs localized load reduction to relieve circuit and/or transformer overloads
Category Description
At a high level Asset Management seeks a balance between asset performance, cost and risk to achieve
the utility's business objectives. A wide range of conventional functions, models, applications,
devices, methodologies and tools may be deployed to effectively plan, select, track, utilize, control,
monitor, maintain and protect utility assets.
For our purposes we will establish the scope for the Asset Management category to be the use of
specific applications and devices by utility staff such as condition monitoring equipment, protection
equipment, event recorders, computer-based maintenance management systems (CMMS), display
applications, ratings databases, analysis applications and data marts (historians).
Advanced functions that are associated with Asset Management include dynamic rating and end of life
estimation.
Scenario Description
Transmission capacity can become constrained due to a number of system level scenarios and result in
an overload situation on lines and substation equipment. Circuit and/or transformer overloads at the
distribution level can occur when higher than anticipated customer loads are placed on a circuit or when
operator or automatic switching actions are implemented to change the network configuration.
Traditional load reduction systems are used to address generation shortfalls and other system wide
issues. Localized load reduction can be a key tool enabling the operator to temporarily curtail the load
in a specific area to reduce the impact on specific equipment. This scenario describes the integrated
use of the AMI system, the demand response system, other load reduction systems and the
SCADA/EMS to achieve this goal.
Smart Grid Characteristics:
• Provides power quality for the range of needs in a digital economy
• Optimizes asset utilization and operating efficiency
• Anticipates and responds to system disturbances in a self-correcting manner
Cyber Security Objectives/Requirements:
• Load reduction messages are accurate and trustworthy
• Customer's information is kept private
• DR messages are received and processed timely
Potential Stakeholder Issues:
• Demand response acceptance by customers
• Customer data privacy and security
• Retail Electric Supplier access
• Customer data access
Scenario: Utility system operator determines level of severity for an impending asset failure and takes
corrective action
Category Description
At a high level Asset Management seeks a balance between asset performance, cost and risk to achieve
the utility's business objectives. A wide range of conventional functions, models, applications,
devices, methodologies and tools may be deployed to effectively plan, select, track, utilize, control,
monitor, maintain and protect utility assets.
For our purposes we will establish the scope for the Asset Management category to be the use of
specific applications and devices by utility staff such as condition monitoring equipment, protection
equipment, event recorders, computer-based maintenance management systems (CMMS), display
applications, ratings databases, analysis applications and data marts (historians).
Scenario Description
When pending asset failure can be anticipated the system operator, asset management, apparatus
engineering and maintenance engineering staff work closely together with the objective of avoiding an
unplanned outage while avoiding further damage to the equipment.
This scenario involves the use of on-line condition monitoring devices for the range of assets
monitored, off line test results, mobile work force technologies, the communications equipment used to
collect the on-line data, data marts (historian databases) to store and trend data as well as condition
analysis applications, CMMS applications, display applications and SCADA/EMS.
Smart Grid Characteristics:
• Provides power quality for the range of needs in a digital economy
• Optimizes asset utilization and operating efficiency
• Anticipates and responds to system disturbances in a self-correcting manner
Cyber Security Objectives/Requirements:
• Asset information provided is accurate and trustworthy
• Asset information is provided timely
Potential Stakeholder Issues:
• Cyber Security
• Customer data privacy and security
APPENDIX B
CROSSWALK OF CYBER SECURITY DOCUMENTS
The following is a mapping between the security requirements contained in several relevant documents that include security
requirements that may be applicable to the Smart Grid. All of the documents listed in this table will be used as source documents in
the selection and tailoring of the security requirements for the Smart Grid.
NIST SP 800-53 | DHS Catalog of Control System Security Req | NERC CIPs (1-9) May 2009 | NIST SP 800-82

Access Control
AC-1 Access Control Policy and Procedures | 2.9.6 Information and Document Classification | CIP 003 (R4, R4.1, R4.2) |
 | 2.9.7 Information and Document Retrieval | |
 | 2.15.1 Access Control Policies and Procedures | CIP 003-2 (R1, R1.1, R1.3, R5, R5.3) | 3.2.2
AC-2 Account Management | 2.2.6 Termination of Third Party Access | CIP 004-2 (R4) |
 | 2.15.6 Supervision and Review | CIP 007-2 (R5.1.2) |
AC-3 Access Enforcement | 2.9.6 Information and Document Classification | CIP 003 (R4, R4.1, R4.2) |
 | 2.15.7 Access Enforcement | CIP 004-2 (R4); CIP 005-2 (R2, R2.1-R2.4) |
AC-4 Information Flow Enforcement | 2.15.3 Account Management | CIP 003-2 (R5, R5.1, R5.2, 5.3); CIP 004-2 (R4, R4.1, R4.2); CIP 005-2 (R2.5); CIP 007-2 (R5, R5.1, R5.2) |
 | 2.15.15 Information Flow Enforcement | |
AC-5 Separation of Duties | 2.15.8 Separation of Duties | |
AC-14 Permitted Actions without Identification or Authentication | 2.15.11 Permitted Actions without Identification and Authentication | |
AC-15 Automated Marking (Withdrawn) | | |
AC-16 Security Attributes | 2.9.11 Automated labeling | |
AC-17 Remote Access | 2.15.23 Remote Access Policy and Procedures | CIP 005-2 (R1, R1.1, R1.2, R2, R2.3, R2.4) |
 | 2.15.24 Remote Access | CIP 005-2 (R2, R3, R3.1, R3.2) |
AC-18 Wireless Access | 2.15.26 Wireless Access Restrictions | | 6.3.2.5
AC-19 Access Control for Mobile Devices | 2.15.25 Access Control for Portable and Mobile Devices | CIP 005-2 (R2.4, R5, R5.1) | 6.2.2.2
AC-20 Use of External Information Systems | 2.15.29 Use of External Information Control Systems | |

Awareness and Training
AT-1 Security Awareness and Training Policy and Procedures | 2.11.1 Security Awareness Training Policy and Procedures | CIP 004-2 (R1, R2) |
AT-2 Security Awareness | 2.11.2 Security Awareness | CIP 004-2 (R1) |
AT-3 Security Training | 2.7.5 Planning Process Training | CIP 004-2 (R2) |
 | 2.11.3 Security Training | CIP 004-2 (R2) |
AT-4 Security Training Records | 2.11.4 Security Training Records | CIP 004-2 (R2.3) |
AT-5 Contacts with Security Groups and Associations | 2.11.5 Contact with Security Groups and Associations | |

Audit and Accountability
AU-1 Audit and Accountability Policy and Procedures | 2.16.1 Audit and Accountability Process and Procedures | CIP 003-2 (R1, R1.1, R1.3) | 4.2, 6.3.3
AU-2 Auditable Events | 2.16.2 Auditable Events | CIP 005-2 (R3); CIP 007-2 (R5.1.2, R5.2.3, R6.1, R6.3) | 6.3.3
AU-3 Content of Audit Records | 2.16.3 Content of Audit Records | CIP 007-2 (R5.1.2) | 6.3.3
AU-6 Audit Review, Analysis, and Reporting | 2.15.6 Supervision and Review | CIP 007-2 (R5.1.2) |
 | 2.16.6 Audit Monitoring, Analysis, and Reporting | CIP 007-2 (R6.5) | 6.3.3
AU-7 Audit Reduction and Report Generation | 2.16.7 Audit Reduction and Report Generation | | 6.3.3
AU-9 Protection of Audit Information | 2.16.9 Protection of Audit Information | CIP 003-2 (R4) | 6.3.3
AU-10 Non-repudiation | 2.16.16 Non-Repudiation | |
AU-11 Audit Record Retention | 2.16.10 Audit Record Retention | CIP 005-2 (R5.3); CIP 007-2 (R5.1.2, R6.4); CIP 008-2 (R.2) | 6.3.3
AU-12 Audit Generation | 2.16.15 Audit Generation | |

 | 2.16.11 Conduct and Frequency of Audits | | 6.3.1
 | 2.16.14 Security Policy Compliance | |
 | 2.17.3 Monitoring of Security Policy | |
 | 2.17.6 Security Certification | |
 | 2.18.4 Security Assessments | CIP 007-2 (R1) |
CA-3 Information System Connections | 2.8.18 System Connections | CIP 005-2 (R2, R2.2-R2.4) |
 | 2.18.5 Control System Connections | CIP 005-2 (R2) |
CA-4 Security Certification (Withdrawn) | | |
CA-5 Plan of Action and Milestones | 2.18.6 Plan of Action and Milestones | CIP 005-2 (R4.5); CIP 007-2 (R8.4) |
CA-6 Security Authorization | 2.17.5 Security Accreditation | |

Configuration Management
CM-1 Configuration Management Policy and Procedures | 2.6.1 Configuration Management Policy and Procedures | CIP 003-2 (R6) |
CM-2 Baseline Configuration | 2.6.2 Baseline Configuration | CIP 007-2 (R9) |
CM-3 Configuration Change Control | 2.6.3 Configuration Change Control | CIP 003-2 (R6) |
CM-4 Security Impact Analysis | 2.6.4 Monitoring Configuration Changes | CIP 003-2 (R6) |
CM-5 Access Restrictions for Change | 2.6.5 Access Restrictions for Configuration Change | CIP 003-2 (R6) |
CM-6 Configuration Settings | 2.6.6 Configuration Settings | CIP 003-2 (R6); CIP 005 (R2.2) |
CM-7 Least Functionality | 2.6.7 Configuration for Least Functionality | |
CM-8 Information System Component Inventory | 2.6.8 Configuration Assets | |
CM-9 Configuration Management Plan | 2.6.11 Configuration Management Plan | |

Contingency Planning
CP-1 Contingency Planning Policy and Procedures | | |
CP-2 Contingency Plan | 2.12.2 Continuity of Operations Plan | CIP 008-2 (R1); CIP 009-2 (R1) |
 | 2.12.3 Continuity of Operations Roles and Responsibilities | CIP 009-2 (R1.1, R1.2) | 6.2.3
 | 2.12.6 Continuity of Operations Plan Update | CIP 009-2 (R3) |
CP-3 Contingency Training | | |
CP-4 Contingency Plan Testing and Exercises | 2.12.5 Continuity of Operations Plan Testing | CIP 008-2 (R1.6); CIP 009-2 (R2, R5) | 6.2.3, 6.2.3.2
CP-5 Contingency Plan Update (Withdrawn) | | |
CP-6 Alternate Storage Site | 2.12.13 Alternative Storage Sites | |
Reconstitution | 2.12.17 Control System Recovery and Reconstitution | CIP 009-2 (R4) | 6.2.3.2

Identification and Authentication
IA-1 Identification and Authentication Policy and Procedures | 2.15.2 Identification and Authentication Procedures and Policy | CIP 003-2 (R1, R1.1, R1.3) |
IA-2 Identification and Authentication (Organizational Users) | 2.15.10 User Identification and Authentication | CIP 005-2 (R2) |

IR-1 Incident Response Policy and Procedures | 2.7.4 Incident Roles and Responsibilities | CIP 008-2 (R1.2); CIP 009-2 (R1.2) |
 | 2.12.1 Incident Response Policy and Procedures | CIP 008-2 (R1, R1.2-R1.5) | 6.1.1
IR-2 Incident Response Training | 2.7.4 Incident Roles and Responsibilities | CIP 008-2 (R1.2); CIP 009-2 (R1.2) |
 | 2.12.4 Incident Response Training | CIP 009-2 (R2) |
IR-3 Incident Response Testing and Exercises | 2.12.5 Continuity of Operations Plan Testing | CIP 008-2 (R1.6); CIP 009-2 (R2, R5) | 6.2.3, 6.2.3.2
IR-4 Incident Handling | 2.7.7 Investigate and Analyze | CIP 008-2 (R1) |
 | 2.7.8 Corrective Action | CIP 009 (R3) |
 | 2.12.7 Incident Handling | CIP 008-2 (R1.1, R1.2, R1.3) |
 | 2.12.12 Corrective Action | CIP 008-2 (R1.4); CIP 009-2 (R3) |
IR-5 Incident Monitoring | 2.12.8 Incident Monitoring | CIP 007-2 (R6, R6.2) |
IR-6 Incident Reporting | 2.12.9 Incident Reporting | CIP 008-2 (R1.3) |
IR-7 Incident Response Assistance | 2.12.10 Incident Response Assistance | CIP 008-2 (R1, R1.2, R1.3) |
IR-8 Incident Response Plan | 2.7.3 Interruption Identification and Classification | |
 | 2.12.11 Incident Response Investigation and Analysis | CIP 008-2 (R1) |
 | 2.12.12 Corrective Action | CIP 008-2 (R1.4); CIP 009-2 (R3) |

Maintenance
MA-1 System Maintenance Policy and Procedures | 2.10.1 System Maintenance Policy and Procedures | |

 | 2.13.4 Media Labeling | |
MP-4 Media Storage | 2.13.5 Media Storage | |
MP-6 Media Sanitization | 2.6.9 Addition, Removal, and Disposition of Equipment | CIP 003-2 (R6) |
 | 2.9.8 Information and Document Destruction | |
 | 2.13.7 Media Sanitization and Storage | CIP 007-2 (R7, R7.1, R7.2, R7.3) | 6.2.7

Physical and Environmental Protection
PE-1 Physical and Environmental Protection Policy and Procedures | 2.4.1 Physical and Environmental Security Policies and Procedures | CIP 006-2 (R1, R2) | 6.2.2
PE-2 Physical Access Authorizations | 2.4.2 Physical Access Authorizations | CIP 004-2 (R4) |
PE-3 Physical Access Control | 2.4.3 Physical Access Control | CIP 006-2 (R2) | 6.2.2
 | 2.4.21 Physical Device Access Control | CIP 006-2 (R2, R3) |
PE-4 Access Control for Transmission Medium | | |
PE-5 Access Control for Output Devices | | |
PE-6 Monitoring Physical Access | 2.4.4 Monitoring Physical Access | CIP 006-2 (R5) | 6.2.2
PE-7 Visitor Control | 2.4.5 Visitor Control | CIP 006-2 (R1.4) |

PL-1 Security Planning Policy and Procedures | 2.7.1 Strategic Planning Policy and Procedures | |

PS-3 Personnel Screening | 2.3.3 Personnel Screening | CIP 004-2 (R3) | 6.2.1
PS-5 Personnel Transfer | 2.3.5 Personnel Transfer | CIP 004-2 (R4.1, R4.2) |
PS-7 Third-Party Personnel Security | 2.3.7 Third Party Personnel Security | CIP 004-2 (R3.3) |
PS-8 Personnel Sanctions | 2.3.8 Personnel Accountability | |

Risk Assessment
RA-1 Risk Assessment Policy and Procedures | 2.18.1 Risk Assessment Policy and Procedures | CIP 002-2 (R1, R1.1, R1.2, R4); CIP 003-2 (R1, R1.3) | 6.1.1
RA-2 Security Categorization | 2.9.4 Information Classification | CIP 003-2 (R4, R4.2) |
RA-3 Risk Assessment | 2.18.9 Risk Assessment | CIP 002-2 (R1.2) |
 | 2.18.10 Risk Assessment Update | CIP 002-2 (R4) |
 | 2.18.12 Identify, Classify, Analyze, and Prioritize Potential Security Risks | |
RA-4 Risk Assessment Update (Withdrawn) | | |
RA-5 Vulnerability Scanning | 2.10.3 System Monitoring and Evaluation | CIP 007-2 (R8) |
 | 2.18.11 Vulnerability Assessment and Awareness | CIP 005-2 (R4, R4.2, R4.3, R4.4); CIP 007-2 (R8) |

System and Service Acquisition
SA-1 System and Services Acquisition Policy and Procedures | 2.5.1 System and Services Acquisition Policy and Procedures | |
SA-2 Allocation of Resources | 2.5.2 Allocation of Resources | |
SA-10 Developer Configuration Management | 2.5.10 Vendor Configuration Management | |

SC-7 Boundary Protection | 2.8.7 Boundary Protection | CIP 005-2 (R1, R1.1, R1.2, R1.3, R1.4, R1.6, R2, R2.1-R2.4, R5, R5.1) |
SC-8 Transmission Integrity | 2.8.8 Communication Integrity | |
SC-19 Voice Over Internet Protocol | 2.8.17 Voice-over-Internet Protocol | |
SC-20 Secure Name/Address Resolution Service (Authoritative Source) | 2.8.22 Secure Name/Address Resolution Service (Authoritative Source) | |
SC-31 Covert Channel Analysis | 2.8.31 Covert Channel Analysis | |

SI-4 Information System Monitoring | 2.14.4 System Monitoring Tools and Techniques | CIP 007-2 (R6) | 2.14.4
SI-5 Security Alerts, Advisories, and Directives | 2.14.5 Security Alerts and Advisories | | 2.14.5
SI-6 Security Functionality Verification | 2.14.6 Security Functionality Verification | CIP 007-2 (R1) | 2.14.6
SI-7 Software and Information Integrity | 2.14.7 Software and Information Integrity | |
SI-8 Spam Protection | 2.14.8 Spam Protection | CIP 007-2 (R4) | 3.2, 6.2.6
SI-9 Information Input Restrictions | 2.14.9 Information Input Restrictions | CIP 003-2 (R5); CIP 007-2 (R5, R5.1, 5.2) |
SI-10 Information Input Validation | 2.14.10 Information Input Accuracy, Completeness, Validity and Authenticity | |
SI-11 Error Handling | 2.14.11 Error Handling | |
SI-12 Information Output Handling and Retention | 2.9.2 Information and Document Retention | CIP 006-2 (R7) |
 | 2.14.12 Information Output Handling and Retention | |
SI-13 Predictable Failure Prevention | 2.14.13 Predictable Failure Prevention | |

Program Management
PM-1 Information Security Program Plan | 2.1.1 Security Policies and Procedures | CIP 003-2 (R1, R1.1, R1.3, R5, R5.3) | 4.2
 | 2.2.1 Management Policies and Procedures | CIP 003-2 (R1, R2, R3, R4, R5, R6) | ES-3
 | 2.17.1 Monitoring and Reviewing Control System Security Management Policy and Procedures | |
 | 2.19.1 Security Program Plan | |
PM-9 Risk Management Strategy | 2.2.4 Coordination of Threat Mitigation | CIP 008-2 (R1.3) |
 | 2.7.3 Interruption Identification and Classification | |
 | 2.7.9 Risk Mitigation | CIP 002-2 (R1) |
 | 2.18.2 Risk Management Plan | CIP 003-2 (R4, R4.1, R4.2) |
 | 2.19.9 Risk Management Strategy | |
PM-10 Security Authorization Process | 2.19.10 Security Authorization Process | |
PM-11 Mission/Business Process Definition | 2.19.11 Mission/Business Process Definition | |
B-23
Second Draft NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements – Feb 2010
APPENDIX C
VULNERABILITY CLASSES
C.1 INTRODUCTION
This chapter is in draft format. For the purpose of this chapter, a Vulnerability Class is a category
of weakness which could adversely impact the operation of the electric grid. A “vulnerability” is
the thing which can be leveraged to cause disruption or otherwise have undue influence over the
Smart Grid. Actual attacks and impacts will be noted in additional documentation still being
produced.
We envision this information to be used in discussions specifically by the SGIP-CSWG at large
and its various subgroups.
As input to the classification process, we used many sources of vulnerability information,
including NIST 800-82 and 800-53, OWASP vulnerabilities, CWE vulnerabilities, attack
documentation from INL, input provided by the NIST SGIP-CSWG Bottoms-Up group, and the
NERC CIP standards. Compiling one document from these many sources with different
viewpoints has sometimes been challenging, and further refinement is planned based on feedback
from the SGIP-CSWG. This document is still under revision and is open for comment.
C.2.1 Training
This category of vulnerabilities is related to personnel training in all forms that relate to
implementing, maintaining, and operating systems.
Description
Under policy it needs to be very clear that access and information are granted only on an as-needed
basis; access needs to be well controlled and monitored and, again, is very dependent on the access
requirement and the level of impact that access could have on an organization.
Here it is the added steps, such as validating backups, ensuring devices being recovered are clean
before installing the backups, incident reporting, etc.
Potential Impact
A possible plant or operational outage that lasts longer than required.
• Victim mistakes
• Implementation oversights
• Denial of service attacks
• Enrollment attacks (OWASP page “Comprehensive list of Threats to Authentication
Procedures and Data”)
• Allowing password aging
• Authentication Bypass via Assumed-Immutable Data
• Empty String Password
• Failure to drop privileges when reasonable
• Hard-Coded Password
• Not allowing password aging
• Often Misused: Authentication
• Reflection attack in an auth protocol
• Unsafe Mobile Code
• Using password systems
• Using referer field for authentication or authorization
• Using single-factor authentication
Potential Impact
Access granted without official permission
Authorization Vulnerability
Description
Authorization is the process of assigning correct system permissions to an authenticated entity.
This class of vulnerability allows authenticated entities the ability to perform actions which
policy does not allow.
Examples
• Code Permission Vulnerability
• Access control enforced by presentation layer
• File Access Race Condition: TOCTOU
• Least Privilege Violation
• Often Misused: Privilege Management
• Using referer field for authentication or authorization
• Insecure direct object references
Cryptographic Vulnerability
Description
Cryptography is the use of mathematical principles to ensure that information is hidden from
unauthorized parties, the information is unchanged, and the intended party can verify the sender.
This vulnerability class includes issues which allow an attacker to view, modify or forge
encrypted data, or impersonate another party through digital signature abuse.
Examples
• Algorithm problems
• Key management problems
• Random number generator problems
• Addition of data-structure sentinel
• Assigning instead of comparing
• Comparing instead of assigning
• Deletion of data-structure sentinel
• Duplicate key in associative list
• Failure to check whether privileges were dropped successfully
• Failure to deallocate data
• Failure to provide confidentiality for stored data
• Guessed or visible temporary file
• Improper cleanup on thrown exception
• Improper error handling
• Improper temp file opening
• Incorrect block delimitation
• Misinterpreted function return value
• Missing parameter
• Omitted break statement
• Passing mutable objects to an un-trusted method
• Symbolic name not mapping to correct object
• Truncation error
• Undefined Behavior
• Uninitialized Variable
Environmental Vulnerability
Description
“This category includes everything that is outside of the source code but is still critical to the
security of the product that is being created. Because the issues covered by this kingdom are not
directly related to source code, we separated it from the rest of the kingdoms.” (OWASP page)
Examples
• ASP.NET Misconfigurations
• Empty String Password
• Failure of true random number generator
• Information leak through class cloning
• Information leak through serialization
• Insecure Compiler Optimization
• Insecure Transport
• Insufficient Session-ID Length
• Insufficient entropy in pseudo-random number generator
• J2EE Misconfiguration: Unsafe Bean Declaration
• Missing Error Handling
• Publicizing of private data when using inner classes
• Relative path library search
• Reliance on data layout
• Relying on package-level scope
• Resource exhaustion
• Trust of system event data
Examples
• ASP.NET Misconfigurations
• Catch NullPointerException
• Empty Catch Block
• Improper cleanup on thrown exception
• Improper error handling
• Information Leakage
• Missing Error Handling
• Often Misused: Exception Handling
• Overly-Broad Catch Block
• Overly-Broad Throws Declaration
• Return Inside Finally Block
• Uncaught exception
• Unchecked Error Condition
Path Vulnerability
Description
“This category is for tagging path issues that allow attackers to access files that are not intended
to be accessed. Generally, this is due to dynamic construction of a file path using unvalidated
user input” (OWASP page).
Examples
• Path Traversal Attack
• Relative Path Traversal Attack
• Virtual Files Attack
• Path Equivalence Attack
• Link Following Attack
• Virtual Files Attack
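The defensive counterpart to the Path Traversal and Relative Path Traversal entries above is a containment check run before any file is opened. The following is an added example, not code from NISTIR 7628 or OWASP: it normalizes a user-supplied relative path lexically ("." dropped, ".." popped) and rejects anything that would climb above a fixed base directory; the base directory, file names and the function name `build_contained_path` are constructed for illustration. It assumes any URL or Unicode decoding has already been done, and a symlink ("Link Following") check on the resolved path is still needed afterwards.

```c
/*
 * Added example (not from NISTIR 7628 or OWASP): lexical containment check
 * for a user-supplied relative path under a fixed base directory. Pure
 * string processing, so it runs before any open() and touches no files.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SEGMENTS 64

static int is_sep(char c)
{
    return c == '/' || c == '\\';          /* accept both separator styles */
}

/* Builds "<base>/<normalized user_path>" into out.
 * Returns 1 if the result stays inside base, 0 if the request is rejected
 * (absolute path, escape via "..", empty result, or out too small). */
int build_contained_path(const char *base, const char *user_path,
                         char *out, size_t out_size)
{
    if (base == NULL || user_path == NULL || out == NULL || out_size == 0)
        return 0;
    if (user_path[0] == '\0' || is_sep(user_path[0]))
        return 0;                          /* empty or absolute: refuse */

    const char *seg[MAX_SEGMENTS];         /* surviving path segments */
    size_t seglen[MAX_SEGMENTS];
    int depth = 0;

    for (const char *p = user_path; *p != '\0'; ) {
        const char *start = p;
        while (*p != '\0' && !is_sep(*p))
            p++;
        size_t len = (size_t)(p - start);
        if (*p != '\0')
            p++;                           /* skip the separator */

        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                      /* "//" or "." changes nothing */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return 0;                  /* would leave the base directory */
            depth--;                       /* pop the previous segment */
            continue;
        }
        if (depth == MAX_SEGMENTS)
            return 0;                      /* unreasonably deep request */
        seg[depth] = start;
        seglen[depth] = len;
        depth++;
    }
    if (depth == 0)
        return 0;                          /* resolves to base itself */

    /* Join the surviving segments under base, checking space as we go. */
    size_t used = strlen(base);
    if (used >= out_size)
        return 0;
    memcpy(out, base, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + seglen[i] >= out_size)
            return 0;                      /* no room for segment plus NUL */
        out[used++] = '/';
        memcpy(out + used, seg[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 1;
}

int main(void)
{
    /* constructed requests against a constructed base directory */
    const char *base = "/srv/historian/exports";
    const char *requests[] = {
        "2010/feb/load_profile.csv",
        "2010/./feb/../jan/load_profile.csv",
        "../../etc/passwd",
        "2010\\..\\..\\etc\\passwd",
        "/etc/passwd",
    };
    char out[256];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        int ok = build_contained_path(base, requests[i], out, sizeof out);
        printf("%-40s -> %s\n", requests[i], ok ? out : "REJECTED");
    }
    return 0;
}
```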
Protocol Errors
Description
Protocols are rules of communication. This vulnerability class deals with the security issues
introduced during protocol design.
Examples
• Failure to add integrity check value
• Failure to check for certificate revocation
• Failure to check integrity check value
• Failure to encrypt data
• Failure to follow chain of trust in certificate validation
• Failure to protect stored data from modification
• Failure to validate certificate expiration
• Failure to validate host-specific certificate data
• Key exchange without entity authentication
• Storing passwords in a recoverable format
• Trusting self-reported DNS name
• Trusting self-reported IP address
• Use of hard-coded password
• Insufficient transport layer protection
• Use of weak SSL/TLS protocols
• SSL/TLS key exchange without authentication
• Stack overflow
• Truncation error
• Trust Boundary Violation
• Unchecked array indexing
• Unsigned to signed conversion error
• Using freed memory
• Validation performed in client
• Wrap-around error
• Cardinality incorrect
• Value integrity modification
• Sequencing or timing error
Buffer Overflow
Description
Software used to implement an ICS could be vulnerable to buffer overflows; adversaries could
exploit these to perform various attacks. (SP 800-82)
A buffer overflow condition exists when a program attempts to put more data in a buffer than it
can hold, or when a program attempts to put data in a memory area outside of the boundaries of a
buffer. The simplest type of error, and the most common cause of buffer overflows, is the
"classic" case in which the program copies the buffer without checking its length at all. Other
variants exist, but the existence of a classic overflow strongly suggests that the programmer is
not considering even the most basic of security protections. (CWE)
Examples
• CVE-1999-0046 - buffer overflow in local program using long environment variable
• CVE-2000-1094 - buffer overflow using command with long argument
• CVE-2001-0191 - By replacing a valid cookie value with an extremely long string of
characters, an attacker may overflow the application's buffers.
• CVE-2002-1337 - buffer overflow in comment characters, when product increments a
counter for a ">" but does not decrement for "<"
• CVE-2003-0595 - By replacing a valid cookie value with an extremely long string of
characters, an attacker may overflow the application's buffers (CWE).
API Abuse
Description
“An API is a contract between a caller and a callee. The most common forms of API abuse are
caused by the caller failing to honor its end of this contract” (OWASP page).
Examples
“For example, if a program fails to call chdir() after calling chroot(), it violates the contract that
specifies how to change the active root directory in a secure fashion. Another good example of
library abuse is expecting the callee to return trustworthy DNS information to the caller. In this
case, the caller abuses the callee API by making certain assumptions about its behavior (that the
return value can be used for authentication purposes). One can also violate the caller-callee
contract from the other side. For example, if a coder subclasses SecureRandom and returns a
non-random value, the contract is violated” (OWASP page).
• Dangerous Function
• Directory Restriction Error
• Failure to follow guideline/specification
• Heap Inspection
• Ignored function return value
• Object Model Violation: Just One of equals() and hashCode() Defined
• Often Misused: Authentication
• Often Misused: Exception Handling
• Often Misused: File System
• Often Misused: Privilege Management
• Often Misused: String Management
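The chroot()/chdir() contract quoted above, written out as an added example (not code from the NISTIR or from OWASP); enter_jail is a hypothetical name, and the function assumes a POSIX system with glibc:

```c
#define _GNU_SOURCE          /* expose chroot() in <unistd.h> on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Confine the calling process to newroot the way the chroot() contract
 * requires.  Two parts of the contract are commonly skipped:
 *   1. chroot() only changes the root used for path resolution; the current
 *      working directory is left where it was, so it must be moved inside
 *      the new root with chdir("/") or the process can still walk the old
 *      tree through ".." from its old cwd.
 *   2. Every return value is checked ("Ignored function return value" in the
 *      list above): a silently failed chroot() leaves the process with full
 *      filesystem access while the code believes it is confined.
 * Dropping privileges afterwards is the caller's job; a root process inside
 * the jail is not meaningfully confined.
 * Returns 0 on success, -1 (with errno set) on failure.  Hypothetical name. */
int enter_jail(const char *newroot)
{
    if (newroot == NULL || newroot[0] != '/') {
        errno = EINVAL;         /* insist on an absolute path */
        return -1;
    }
    if (chroot(newroot) != 0) {
        fprintf(stderr, "chroot(%s): %s\n", newroot, strerror(errno));
        return -1;
    }
    /* Part 1 of the contract: re-anchor the cwd inside the new root. */
    if (chdir("/") != 0) {
        fprintf(stderr, "chdir(/): %s\n", strerror(errno));
        return -1;
    }
    return 0;
}
```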
Examples
• Dangerous Function such as the C function gets()
• Directory Restriction Error
• Failure to follow guideline/specification
• Heap Inspection
• Insecure Temporary File
• Object Model Violation: Just One of equals() and hashCode() Defined
• Often Misused: Exception Handling
• Often Misused: File System
• Often Misused: Privilege Management
• Often Misused: String Management
• Unsafe function call from a signal handler
• Use of Obsolete Methods
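The classic unchecked copy from the Buffer Overflow description above, beside a bounds-checked form, plus an fgets()-based replacement for the gets() item in this list; this is an added example, not code from the NISTIR text. NAME_MAX_LEN, DEVICE_NAME and the function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 32   /* hypothetical fixed-size destination buffer */

/* The "classic" overflow: the caller copies the source into a fixed buffer
 * without looking at its length, so a value longer than NAME_MAX_LEN bytes
 * (an over-long environment variable or argument, as in the CVEs listed
 * above) writes past the end of dst.  Kept only for contrast; never called. */
void load_name_unchecked(char dst[NAME_MAX_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: measure the source against the destination size before
 * copying, reject what does not fit, and always NUL-terminate.
 * Returns 0 on success and -1 (with dst emptied) on rejection. */
int load_name_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    /* Scan at most dst_size bytes of src, so an unterminated or enormous
     * source cannot make the length check itself walk off the end. */
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n >= dst_size)          /* no room for the terminator: reject */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Read the hypothetical DEVICE_NAME variable into a bounded buffer. */
int device_name_from_env(char *dst, size_t dst_size)
{
    return load_name_checked(dst, dst_size, getenv("DEVICE_NAME"));
}

/* gets() cannot be told the buffer size, which is why it is listed as a
 * dangerous function; fgets() can.  Reads one line into dst, stripping the
 * newline.  Returns 0 on success, -1 at end of input (or on an unusable
 * buffer), and -2 when the line did not fit: dst is emptied and the rest of
 * the line is discarded so the next call starts cleanly at the next line. */
int read_line_bounded(FILE *fp, char *dst, size_t dst_size)
{
    if (dst == NULL || dst_size < 2 || fgets(dst, (int)dst_size, fp) == NULL)
        return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return 0;
    }
    /* No newline seen: the line ended at EOF, exactly filled the buffer, or
     * was longer than the buffer.  Peek one character to tell them apart. */
    int c = fgetc(fp);
    if (c == EOF || c == '\n')
        return 0;
    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;                       /* drain the oversized remainder */
    dst[0] = '\0';
    return -2;
}
```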
C.4.1 Design
C.4.2 Implementation
Description
Malicious software can result in performance degradation, loss of system availability, and the
capture, modification, or deletion of data. Malware protection software, such as antivirus
software, is needed to prevent systems from being infected by malicious software (SP 800-82).
Examples
• Malware protection software not installed
• Malware protection software or definitions not current
• Malware protection software implemented without exhaustive testing
C.4.3 Operational
Examples
Potential Impact
or a correlation of certain events, and may also need to be logged. A central logging facility may
also be necessary for correlating events. Appropriate event reactions could include automatic
paging of relevant personnel in the event of persistent tamper messages or requiring positive
acknowledgement to indicate supervisory approval before executing a potentially disruptive
command such as simultaneously disconnecting many loads from the electrical grid or granting
control access rights to hundreds of users.
C.5 NETWORK
Networks are defined by connections between multiple locations and organizational units, and are composed of many different devices using similar protocols and procedures to facilitate a secure exchange of information. Vulnerabilities and risks occur within smart grid networks when policy management and procedures, as they relate to the data exchanged, do not conform to required standards and compliance policies.
Network areas identified as being susceptible to risk and with policy and compliance impacts
are: data integrity, security, protocol encryption, authentication, and device hardware.
Potential Impact
• Compromise of smart device, head node, or utility management servers.
• Buffer Overflows
• Covert Channels
• MitM
• DoS / DDoS
• Back Doors
• Worms and other malicious software
Insufficient Redundancy
Description
The architecture does not provide sufficient redundancy, exposing the system to intentional or unintentional denial of service.
Examples
• Lack of redundancy for critical networks (800-82 3-9)
Potential Impact
• Denial of Service (DoS / DDoS)
• MitM
• EEPROM Dumping
• Micro Controller Dumping
• Bus Snooping
• Key Extraction
REFERENCES
NIST Special Publication 800-82, Guide to Industrial Control Systems Security
http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
APPENDIX D
BOTTOM-UP SECURITY ANALYSIS OF THE SMART GRID
D.1 Scope of This Effort
This effort, a subgroup of the SGIP-CSWG, is performing a bottom-up analysis of cyber security
issues in the evolving Smart Grid. The goal is to identify specific protocols, interfaces,
applications, best practices, etc. that could and should be developed to solve specific Smart Grid
cyber security problems. The approach taken herein is bottom-up; that is, to identify some
specific problems and issues that need to be addressed, but not to perform a comprehensive gap
analysis that covers all issues. This effort intends to complement the top-down efforts being
followed elsewhere in the SGIP-CSWG. By proceeding with a bottom-up analysis, our hope is
to more quickly identify fruitful areas for solution development, while leaving comprehensive
gap analysis to other efforts of the SGIP-CSWG, and providing an independent completeness
check for top-down gap analyses. This effort is proceeding simultaneously in several phases.
First, we have captured a number of evident and specific security problems in the Smart Grid
that are amenable to and should have open and interoperable solutions, but are not obviously
solved by existing standards, de facto standards, or best practices. This list includes only cyber
security problems that have some specific relevance to or uniqueness in the smart grid. Thus we
do not list general cyber security problems such as poor software engineering practices, key
management, etc. unless these problems have some unique twist when considered in the context
of the smart grid. We are continuing to add to this list of problems as we come across problems
not yet documented.
In conjunction with developing the list of specific problems, we have developed a separate list of
more abstract security issues that are not as specific as the problems in the first list, but are
nevertheless of significant importance. Considering these issues in specific contexts can reveal
specific problems.
Next, drawing in part from the specific problems and abstract issues cataloged in the first two
lists, we are developing a third list of cyber security design considerations for smart grid
systems. These design considerations discuss important cyber security issues that arise in the
design, deployment, and use of smart grid systems, and should be considered by system
designers, implementers, purchasers, integrators, and users of smart grid technologies. In
discussing the relative merits of different technologies or solutions to problems, these design
considerations stop short of recommending specific solutions or even requirements. Our
intention is to highlight important issues that can serve as a means of identifying and formulating
requirements and high-level designs for key protocols and interfaces that are missing and need to
be developed.
Remote Terminal Units (RTUs) – In a SCADA system, an RTU is a device installed at a remote
location to collect and code data in a transmittable format back to a central station or master.
RTUs typically connect to input and output channels. Input channels are equipped to handle
metering information and sensing changes. Output channels are equipped for control or alarms.
Continuous communication to an RTU is accomplished through an internally-controlled or
externally-provided serial or network connection. Typical environments can also include dial-up
connections where continuous monitoring is not required.
Programmable Logic Controllers (PLCs) / Intelligent Electronic Devices (IEDs) / Relays – Most
electric utilities have separate Distributed Control Systems (DCS) and Relay Protection Systems
for their power plants and substation control systems. In a substation environment PLCs and
IEDs are used to protect transformers and customer equipment when a specific undesirable event
occurs on the transmission or distribution system. In power plants, this type of equipment is used
to protect associated generating equipment from internal and external system failures. Current
technology in electric power distribution automation also includes IEDs on the feeder, outside
the substation fence. The simplest of these devices perform such functions as local control of
switched capacitor banks (over 100,000 of these are deployed in North America), feeder
switching devices including remotely-operable switches, switch operators, sectionalizers and
reclosers (automatically-reclosing circuit breakers). In addition to these relatively simple
devices, feeder automation also includes DCSs, some of which perform automatic feeder
reconfiguration (switching) to isolate and reroute power in the event of a fault on the circuit.
These systems can be very sophisticated, involving pure, peer-oriented distributed logic and
traveling autonomous software agents. Commercial application of these latter systems numbers
in the many thousands of units. With the emergence of the Smart Grid, new classes of IEDs are
being developed to manage a wide variety of alternative energy and energy storage devices.
Smart Meters – A type of advanced meter that identifies consumption in more detail than a
conventional meter. Communication to this type of meter is typically accomplished using the
internet, wireless networks, local power lines, or fiber back to the local utility provider.
Specialized communication hardware – Internally-controlled communication networks such as
microwave, fiber optic, or RF-based technologies are the platforms utilized by the electrical
sector to connect remote devices to central stations or masters. Examples can include routers,
gateways, switches, access points, and modems.
D.3 Evident and Specific Cyber Security Problems
This section documents specific cyber security problems in the smart grid, as much as possible
by describing actual field cases that explain exactly the operational, system, and device issues.
The problems listed herein are intentionally not ordered or categorized in any particular way.
Designing algorithms and protocols that operate correctly and are free of undiscovered flaws is
difficult at best. There is general agreement in the security community that openly published and
time-tested algorithms and protocols are less likely to contain security flaws than secretly
developed ones because their publication enables scrutiny by the entire community. Limitations
to standards accessibility, in the form of purchase costs and restrictive licenses, may similarly
discourage inspection and review by parties without strong motivation and financial backing, and
may increase the risk that smart grid standards contain security vulnerabilities.
The above barrier to the evaluation and use of standards has been discussed at several stages during the process of developing the NIST Smart Grid Framework/Roadmap and remains on the agenda of NIST-related efforts. It is also addressed in the IEEE-USA National Energy Policy Recommendations and in the (forthcoming) background statement that accompanies those recommendations.
Factors contributing to the issue include:
• The various governance and funding models of the SDOs
• For international SDOs, the governance and funding models of their affiliated U.S. National Committees. For example, for IEC the national committees determine distribution policies within their countries.
• For some SDOs, the lack of provisions in their practices and funding models for standards of high public visibility and national importance.
• The general avoidance by the Federal government of a role in funding SDOs and their U.S. participants (as is often done by governments of other countries), even for standards of particular interest to the government.
• A legally murky situation regarding the public right to copies of standards that become integrated in some way into law or regulation.
Currently many substation IEDs have a notion of “role” but no notion of “user”. Passwords are
stored locally on the device and several different passwords allow different authorization levels.
These role passwords are shared amongst all users of the device with the role in question,
possibly including non-utility employees such as contractors and vendors. Furthermore, due to
the number of devices, these passwords are often the same across all devices in the utility, and
seldom changed.
The device may be accessed locally in the sense that the user is physically present in the
substation and accesses the IED from a front panel connection or wired network connection, or
possibly wireless. The device may also be accessed remotely over a low-speed (dialup) or high-
speed (network) connection from a different physical location.
Substations generally have some sort of connectivity to the control center that might be used to
distribute authentication information and collect audit logs, but this connectivity may be as slow
as 1200 baud. Performing an authentication protocol such as RADIUS or LDAP over this
connection is probably not desirable. Furthermore, reliance on central authentication servers is
unwise, since authentication should continue to apply for personnel accessing devices locally in
the substation when control center communications are down.
Strong authentication and authorization measures are preferable, and in cases where there is a documented exception to this due to legacy and computing-constrained devices, compensating controls should be given due consideration. For example, in many utility organizations very strong operational control and workflow prioritization is in place, such that all access to field equipment is scheduled, logged, and supervised. In the general sense, the operations department typically knows exactly who is at any given field location at all times. In addition, switchgear and/or other protective equipment generally have tamper detection on doors as well as connection logging and reporting, such that any unexpected or unauthorized access can be reported immediately over communications.
Access may be local through the optical port of a meter, or remote through the AMI
infrastructure, or remote through the HAN gateway.
Meters generally have some sort of connectivity to an AMI head end, but this connectivity may
be as slow as 1200 baud, or lower (e.g. some power line carrier devices have data rates measured
in millibaud). This connectivity cannot be assumed to be present in a maintenance scenario.
As utilities merge and service territories change, a utility will eventually end up with a collection of smart meters from different vendors. Meter to/from AMI head end authentication should be interoperable to ensure that authentication and authorization information need not be updated separately on different vendors' AMI systems.
There are existing cases of large deployed meter bases using the same symmetric key across all
meters, and even in different States. In order to share network services, adjacent utilities may
even share and deploy that key information throughout both utility AMI networks.
Compromising a meter in one network could compromise all meters and collectors in both
networks.
Due to the highly distributed nature of AMI, it is more likely that an AMI WAN link will be over a relatively low bandwidth medium such as cellular band wireless (e.g., EVDO, GPRS) or radio networks like FlexNet. The link layer security supported by these networks varies greatly. Later versions of WiMax can utilize EAP for authentication, but NIST SP800-127 provides a number of recommendations and cautions about WiMax authentication. With cellular protocols, the AirCards used by the collector modems are no different from the ones used for laptops. They connect to a wireless cloud typically shared by all local wireless users, with no point-to-point encryption and no restrictions on who in the wireless cloud can connect to the collector modem's interface. From the wireless network, connectivity to the head end system is usually over the Internet, sometimes (hopefully always) using a VPN connection. Given the proliferation of botnets, it is not far-fetched to imagine enough wireless users being compromised to launch a denial of service via a collector modem.
Regardless of the strength of any link layer security implemented by the communications service
provider, without end-to-end VPN security, the traffic remains accessible to insiders at the
service provider. This can permit legitimate access such as lawful intercept, but also can allow
unscrupulous insiders at the service provider access to the traffic.
Additionally, like the mesh wireless portion, cellular networks are subject to intentional and
unintentional interference and congestion. Cellular networks were significantly disrupted in
Manhattan during the 9/11 attacks by congestion and rendered mostly unusable to first
responders. Similar congestion events could disrupt utility communications relying on
commercial WAN links.
Smart grid devices that are deployed in the field, such as substation equipment, pole-top
equipment, smart meters and collectors, and in-home devices, are at risk of side channel attacks
due to their accessibility. Extraction of encryption keys by side channel attacks from smart grid
equipment could lead to compromise of usage information, personal information, passwords, etc.
Extraction of authentication keys by side channel attacks could allow an attacker to impersonate
smart grid devices and/or personnel, and potentially gain administrative access to smart grid
systems.
these settings can be changed remotely. One potential form of attack is to tamper with relay
settings and then attack in some other way. The tampered relay settings would then exacerbate
the consequences of the second attack.
A draft NERC white paper on identifying cyber-critical assets recognizes the need for protecting
the system by which device settings are determined and loaded to the field devices themselves.
This can include the configuration management process by which the settings are determined. It
should likely extend to ongoing surveillance of the settings to ensure that they remain the same
as intended in the configuration management process.
Security Protocols
Time affects multiple security protocols, especially the integrity of authentication schemes and other operations, if it is invalid or tampered with. For example, some protocols rely on time stamp information to protect against replay attacks, or on time-based revocation of access. Due care needs to be taken to ensure that time cannot be tampered with in any system, and that if it is, the tampering can be detected, responded to, and contained.
Synchrophasors
Synchrophasor measurement units are increasingly being deployed throughout the grid. A phasor is
a vector consisting of magnitude and angle. The angle is a relative quantity, and can be
interpreted only with respect to a time reference. A synchrophasor is a phasor that is calculated
from data samples using a standard time signal as the reference for the sampling process.
Initial deployments of synchrophasor measurement units use synchrophasors to measure the
current state of the power system more accurately than it can be determined through state
estimation. If the time references for enough synchrophasor measurements are incorrect, the
measured system state will be incorrect, and corrective actions based on this inaccurate
information could lead to grid destabilization.
Certificates
Certificates are typically used to bind an identity to a public key or keys, facilitating such
operations as digital signatures and data encryption. They are widely used on the internet, but
there are some potential problems associated with their use.
Absolute time matters for interpretation of validity periods in certificates. If the system time of a
device interpreting a certificate is incorrect, an expired certificate could be treated as valid or a
valid certificate rejected as expired. This could result in incorrect authentication or rejection of
users, incorrect establishment or rejection of VPN tunnels, etc. Kerberos (on which Windows
domain authentication is based) also depends critically on synchronized clocks.
For instance, some utilities operate in regulated labor environments. Contractual labor
agreements can impact labor costs if field personnel have to take on new or different tasks to
access, service, or manage security technology. This can mean a new class or grade of pay and
considerable training costs for a large part of the organization. In addition there are further
complexities introduced by personnel screening, clearance, and training requirements for
accessing cyber assets.
Another potential ramification of increased labor complexity due to security provisions can occur
if employees or subcontractors have financial incentive to bypass or circumvent the security
provisions. For example, if a subcontractor is paid by the number of devices serviced, anything
that slows down production, including both safety and security measures, directly affects the
bottom line of that subcontractor, giving rise to an unintended financial motivation to bypass
security or safety measures.
substation is extended to incorporate external components such as solar panels, wind turbines,
capacitor banks, etc. that are not located within the physical security perimeter of the substation,
this protection mechanism is no longer sufficient.
An attacker who gains physical access to an external component can then eavesdrop on the
communication bus, and obtain (or guess) MAC addresses of components inside the substation.
Indeed, the MAC addresses for many components are often physically printed or stamped on the
component. Once obtained, the attacker can fabricate packets that have the same MAC
addresses as other devices on the network. The attacker may therefore impersonate other devices,
re-route traffic from the proper destination to the attacker, and perform man-in-the-middle
attacks on protocols that are normally limited to the inside of the substation.
The patch, test, and deploy lifecycle is fundamentally different in the electrical sector. It can take a year or more (for good reason) to go through qualification of a patch or upgrade. Thus there are unique challenges to be addressed in how security upgrades to firmware need to be managed.
D.4.3 Authentication
Given the de-centralized nature of the grid, there is no centralized authentication. Authentication systems need to be able to operate in this massively distributed and locally autonomous environment. For example, substation equipment such as IEDs needs to have access controls that only allow authorized users to configure or operate it. However, the credential management of such systems cannot assume that a constant network connection to a central office exists for use in their authentication processes. There need to be secure authentication methods that allow for local autonomy when needed and yet can provide for revocation and attribution from a central authority as required. Equally important, any authentication process must securely support emergency operations and not become an impediment at a critical time.
as credit card processing, database applications, etc. may be completely inappropriate in such
settings and actually weaken security controls. IT groups will almost always be required for
proper installation of software and security systems on user PCs. However, for these unique
systems, administration of security assets, keys, passwords etc. that require heavy ongoing
dependence on IT resources may create much larger and unacceptable vulnerabilities.
In terms of personnel security, it may be worthwhile considering what is known as “two-person
integrity”, or TPI for short. TPI is a security measure to prevent single person access to key
management mechanisms. This comes from national security environments, but may have some
applicability to the smart grid. This is somewhat similar to safety and having at least two people
working in hazardous environments.
Another area of concern related to personnel issues has to do with not having a backup to
someone having a critical function - in other words, a person (actor) as a single point of failure
(SPOF).
D.4.10 Network and System Monitoring and Management for Power Equipment
Power equipment does not necessarily use common and open monitoring protocols and management systems. It often uses a fusion of proprietary or legacy protocols with their own security issues. There is a need for openly accessible information models and protocols that can be used over a large variety of transports and devices. There might even be a need for bridging power equipment into traditional IT monitoring systems for its cyber aspects. The management interfaces themselves must also be secure, as early lessons with SNMP have taught the networking community. Also, and very importantly, system monitoring and management will have to work within a context of massive scale, distribution, and often bandwidth-limited connections.
For instance, trusting a meter for usage readings is a necessary risk, and the impact of incorrect
readings is minimal (short of buffer and integer overruns). However, because physical
protections on a meter are nearly nonexistent, they should not be allowed to communicate
directly with highly critical systems, as in existing WiMAX deployments, where the meter
communicates directly with the head end, which may control a significant amount of load. An
attack on the meter may result in compromise of the head end.
Similarly, because most pole-top devices have very little physical protection, the level of trust for
those devices must be limited accordingly. An attacker could replace the firmware, or, in many
systems, simply place a malicious device between the pole-top device and the network
connection to the Utility network, since these are often designed as separate components with
RJ45 connectors. If the head end system for the pole-top devices places too much trust in them,
a successful attack on a pole-top device can be used as a stepping stone to attack the head end.
Trust management lays out several levels of trust, based on physical and logical access control and on the criticality of the system (i.e., we make most decisions based on how important the system is). In this type of trust management, we categorize each system in the Smart Grid not only by its own needs (AIC, etc.) but also by the trust we require of it and the limits we place on that trust, as mandated by our ability to control physical and logical access to it and our desire to do so (the criticality of the system). This will lead to a more robust system, where compromise of a less trusted component will not easily lead to compromise of more trusted components.
D.4.19 Entropy
Many devices do not have access to sufficient sources of entropy to serve as good sources of
randomness for cryptographic key generation and other cryptographic operations. This is a
fundamental issue and has impacts on the key management and provisioning system that must be
designed and operated in this case.
risk mitigation and decision process can sometimes be prohibitive for the deployment if the cost
outweighs the benefits of the deployment of the patch. Decision makers may choose to accept
the risk if the cost is too high compared to the impact.
The length of time to qualify a patch or firmware update, and lack of centralized and remote
patch/firmware management solutions contribute to higher costs associated with patch
management and firmware updates in the electricity sector. Upgrades to devices in the
electricity sector can take a year or more to qualify. The extensive regression testing is
extremely important to ensure that an upgrade to a device won’t negatively impact reliability, but
also adds cost. Once a patch or firmware update is qualified for deployment, asset owners
typically need to perform the upgrade at the physical location of the device due to a lack of tools
for centralized and remote patch/firmware management.
1. The extent to which roles and roles should be pre-defined in standards versus providing
the flexibility for individual entities to define their own. Is there a suitable default set of
roles that is applicable to the majority of the utility industry, but can be tailored to the
needs of a specific entity? Such roles might include:
• Auditors: Users with the ability to only read/verify the state of the devices (this may
include remote attestation).
• System dispatchers: Users who perform system operational functions in control
centers.
• Protection engineers: Users who determine and install/update settings of protective
relays and retrieve log information for analysis of disturbances.
• Substation maintainers: Users who maintain substation equipment and have access
requirements to related control equipment.
• Administrators: Users who can add, remove or modify the rights of other users.
• Security officers: Users who are able to change the security parameters of the device
(e.g. authorize firmware updates).
2. Management and usability of roles. How many distinct roles become administratively
unwieldy?
3. Policies need to be expressed in a manner that is implementable and relates to an entity’s
implemented roles. Regulators and entity governance need guidance on how to express
implementable policies.
4. Support for non-hierarchical roles. The best example is originator and checker (e.g., of
device settings). Any of a group of people can originate and check, but the same person
can't do both for the same item.
5. Approaches to expressing roles in a usable manner.
6. Support for emergency access that may need to bypass normal role assignment.
7. Which devices need to support RBAC? Which do not?
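Items 1, 4 and 6 above can be made concrete in code. The following is an added example written for this page, not text or code from NISTIR 7628: a small role-based access control model that uses the draft's role names, enforces the non-hierarchical originator/checker rule (any qualified person may originate or check a settings change, but not both for the same item), and provides logged emergency access that bypasses normal role assignment. The permission strings, the break-glass mechanism, the audit log and the user names are assumptions of the example.

```python
"""RBAC sketch with a dynamic separation-of-duty constraint and
emergency (break-glass) access. Added illustration, not NISTIR 7628
code; role names follow the draft, everything else is assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed static mapping of roles to permissions (the draft names the
# roles; the permission strings are this example's own).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "auditor": {"read_state", "verify_attestation"},
    "system_dispatcher": {"read_state", "operate"},
    "protection_engineer": {"read_state", "originate_setting",
                            "check_setting", "retrieve_logs"},
    "substation_maintainer": {"read_state", "maintain_equipment"},
    "administrator": {"manage_users"},
    "security_officer": {"change_security_parameters",
                         "authorize_firmware_update"},
}


@dataclass
class SettingChange:
    """A device-settings change that must be originated by one person
    and checked by a different one."""
    item_id: str
    originator: str
    checker: Optional[str] = None


@dataclass
class AccessControl:
    assignments: Dict[str, Set[str]]                   # user -> roles
    pending: Dict[str, SettingChange] = field(default_factory=dict)
    emergency: Set[str] = field(default_factory=set)   # break-glass grants
    audit_log: List[str] = field(default_factory=list)

    def permitted(self, user: str, action: str) -> bool:
        """Normal RBAC check; an emergency grant bypasses role assignment,
        but every use of it is written to the audit log for review."""
        if user in self.emergency:
            self.audit_log.append(f"EMERGENCY {user} {action}")
            return True
        roles = self.assignments.get(user, set())
        return any(action in ROLE_PERMISSIONS.get(r, set()) for r in roles)

    def grant_emergency(self, user: str, reason: str) -> None:
        self.emergency.add(user)
        self.audit_log.append(f"BREAK-GLASS {user}: {reason}")

    def originate(self, user: str, item_id: str) -> bool:
        if not self.permitted(user, "originate_setting"):
            return False
        self.pending[item_id] = SettingChange(item_id, user)
        self.audit_log.append(f"ORIGINATE {user} {item_id}")
        return True

    def check(self, user: str, item_id: str) -> bool:
        """Dynamic separation of duty: any qualified user may check, but
        never the person who originated the same item."""
        if not self.permitted(user, "check_setting"):
            return False
        change = self.pending.get(item_id)
        if change is None or change.checker is not None:
            return False
        if change.originator == user:
            self.audit_log.append(f"DENY {user} check {item_id}: same person")
            return False
        change.checker = user
        self.audit_log.append(f"CHECK {user} {item_id}")
        return True


def demo() -> AccessControl:
    """Constructed scenario: two protection engineers and one auditor."""
    ac = AccessControl(assignments={
        "alice": {"protection_engineer"},
        "bob": {"protection_engineer"},
        "carol": {"auditor"},
    })
    ac.originate("alice", "relay-51-pickup")
    ac.check("alice", "relay-51-pickup")   # denied: alice originated it
    ac.check("bob", "relay-51-pickup")     # accepted: different person
    return ac
```

The separation-of-duty rule is evaluated per item at check time rather than by making "originator" and "checker" mutually exclusive roles, which is what makes the constraint non-hierarchical: the same user is allowed to originate one change and check another.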
Any risk management framework would be well served to address this issue by:
• Building a model that takes the nature of the network, its physical environment, and its
architecture into account (e.g. is it private or public, is critical infrastructure sufficiently
segmented away from general IT networks, is there physical protection/boundaries, etc.)
• Assigning criticality and impact levels to smart grid functions/applications (e.g. retrieval
of metering data is not as critical as control commands)
• Identifying countermeasure systems (e.g. firewalls, IDS/IPS, SEM, Encrypted links &
data, etc.) and assigning mitigating levels as well as which smart grid functions they can
reasonably be applied to and how.
The end goal for the model should be to make the best security practices self-evident through a
final quantitative metric without giving a specific prohibition.
Regulations such as FERC 889 establish “Standards of Conduct” that prohibit market
participants from having certain information on the operational state of the grid as known to grid
control centers. In the Smart Grid, future regulations could possibly extend this concept to
information outside the bulk power domain. Traffic analysis could enable an eavesdropper to
gain information prohibited by such regulations. In addition, even if operational information
were encrypted, traffic analysis could provide an attacker with enough information on the
operational situation to enable more sophisticated timing of physical or cyber attacks.
Recently there have been efforts by region, state, and regulatory entities to create purchasing
requirements. If not carefully coordinated, these efforts could have similar harmful effects.
With regard to cyber security requirements, if security requirements are subject to interpretation,
customers will each use their own preferences to specify features that will re-create the problem
of the SCADA protocols. For the smart grid, this would be a serious problem, since the time and
effort necessary to analyze, negotiate, implement, test, release and maintain a collection of
customer-specific implementations will greatly delay deployment of the smart grid.
Specifically, with regard to the smart grid, recent procurements have shown little consistency,
each calling out different requirements. This can have an adverse effect on both interoperability
and security.
Cyber security governance for the electric grid as a whole requires strategic direction and
impetus. It requires commitment, resources and assignment of responsibility for cyber and
information security management, as well as a means for the Board to determine that its intent
has been met for the electric grid as part of the critical infrastructure of the United States.
Experience has shown that effectiveness of cyber security governance is dependent on the
involvement of senior management in approving policy, and appropriate monitoring and metrics
coupled with reporting and trend analysis regarding threats and vulnerabilities to the electric
grid.
Members of the Board need to be aware of the utility's information assets and their criticality to
ongoing business operations of the electric grid. This can be accomplished by periodically
providing the board with the high-level results of comprehensive risk assessments and business
impact analysis. It may also be accomplished by business dependency assessments of
information resources. A result of these activities should include Board Members
validating/ratifying the key assets they want protected and confirming that protection levels and
priorities are appropriate to a recognized standard of due care.
The tone at the top (top-down management) must be conducive to effective security governance.
It is unreasonable to expect lower-level personnel to abide by security policies if senior
management does not. Visible and periodic board member endorsement of intrinsic security
policies provides the basis for ensuring that security expectations are met at all levels of the
enterprise and electric grid. Penalties for non-compliance must be defined, communicated and
enforced from the board level down.
Utility Executives
Implementing effective cyber security governance and defining the strategic security objectives
of the utility are complex, arduous tasks. They require leadership and ongoing support from
executive management to succeed. Developing an effective cyber security strategy requires
integration with and cooperation of business unit managers and process owners. A successful
outcome is the alignment of cyber security activities in support of the utility's objectives. The
extent to which this is achieved will determine the effectiveness of the cyber security program in
meeting the desired objective of providing a predictable, defined level of management assurance
for business processes and an acceptable level of impact from adverse events.
An example of this is the foundation for the U.S. federal government's cyber security, which
requires assigning clear and unambiguous authority and responsibility for security, holding
officials accountable for fulfilling those responsibilities, and integrating security requirements
into budget and capital planning processes.
A Steering Committee serves as an effective communication channel for Management's aims and
directions and provides an ongoing basis for ensuring alignment of the security program with
the utility's organizational objectives. It is also instrumental in achieving behavior change toward
a culture that promotes good security practices and policy compliance.
Failure to recognize this and implement appropriate governance structures can result in Senior
Management being unaware of this responsibility and the attendant liability. It usually results in
a lack of effective alignment of security activities with organizational objectives of the utility.
Increasingly, prudent and proactive management is elevating the position of Information Security
Officer to a C-level or Executive Position as utilities begin to understand their dependence on
information and the growing threats to it. Ensuring that the position exists, and assigning it the
responsibility, authority and required resources, demonstrates Management's and Board of
Directors' awareness of and commitment to sound cyber security governance.
Computational Constraints
Some smart grid devices, particularly residential meters and in-home devices, may be
constrained in computational power. These constraints may make public key cryptography or
even any cryptography at all infeasible. Note, however, that the recent generations of most
vendors' smart meters support symmetric encryption, and at least one supports public key
cryptography (ECC).
Channel Bandwidth
The Smart Grid will involve communication over a variety of channels with varying bandwidths.
Encryption alone does not generally impact channel bandwidth, since symmetric ciphers such as
AES produce roughly the same number of output bits as input bits, except for rounding up to the
cipher block size. However, encryption negatively influences lower layer compression
algorithms since encrypted data is uniformly random and therefore not compressible. For
compression to be effective, compression must be performed before encryption, and this must be
taken into account in designing the network stack.
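The bandwidth point above can be checked directly. The following is an added example written for this page (not code from NISTIR 7628): it compresses a constructed block of meter telemetry before and after encryption and compares the sizes. To keep the example free of third-party libraries, the cipher is a SHA-256 counter-mode keystream XORed with the data, which is a stand-in for a real stream cipher such as AES-CTR and has the same two properties the text relies on, namely ciphertext length equal to plaintext length and ciphertext that looks uniformly random to a compressor. The key, nonce and sample data are constructed.

```python
"""Compress-then-encrypt versus encrypt-then-compress. Added
illustration, not NISTIR 7628 code; the SHA-256 keystream stands in
for a real stream cipher and the telemetry sample is constructed."""
import hashlib
import zlib
from typing import Dict


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic pseudorandom bytes from SHA-256 in counter mode
    (stand-in for AES-CTR so the example needs only the stdlib)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream: output is exactly as long as the input.
    The same call decrypts, because XOR is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def compress_then_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return encrypt(key, nonce, zlib.compress(data, 9))


def encrypt_then_compress(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return zlib.compress(encrypt(key, nonce, data), 9)


def decrypt_then_decompress(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    return zlib.decompress(encrypt(key, nonce, blob))


# Constructed, highly repetitive telemetry of the kind a low-bandwidth
# link might carry: 200 status lines with small numeric variation.
SAMPLE = b"".join(
    b"meter=%06d status=OK voltage=%05.1f current=%04.1f\n"
    % (i, 120.0 + (i % 5) / 10, 5 + (i % 3))
    for i in range(200)
)


def sizes(key: bytes = b"constructed-demo-key",
          nonce: bytes = b"nonce-01") -> Dict[str, int]:
    """Byte counts for each ordering of the two operations."""
    return {
        "plain": len(SAMPLE),
        "encrypt_only": len(encrypt(key, nonce, SAMPLE)),
        "compress_then_encrypt": len(compress_then_encrypt(key, nonce, SAMPLE)),
        "encrypt_then_compress": len(encrypt_then_compress(key, nonce, SAMPLE)),
    }


if __name__ == "__main__":
    for name, n in sizes().items():
        print(f"{name:>24}: {n} bytes")
```

Encrypting first makes zlib fall back to stored (uncompressed) blocks, so the "compressed" ciphertext is slightly larger than the plaintext; compressing first shrinks the payload well below half its size. Note the usual caveat for a protocol stack: compressing secret data together with attacker-influenced data before encryption can leak information through the resulting length, so the decision of what goes into one compression context is itself a security design choice.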
Low bandwidth channels may be too slow to exchange large certificates frequently. If the initial
certificate exchange is not time critical and is used to establish a shared symmetric key(s) that is
used for an extended period of time, as with IKE, certificate exchange can be practical over even
slow channels. However, if the certificate-based key-establishment exchange is time critical,
protocols such as IKE that exchange multiple messages before arriving at a pre-shared key may
be too expensive, even if the size of the certificate is minimal.
Distribution of certificates on the internet is typically done via public key infrastructure (PKI),
and relies on chains of certificates to validate individual end certificates. Adapting such an
infrastructure to computationally and bandwidth constrained devices is a non-trivial problem,
and certificates are often 2K in size. A typical web browser (e.g. Firefox 3.0.14) ships with 140
built-in certificates. Because this may represent 100K or more, it also may present a storage
challenge for some classes of non-computer devices.
Connectivity
Standard PKI systems based on a peer-to-peer key establishment model where any peer may
need to communicate with any other may not be necessary or desirable from a security
standpoint for components in the smart grid. Many devices may not have connectivity to key
servers, certificate authorities, OCSP servers, etc.
Many connections between smart grid devices will have much longer durations (often
permanent) than typical connections on the Internet.
Certificate Lifecycles
Background
Certificates are issued with a validity period. The validity period is defined in the X.509
certificate with two fields called “notBefore” and “notAfter”. The notAfter field is often referred
to as the expiration date. As will be shown below, it is important to only consider certificates as
valid if they are being used during the validity period.
If it is determined that a certificate has been issued to an entity that is no longer trustworthy (for
example the cert was issued to a device that was lost or stolen or sent to a repair depot), the
certificate can be revoked. Certificate revocation lists (CRLs) are used to store the certificate
serial number and revocation date for all revoked certificates. An entity that acts in reliance on a
certificate is called a relying party (RP). To determine if the RP can accept the certificate, the
RP needs to check, at a minimum, the following:
1. The certificate was issued by a trusted CA (This may require the device to
provide, or the RP to obtain, a chain of certificates back to the RP’s trust anchor.)
2. The certificates being validated (including any necessary chain back to the RP’s
trust anchor) are being used between the notBefore and notAfter dates.
3. The certificates are not in an authoritative Certificate Revocation List (CRL).
4. Other steps may be required depending on the RP’s local policy, such as verifying
that the distinguished name of the certificate subject, or the certificate policy
fields are appropriate for the given application for which the certificate is being
used.
For the purposes of this section we will focus primarily on steps 2 and 3.
Administrators must balance issuing certificates with short validity periods (more operational
overhead, but more manageably sized CRLs) against issuing certificates with longer validity
periods (lower operational overhead, but potentially unwieldy, large CRLs).
When certificates are issued to employees whose employment status or level of responsibility
may change every few years, it would be appropriate to issue certificates with relatively short
lifetimes such as a year or two. In this way, if an employee’s status changes, and it becomes
necessary to revoke his/her certificate, then this certificate would only need to be maintained on
the CRL until the certificate’s expiration date. In this way (by issuing relatively short lived
certificates), the CRLs can be kept to a reasonable size.
When certificates are issued to devices that are expected to last for many years or even decades,
and these devices are housed in a secure environment, it may not be necessary to issue certificate
with such short validity periods, as the likelihood of ever needing to revoke a certificate is low.
Therefore the CRLs would not be expected to be very large. The natural question arises, when a
smart grid RP receives a certificate from an entity (person or device) and the certificate is
expired, should the RP accept the certificate and authenticate the entity, or should the RP reject
the certificate? What if rejecting the certificate will cause a major system malfunction?
First let’s consider that smart grid devices will be deployed with the intent to keep them
operational for many years (probably in the neighborhood of 20 to 30 years). Therefore, we
would not expect to be replacing these devices very often. Of course there will be unplanned
defects that will cause devices to be replaced from time to time. These devices will need to go
on the CRL when they are removed from service, unless their keys can be guaranteed to be
securely destroyed. Because we do not want CRLs to grow without limit, it would be prudent to
issue device certificates with an appropriate lifetime. For devices expected to last 20 years with
a low MTBF which are housed in secure facilities, a 10 year certificate may be appropriate.
This means that a device installed in the system (with a certificate), which subsequently fails,
may need to be on a CRL for up to ten years.
If a good device never gets a new certificate before its certificate expires, the device will not be
able to communicate in the system. To avoid this, the device could be provisioned to “renew” its
certificate quite some time before its current certificate expires. For example, the device may be
provisioned to renew its certificate a year before its current certificate expires. If the renewal
attempt failed for any reason, the device would have a whole year to retry and obtain a new
certificate. It is therefore easy to see that probability of a critical device not being able to
participate in the system because of an expired certificate can be made as low as desirable by
provisioning the device to renew its certificate with sufficient “lead time”.
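The relying-party checks listed earlier (steps 2 and 3: validity window and CRL membership) and the renewal lead-time rule just described fit naturally into one piece of code. The following is an added example written for this page, not code from NISTIR 7628. The Certificate record is a deliberate simplification of an X.509 certificate (serial, names and the notBefore/notAfter pair only), the trust check compares the issuer name against a trust-anchor set instead of building a chain, and the ten-year device certificate, its dates and its serial number are constructed.

```python
"""Validity-period and CRL checks for an RP, plus the renewal lead-time
rule for long-lived device certificates. Added illustration, not
NISTIR 7628 code; the certificate model and all dates are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import FrozenSet, Set


@dataclass(frozen=True)
class Certificate:
    """Simplified stand-in for an X.509 certificate (assumption)."""
    serial: int
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


class Status(Enum):
    VALID = "valid"
    UNTRUSTED_ISSUER = "untrusted-issuer"
    NOT_YET_VALID = "not-yet-valid"
    EXPIRED = "expired"
    REVOKED = "revoked"


def certificate_status(cert: Certificate, trusted_issuers: FrozenSet[str],
                       crl_serials: Set[int], now: datetime) -> Status:
    """Checks in the order the draft lists them: trusted issuer (name
    match only here; a real RP builds a chain), validity window, CRL."""
    if cert.issuer not in trusted_issuers:
        return Status.UNTRUSTED_ISSUER
    if now < cert.not_before:
        return Status.NOT_YET_VALID
    if now > cert.not_after:
        return Status.EXPIRED
    if cert.serial in crl_serials:
        return Status.REVOKED
    return Status.VALID


def renewal_due(cert: Certificate, now: datetime, lead_time: timedelta) -> bool:
    """True once 'now' is within lead_time of notAfter, so the device
    starts renewing while its current certificate still works."""
    return now >= cert.not_after - lead_time


def crl_retention_days(cert: Certificate, revoked_on: datetime) -> int:
    """How long a revoked serial must stay on the CRL: until the
    certificate would have expired on its own."""
    return max(0, (cert.not_after - revoked_on).days)


UTC = timezone.utc

# Constructed 10-year certificate for a relay housed in a secure facility.
DEVICE_CERT = Certificate(
    serial=3456,
    subject="CN=relay-substation-7",
    issuer="CN=Utility Device CA",
    not_before=datetime(2020, 1, 1, tzinfo=UTC),
    not_after=datetime(2030, 1, 1, tzinfo=UTC),
)
TRUSTED_ISSUERS = frozenset({"CN=Utility Device CA"})
RENEWAL_LEAD_TIME = timedelta(days=365)   # one year of retry budget

if __name__ == "__main__":
    today = datetime(2029, 2, 1, tzinfo=UTC)
    print(certificate_status(DEVICE_CERT, TRUSTED_ISSUERS, set(), today).value)
    print("renewal due:", renewal_due(DEVICE_CERT, today, RENEWAL_LEAD_TIME))
```

The status checks require a trustworthy clock on the RP, which the draft raises separately as an open issue; a device whose clock has drifted years into the future will report every certificate as expired.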
It is worth mentioning that because of the size and scale of the smart grid, other techniques may
be needed to keep CRLs from growing excessively. These would include partitioning of CRLs
into a number of smaller CRLs by “scoping” CRLs based on specific parameters, such as the
devices’ location in the network, the type of device, or the year in which the certificate was
issued. Methods supporting such partitioning are documented in RFC 5280. Clearly with a
system as large as the smart grid, multiple methods of limiting the size of CRLs will be required,
but only with the use of reasonable expiration dates can CRLs be kept from growing without
limit.
These methods should not be confused with techniques such as Delta CRLs, which allow CRLs
to be fragmented into multiple files, or the use of the Online Certificate Status Protocol (OCSP),
which allows an RP or certificate subject to obtain the certificate status for a single certificate
from a certificate status server. These methods are useful for facilitating efficient use of
bandwidth; however, they do nothing to keep the size of the CRLs reasonable.
is validating. This problem can be mitigated in a number of ways. CRLs can be cached and
used by RPs for lengthy periods of time, depending on local policy. CRLs can be scoped to
small, geographically close groups of entities, such as all devices in a substation and all entities that the
substation may need to communicate with. These CRLs can then be stored in the substation to
enhance their accessibility to all devices in the substation. One other alternative, which has the
potential of offering very high availability, is for each certificate subject to periodically obtain
its own signed certificate status and carry it with him/her. When authenticating with an RP, the
certificate subject provides not only its certificate but also its most recent certificate status. If
no other status source is available to the RP, and if the provided status is recent enough, the RP
may accept this status as valid. This technique, sometimes referred to as OCSP Stapling, is
supported by the common TLS protocol and is defined in RFC 4366. OCSP Stapling offers a
powerful high availability solution for determining a certificate’s status.
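The RP-side decision just described (prefer a live status source; otherwise accept the subject's own carried status only if it verifies, matches the certificate and is recent enough) is shown below as an added example written for this page, not code from NISTIR 7628. The token format, the freshness window and the use of an HMAC as a stand-in for the status server's signature (a real deployment would verify an OCSP response signed by the responder's key) are assumptions of the example; serials, dates and the key are constructed.

```python
"""RP acceptance rule for a stapled certificate status. Added
illustration, not NISTIR 7628 code; the token format and the HMAC
(standing in for the responder's signature) are assumptions."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

STATUS_SERVER_KEY = b"constructed-status-server-key"   # constructed


def issue_status(serial: int, status: str, issued_at: datetime,
                 key: bytes = STATUS_SERVER_KEY) -> bytes:
    """Status server: a compact, authenticated statement about one
    certificate that the subject can carry and present later."""
    body = json.dumps(
        {"serial": serial, "status": status, "issued_at": issued_at.isoformat()},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def decide_status(token: bytes, expected_serial: int, now: datetime,
                  max_age: timedelta, online_status: Optional[str] = None,
                  key: bytes = STATUS_SERVER_KEY) -> str:
    """RP: a live answer from a CRL/OCSP source always wins. Without one,
    the stapled token is used only if its authenticator verifies, it
    refers to this certificate, and it is no older than max_age."""
    if online_status is not None:
        return "online:" + online_status
    body, sep, tag = token.rpartition(b".")
    if not sep:
        return "reject:malformed"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return "reject:bad-signature"
    data = json.loads(body)
    if data["serial"] != expected_serial:
        return "reject:wrong-serial"
    age = now - datetime.fromisoformat(data["issued_at"])
    if age < timedelta(0) or age > max_age:
        return "reject:stale"
    return "stapled:" + data["status"]


if __name__ == "__main__":
    utc = timezone.utc
    issued = datetime(2025, 1, 1, tzinfo=utc)
    token = issue_status(3456, "good", issued)
    print(decide_status(token, 3456, issued + timedelta(days=2), timedelta(days=7)))
    print(decide_status(token, 3456, issued + timedelta(days=10), timedelta(days=7)))
```

The freshness window is the whole security argument here: a revoked device can keep presenting a "good" status it obtained before revocation, so max_age bounds how long such a stale statement remains usable and should be set by local policy together with the CRL caching period.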
standard E2212 - 02a “Standard Practice for Healthcare Certificate Policy”. At one
extreme, this standard set of policies would define all possible roles for certificate
subjects, it would define all categories of devices, and it would define specific
requirements on the PKI participants for each supported assurance level. Further, such
standards could include accreditation criteria for Smart Grid PKI service providers.
• Additional thought needs to go into determining what exactly should be authenticated
between Smart Grid components. One could argue that not only is the identity of a
component important, but also its authorization status, and its tamper status. The
authorization status can be determined by roles, policies, or other attributes included in a
certificate. However to determine a device’s tamper status, the device will need to
incorporate methods such as high assurance boot, secure software management, and local
tamper detection via FIPS 140 mechanisms. Further the device will need to perform
remote device attestation techniques to prove to others that the device has not been
tampered with.
• Some certificate subjects should have secure hardware for storing private keys and trust
anchor certificates. Due to the advent of the Smart Card market, such secure chips have
become very affordable.
• RPs should have access to a reasonably accurate, trustworthy source of time, to determine
if a certificate is being used within its validity period.
• Further consideration should go into determining appropriate certificate lifetimes.
CRL Alternatives
There are two alternatives to a full-blown CRL; they are CRL partitions and OCSP. A CRL
partition is simply a subset of a CRL; implementations exist that have partition tables with the
status of as few as 100 certificates listed in them. For example, if a device needs to validate
certificate number 3456, it would send a partition request to the domain CA, and the CA would
send back a partition that addresses certificates 3400-3499. The device can use it to validate
whether the partner (or any other certificate in that range) has been revoked. Seeing that infrastructures
are typically fixed, it is probable that a device will only interact with 1-20 other devices over its
entire lifetime. So requesting and storing one to twenty ~1KB partition files is feasible compared
to requesting and storing an “infinitely-long” CRL.
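The partition lookup described above, with the CA on one side and a fielded device's cache on the other, as an added example written for this page (not code from NISTIR 7628). The partition size of 100 follows the text's numbers; the in-memory CA, the cache, the revoked serial numbers and the absence of partition signing and update timestamps are simplifications of the example.

```python
"""CRL partitions: the CA serves the slice covering a requested serial,
the device caches the few slices it needs. Added illustration, not
NISTIR 7628 code; revoked serials and partition size are constructed."""
from typing import Dict, List, Set, Tuple

PARTITION_SIZE = 100   # the draft's example: 3456 maps to 3400-3499


def partition_range(serial: int, size: int = PARTITION_SIZE) -> Tuple[int, int]:
    """Inclusive serial-number range of the partition containing serial."""
    low = serial - serial % size
    return low, low + size - 1


class PartitionedCRL:
    """CA side: holds the full revocation set and answers partition
    requests with only the revoked serials inside the requested range."""

    def __init__(self, revoked: Set[int]) -> None:
        self.revoked = set(revoked)

    def partition(self, serial: int) -> Dict[str, object]:
        low, high = partition_range(serial)
        return {
            "range": (low, high),
            "revoked": sorted(s for s in self.revoked if low <= s <= high),
        }


class DeviceRevocationCache:
    """Device side: fetches a partition on first use and reuses it for
    every later check in the same range, so a device that only ever
    talks to a handful of peers holds a handful of small files."""

    def __init__(self, ca: PartitionedCRL) -> None:
        self.ca = ca
        self.cache: Dict[Tuple[int, int], List[int]] = {}
        self.fetches = 0

    def is_revoked(self, serial: int) -> bool:
        key = partition_range(serial)
        if key not in self.cache:
            self.cache[key] = list(self.ca.partition(serial)["revoked"])
            self.fetches += 1
        return serial in self.cache[key]


if __name__ == "__main__":
    ca = PartitionedCRL(revoked={3421, 7800})
    device = DeviceRevocationCache(ca)
    print(partition_range(3456))            # (3400, 3499)
    print(device.is_revoked(3456), device.is_revoked(3421), device.fetches)
```

A real partition, like a full CRL, carries an issuance time and a next-update time and is signed by the CA; the cache above would need to honour the next-update time and re-fetch, since a cached partition that is never refreshed cannot learn about a revocation that happened after it was fetched.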
The other alternative is OCSP (Online Certificate Status Protocol) which, as the name implies, is
an online, real-time service. OCSP is space optimal as it only stores valid certificates;
there is no issue of an infinitely-long CRL; the OCSP repository is only as long as the number of
valid certificates in the domain. Also OCSP has the added benefit of a real-time, positive
validation of a certificate. With OCSP, when a device needs to validate a potential partner, it
simply sends a validation request to the OCSP Responder, which simply sends back an “OK” or
“BAD”. This approach requires no storage on the fielded device, but it does require the
communications link to be active.
utility technicians may need to authenticate to devices in substations to restore power, and must
be able to do so even if connectivity to the control center is unavailable. Authentication and
authorization services must be able to operate in a locally autonomous manner at the substation.
Availability
Availability for some (but not all) smart grid systems can be more important than security.
Dropping or refusing to re-establish connections due to key or certificate expiration may
interrupt critical communications.
Trust Roots
A typical web browser ships with a large number of built-in certificates (e.g. Firefox 3.0.14 ships
with 140). It may not be appropriate for all of the Certificate Authorities that issue these
certificates to be trust roots for smart grid systems. On the other hand, with third party data
services (like Google PowerMeter) and load management services, it may not be appropriate for
the utility to be the sole root of trust.
Additionally, there is a question about who issues certificates and how the system can assure that
the claimed identity actually matches the certificate. The common method for internet use is that
there are top-level (root) certificates that are the basis of all trust. This trust may be extended to
secondary certificate issuing organizations, but there is a question about how a root organization
becomes a root organization, how they verify the identity for those requiring certificates, and
even what identity actually means for a device.
The general concern is that these additional techniques should have received a level of scrutiny
and analysis commensurate with the standards development process of FIPS and the recommended
practices of NIST. At a minimum, a technique outside of this family of techniques should be (1)
defined in a publicly available forum, (2) published to a community of cryptographers for review
and comment for a reasonable duration, and (3) in, or under development in, a standard by
a recognized standards development organization (SDO). In addition, a case should be made for
its use along the lines of resource constraints, the unique nature of an application, or new security
capabilities not afforded by the FIPS-approved and NIST-recommended techniques.
3) To what degree can the NSA license be applied to the Smart Grid?
4) What are the licensing terms of this technology outside the NSA sublicense?
These industry issues have resulted in:
1) Technology vendors deploying ECC schemes based on divergent standardization efforts
or proprietary specifications that are thwarting interoperability.
2) Technology vendors are avoiding deployment of the standardized techniques thwarting
adoption and availability of commercial products.
3) New standardization efforts creating interoperability issues.
It is also worth noting that ECC implementation strategies based on the fundamental algorithms
of ECC, which were published prior to the filing dates of many of the patents in this area, are
identified and described in:
http://tools.ietf.org/html/draft-mcgrew-fundamental-ecc-01.txt
IPR statements and FAQ covering pricing have been made concerning some commercial use of
patented ECC technology:
http://www.certicom.com/images/pdfs/certicom%20-ipr-contribution-to-ietfsept08.pdf
http://www.certicom.com/images/pdfs/certicom%20zigbee%20smart%20energy%20faq_30_mar_2009.pdf
However these have not been comprehensive enough to cover the envisioned scenarios that arise
in the Smart Grid. Interoperability efforts, where a small set of core cryptographic techniques
are standardized, like NSA’s Cryptographic Interoperability Strategy, have been highly effective
in building out multi-vendor infrastructures that span numerous standards development
organizations’ specifications.
Federal support and action that specifies and makes available technology for the Smart Energy
infrastructure, similar to the Suite B support for National Security, would remove many of these
issues for the Smart Grid.
Biometrics
TBD next version
Incompatible password complexity requirements can make reuse of a password across two
different systems impossible. This can improve security since compromise of the password from
one system will not result in compromise of password of the other system. Incompatible
password complexity requirements might be desirable to force users to choose different
passwords for systems with different security levels, e.g., corporate desktop vs. control system.
However, forcing users to use too many different passwords can cause higher rates of forgotten
passwords and lead users to write passwords down, thereby reducing security. Due to the large
number of systems that utility engineers may need access to, reuse of passwords across multiple
systems may be necessary. Incompatible password complexity requirements can also cause
interoperability problems and make centralized management of passwords for different systems
impossible. NIST SP800-63 contains some guidance on measuring password strength and
recommendations for minimum password strengths.
D.5.3 Authentication
The initial release of the NERC CIP standards did not require strong authentication. In accepting
that version of the standards, FERC Order 706 requested NERC to incorporate strong
authentication into a future version of the standards.
During the drafting of IEEE-1686, the IEEE Standard for Substation Intelligent Electronic
Devices (IEDs) Cyber Security Capabilities, an effort was made to incorporate strong
authentication. The best source of information on strong authentication was found to be NIST
SP 800-63, but the format of that document was found unsuitable as a normative reference for an
IEEE standard. However, the technical material in NIST SP 800-63 provides some useful
advantages for the following reasons:
• The NERC CIP standards are moving from a concept of critical and non-critical assets to
three levels of impact: High, Medium, Low
Currently EAP-TLS [RFC5216] and EAP-GPSK [RFC5433] are the IETF Standard Track EAP
methods generating key material and supporting mutual authentication. EAP can also be used to
provide a key hierarchy to allow confidentiality and integrity protection to be applied to link
layer frames.
IEEE 802.1X [802.1X] provides port access control and transports EAP over Ethernet and
Wi-Fi. In WiMAX, PKMv2 (Privacy Key Management version 2) in IEEE 802.16e [802.16e]
transports EAP. PANA (Protocol for carrying Authentication for Network Access) [RFC5191]
transports EAP over UDP/IP. TNC (Trusted Network Connect) [TNC] is an open architecture that
enables network operators to enforce policies regarding endpoint integrity using the above-
mentioned link-layer technologies. There are also ongoing efforts in the ZigBee Alliance [ZigBee]
to define a network access authentication mechanism for ZigBee Smart Energy 2.0.
In a large-scale deployment, EAP is typically used in pass-through mode, where an EAP server is
separated from the EAP authenticators and an AAA (Authentication, Authorization and Accounting)
protocol such as RADIUS [RFC2865] is used by a pass-through EAP authenticator to
forward EAP messages back and forth between an EAP peer and the EAP server. The pass-
through authenticator mode introduces three-party key management, and a set of security
considerations, the so-called EAP key management framework [RFC5247], has been developed for it. If an
AMI network makes use of EAP for enabling confidentiality and integrity protection at the link
layer, it is expected to follow the EAP key management framework.
REFERENCES
[RFC3748] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson and H. Levkowetz, "Extensible
Authentication Protocol (EAP)", RFC 3748, http://www.ietf.org/rfc/rfc3748.txt, June 2004.
[RFC5216] D. Simon, B. Aboba and R. Hurst, "The EAP-TLS Authentication Protocol", RFC
5216, http://www.ietf.org/rfc/rfc5216.txt, March 2008.
[802.1X] IEEE Standard for Local and Metropolitan Area Networks: Port-Based Network Access
Control, IEEE Std 802.1X-2004, December 2004.
[802.16e] IEEE Standard for Local and Metropolitan Area Networks, Part 16: Air Interface for
Fixed and Mobile Broadband Wireless Access Systems, Amendment 2: Physical and Medium
Access Control Layers for Combined Fixed and Mobile Operation in Licensed Bands, and
Corrigendum 1, IEEE Std 802.16e-2005 and IEEE Std 802.16-2004/Cor1-2005, February
2006.
[RFC5191] D. Forsberg, Y. Ohba, B. Patil, H. Tschofenig and A. Yegin, "Protocol for Carrying
Authentication for Network Access (PANA)", RFC 5191, http://www.ietf.org/rfc/rfc5191.txt, May 2008.
[TNC] Trusted Computing Group, Trusted Network Connect,
http://www.trustedcomputinggroup.org/developers/trusted_network_connect
[ZigBee] ZigBee Alliance, http://www.zigbee.org/
[RFC2865] C. Rigney, S. Willens, A. Rubens and W. Simpson, "Remote Authentication Dial In User
Service (RADIUS)", RFC 2865, http://www.ietf.org/rfc/rfc2865.txt, June 2000.
[RFC5247] B. Aboba, D. Simon and P. Eronen, "Extensible Authentication Protocol (EAP) Key
Management Framework", RFC 5247, http://www.ietf.org/rfc/rfc5247.txt, August 2008.
[LiuNing] Donggang Liu and Peng Ning, "Establishing Pairwise Keys in Distributed Sensor
Networks", in Proceedings of the 10th ACM Conference on Computer and Communications
Security (CCS '03), pages 52–61, Washington, D.C., October 2003.
[IOActive] Katie Fehrenbacher, "Smart Meter Worm Could Spread Like a Virus",
http://earth2tech.com/2009/07/31/smart-meter-worm-could-spread-like-a-virus/.
APPENDIX E
STATE LAWS – SMART GRID AND ELECTRICITY DELIVERY
REGULATIONS
This is a non-exhaustive list of State laws and regulations associated with the electric sector. It is
hoped that this list will provide a good starting point for those looking for laws applicable in
particular states.
http://www.legislature.state.al.us/CodeofAlabama/1975/coatoc.htm
Alaska: No information at this time.
Arizona: 42-5063, Definition of Utility - Providing to retail electric customers ancillary
services, electric distribution services, electric generation services, electric transmission
services and other services related to providing electricity.
E-1
Second Draft NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements – Feb 2010
Chapter 366
http://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute
&URL=Ch0366/titl0366.htm&StatuteYear=2009&Title=-%3E2009-
%3EChapter%20366
Hawaii http://www.capitol.hawaii.gov/site1/hrs/searchhrs.asp?query=public+utili
ty&currpage=1
66-1901-66-1903 http://www.kslegislature.org/legsrv-
statutes/statutesList.do
Kentucky Title 24 Public Utilities Generally http://www.lrc.ky.gov/KRS/278-
00/CHAPTER.HTM
APPENDIX F
GLOSSARY AND ACRONYMS
VVWS Volt-Var-Watt
WAMS Wide-Area Measurement System
WAN Wide Area Network
WASA Wide Area Situational Awareness
WLAN Wireless Local Area Network
WMS Work Management System
APPENDIX G
SGIP-CSWG MEMBERSHIP
This list is all participants in the Smart Grid Interoperability Panel–Cyber Security Working
Group (SGIP–CSWG), formerly the Cyber Security Coordination Task Group (CSCTG), and all
of the sub-groups.
Name Organization
1. Ackerman, Eric Edison Electric Institute
2. Akyol, Bora Pacific Northwest National Laboratory
3. Alexander, Roger Eka Systems, Inc.
4. Alrich, Tom ENCARI
5. Ambady, Balu Sensus
6. Anderson, Dwight Schweitzer Engineering Labs
7. Ascough, Jessica Harris Corporation
8. Bacik, Sandy Enernex
9. Grazdina, Baiba Duke Energy
10. Barclay, Steve ATIS
11. Barnes, Frank University of Colorado at Boulder
12. Barnett, Bruce GE Global Research
13. Barr, Michael L-3 Communications Nova Engineering
14. Bass, Len Software Engineering Institute, Carnegie Mellon University
15. Batz, David Edison Electric Institute
16. Bell, Ray Grid Net
17. Bell, Will Grid Net
18. Bender, Klaus Utilities Telecom Council
19. Benn, Jason Hawaiian Electric Company
20. Bennett, Bob Xcel Energy
21. Berkowitz, Don S&C Electric Company
22. Beroset, Ed Elster Group
23. Berrett, Dan E. DHS Standards Awareness Team (SAT)
24. Berrey, Adam General Catalyst Partners
25. Bhaskar, Mithun M. National Institute of Technology, Warangal
26. Biggs, Doug Infogard
27. Biggs, Les Infogard
28. Blomgren, Paul SafeNet Inc.
29. Bochman, Andy
30. Braendle, Markus ABB
31. Branco, Carlos Northeast Utilities
32. Brewer, Tanya NIST
33. Brigati, David NitroSecurity
34. Brown, Bobby EnerNex Corporation
35. Brozek, Mike Westar Energy, Inc.
36. Bucciero, Joe Buccerio Consulting
37. Burnham, Laurie Dartmouth College
38. Butterworth, Jim Guidance Software
39. Camilleri, John Green Energy Corp
40. Campagna, Matt Certicom Corp.
41. Cam-Winget, Nancy Cisco Systems, Inc.
42. Caprio, Daniel McKenna Long & Aldridge LLP
43. Cardenas, Alvaro A. Fujitsu
44. Carlson, Chris Puget Sound Energy
45. Carpenter, Matthew InGuardians
46. Chaney, Mike Securicon
47. Chasko, Stephen Landis+Gyr
48. Chow, Edward U of Colorado at Colorado Springs
49. Cioni, Mark V. MV Cioni Associates, Inc.
50. Clements, Sam Pacific Northwest National Laboratory
51. Cleveland, Frances Xanthus Consulting International
52. Cohen, Mike Mitre
53. Coney, Lillie Electronic Privacy Information Center
54. Coop, Mike heyCoop, LLC
55. Cornish, Kevin Enspiria
56. Cortes, Sarah Inman Technology IT
57. Cosio, George Florida Power and Light
58. Cragie, Robert Jennic LTD
59. Crane, Melissa Tennessee Valley Authority
60. Cui, Stephen Microchip Technology
61. Dagle, Jeff Pacific Northwest National Laboratory
62. Dalva, Dave Cisco Systems, Inc.
63. Danahy, Jack Bochman & Danahy Research
64. Dangler, Jack SAIC
65. De Petrillo, Nick Industrial Defender
66. di Sabato, Mark
67. Dillon, Terry APS
68. Dinges, Sharon Trane
69. Dion, Thomas Dept of Homeland Security
70. Dodson, Greg Dominion Resources Services, Inc.
71. Doreswamy, Rangan
72. Dorn, John Accenture
73. Downum, Wesley Telcordia
74. Dransfield, Michael National Security Agency
75. Drozinski, Timothy Florida Power & Light Company
76. Drummond, Rik Drummond Group
77. Dubrawsky, Ido Itron
78. Dupper, Jeff Ball Aerospace & Technologies
79. Duren, Michael Protected Computing
80. Dutta, Prosenjit Utilities AMI Practice
81. Earl, Frank Earl Consulting
82. Eastham, Bryant Panasonic Electric Works Laboratory of America (PEWLA)
83. Edgar, Tom Pacific Northwest National Laboratory
84. Eggers, Matthew U.S. Chamber of Commerce
85. Eigenhuis, Scott M Accenture
86. Emelko, Glenn ESCO
87. Engels, Mark Dominion Resources Services, Inc.
88. Ennis, Greg Wi-Fi Alliance
89. Enstrom, Mark NeuStar
90. Eraker, Liz Samuelson Clinic at UC Berkeley
91. Estefania, Maria ATIS
92. Eswarahally, Shrinath Infineon Technologies NA
93. Ewing, Chris Schweitzer Engineering Labs
94. Fabela, Ronnie Lockheed Martin
95. Faith, Doug MW Consulting
96. Faith, Nathan American Electric Power
97. Famolari, David Telcordia Technologies
98. Fennell, Kevin Landis+Gyr
99. Fisher, Jim Noblis
100. Fishman, Aryah Edison Electric Institute
101. Franz, Matthew SAIC
102. Fredebeil, Karlton Tennessee Valley Authority
103. Freund, Mark Pacific Gas and Electric Company
104. Fuloria, Shailendra Cambridge University
105. Gailey, Mike CSC
106. Garrard, Ken Aunigma Network Solutions Corp.
107. Gerber, Josh San Diego Gas and Electric
108. Gerbino, Nick Dominion Resources Services, Inc.
109. Gering, Kip Itron
110. Gerra, Arun University of Colorado, Boulder
111. Ghansah, Isaac California State University Sacramento
112. Giammaria, Claire American Civil Liberties Union
113. Gibbs, Derek SmartSynch
114. Gillmore, Matt CMS Energy
115. Givens, Beth Privacy Rights Clearinghouse
116. Glenn, Bill Westar Energy, Inc.
117. Goff, Ed Progress Energy
118. Golla, Ramprasad Grid Net
119. Gonzalez, Efrain Southern California Edison
120. Gooding, Jeff Southern California Edison
121. Goodson, Paul ISA
122. Gorog, Christopher Atmel Corporation
123. Grazdina, Baiba Duke Energy
124. Greenberg, Alan M. Boeing Defense, Space & Security
125. Greenfield, Neil American Electric Power, Inc.
126. Greer, David University of Tulsa
127. Grochow, Jerrold MIT
128. Gulick, Jessica SAIC
129. Gunter, Carl U. of Illinois
130. Gupta, Rajesh UC San Diego
131. Hague, David
132. Halbgewachs, Ronald D. Sandia National Laboratories
133. Hall, Tim Mocana
134. Hallman, Georgia Guidance Software
135. Hambrick, Gene Carnegie Mellon University
136. Hardjono, Thomas MIT
137. He, Donya BAE Systems
138. Herold, Rebecca Privacy Professor Rebecca Herold & Associates, LLC
139. Heron, George L. BlueFin Security
140. Herrell, Jonas University of California, Berkeley
141. Hertzog, Christine Smart Grid Library
142. Highfill, Darren SCE
143. Hilber, Del Constellation Energy
144. Histed, Jonathan Novar | Honeywell
145. Holstein, Dennis OPUS Consulting Group
146. Hoofnagle, Chris University of California, Berkeley
147. Houseman, Doug Capgemini Consulting
148. Huber, Robert Critical Intelligence
149. Hughes, Joe EPRI
150. Hurley, Jesse Shift Research, LLC
151. Hussey, Laura Schweitzer Engineering Laboratories, Inc.
152. Huzmezan, Mihai General Electric
153. Ibrahim, Erfan EPRI
154. Iga, Yoichi NEC Electronics Corp.
155. Ilic, Marija Carnegie-Mellon University
156. Ivers, James SEI
157. Jaokar, Ajit Futuretext
158. Jepson, Robert Lockheed Martin Energy Solutions
159. Jin, Chunlian Pacific Northwest National Laboratory
160. Joffe, Rodney NeuStar
161. Johnson, Diana J. Boeing Defense, Space & Security
162. Johnson, Freemon NIST
163. Johnson, Oliver Tendril
164. Jones, Barry Sempra
165. Kahl, Steve North Dakota
166. Kanda, Mitsuru Toshiba
167. Kellogg, Shannon EMC
168. Kenchington, Henry DOE
169. Kerber, Jennifer Tech America
170. Khurana, Himanshu University of Illinois
171. Kim, Jin Risk Networks LLC
172. Kimura, Randy General Electric
173. King, Charlie BAE Systems
174. Kirby, Bill Aunigma Network Solutions Corp.
175. Kiss, Gabor Telcordia
176. Klein, Stanley A. Open Secure Energy Control Systems, LLC
177. Klerer, Mark
178. Kobayashi, Nobuhiro Mitsubishi Electric
179. Koliwad, Ajay General Electric
180. Kotting, Chris Public Utilities Commission of Ohio
181. Kube, Nate Wurldtech
182. Kulkarni, Manoj Mocana
183. Kursawe, Klaus Philips
184. Kuruganti, Phani Teja EMC2
185. Kyle, Martin Sierra Systems
186. Lakshminarayanan, Sitaraman General Electric
187. LaMarre, Mike Austin Energy ITT
188. Lauriat, Nicholas A. Network and Security Technologies
189. Lawson, Barry NRECA
190. Lee, Annabelle NIST
191. Lee, Cheolwon Electronics and Telecommunications Research Institute
192. Lee, Gunhee Electronics and Telecommunications Research Institute
193. Lee, JJ LS Industrial Systems
194. Lee, Virginia eComp Consultants
195. Lenane, Brian SRA International
196. Levinson, Alex Lockheed Martin Information Systems and Global Solutions
197. Lewis, David Hydro One
198. Lewis, Rob Trustifiers Inc.
199. Libous, Jim Lockheed Martin Systems Integration – Owego
200. Lilley, John Sempra
201. Lima, Claudio Sonoma Innovation
202. Lintzen, Johannes Utimaco Safeware AG
203. Lipson, Howard CERT, Software Engineering Institute
204. Lynch, Jennifer University of California, Berkeley
205. Maciel, Greg Uniloc USA
206. Magda, Wally Industrial Defender
207. Magnuson, Gail
208. Manjrekar, Madhav Siemens
209. Manucharyan, Hovanes LinkGard Systems
210. Maria, Art AT&T
211. Markham, Tom Honeywell
212. Martinez, Catherine DTE Energy
213. Martinez, Ralph BAE Systems
214. Marty, David University of California, Berkeley
215. McBride, Sean Critical Intelligence
216. McComber, Robert Telvent
217. McCullough, Jeff Elster Group
218. McDonald, Jeremy Southern California Edison
219. McGinnis, Douglas IT Utility Solutions
220. McGurk, Sean Dept of Homeland Security
221. McKinnon, David Pacific Northwest National Laboratory
222. McQuade, Rae NAESB
223. Melton, Ron Pacific Northwest National Laboratory
224. Mertz, Michael Southern California Edison
225. Metke, Anthony Motorola
226. Miller, Joel Merrion Group
227. Mirza, Wasi Motorola
228. Mitsuru, Kanda Toshiba
229. Molina, Jesus Fujitsu Ltd.
230. Molitor, Paul NEMA
231. Mollenkopf, Jim CURRENT Group
232. Moniz, Paulo Logica
233. Mulberry, Karen Neustar
234. Nahas, John ICF International
235. Navid, Nivad Midwest ISO
236. Noel, Paul ASI
237. Norton, Dave Entergy
238. Nutaro, James J. Southern California Edison
239. O’Neill, Ivan Southern California Edison
240. Ohba, Yoshihiro Toshiba
241. Okunami, Peter M. Hawaiian Electric Company, Inc.
242. Old, Robert Siemens Building Technologies, Inc.
243. Olive, Kay Olive Strategies
244. Overman, Thomas M. Boeing Defense, Space & Security
245. Owens, Andy Plexus Research
246. Pace, James Silver Spring Networks
247. Pal, Partha Raytheon BBN Technologies
248. Palmquist, Scott Itron
249. Papa, Mauricio University of Tulsa
250. Patel, Chris EMC Technology Alliances
251. Pearce, Thomas C. II Public Utilities Commission of Ohio
252. Peters, Mike FERC
253. Phillips, Matthew Electronic Privacy Information Center
254. Phillips, Michael Centerpoint Energy
255. Phiri, Lindani Elster Group
256. Polonetsky, Jules The Future of Privacy Forum
257. Powell, Terry L-3 Communications
258. Puri, Anuj IEEE
259. Pyles, Ward Southern Company
260. Qin, Jason Skywise Systems
261. Qiu, Bin E:SO Global
262. Quinn, Steve Sophos
263. Rader, Bodhi FERC
264. Radgowski, John Dominion Resources Services, Inc
265. Ragsdale, Gary L. Southwest Research Institute
266. Rakaczky, Ernest A. Invensys Global Development
267. Rao, Josyula R IBM
268. Ray, Indrakshi Colorado State University
269. Reddi, Ramesh Intell Energy
270. Revill, David Georgia Transmission Corp.
271. Schantz, Rick BBN
272. Riepenkroger, Karen Sprint
273. Rivero, Al Telvent
274. Roberts, Don Southern Company Transmission
275. Roberts, Jeremy LonMark International
276. Robinson, Charley International Society of Automation
277. Robinson, Eric ITRON
278. Rodriguez, Gene IBM
279. Rumery, Brad Sempra
280. Rutfield, Craig NTRU Cryptosystems, Inc.
281. Rutkowski, Tony Yaana Technologies
282. Sackman, Ronald W. Boeing Defense, Space & Security
283. Saint, Bob National Rural Electric Cooperative Association
284. Sambasivan, Sam AT&T
285. Sanders, William University of Illinois
286. Schantz, Rick Raytheon BBN Technologies
287. Scheff, Andrew Scheff Associates
288. Sconzo, Mike Electric Reliability Council of Texas
289. Scott, David IEEE
290. Scott, Tom Progress Energy
291. Searle, Justin InGuardians
292. Seo, Jeongtaek Electronics and Telecommunications Research Institute
293. Shastri, Viji MCAP Systems
294. Shaw, Vishant Enernex
295. Shein, Robert EDS
296. Shetty, Ram General Electric
297. Shin, Mark Infogard
298. Shpantzer, Gal
299. Silverstone, Ariel Independent Business Security Consultant
300. Sinai, Nick Federal Communications Commission
301. Singer, Bryan Kenexis
302. Sisley, Elizabeth University of Minnesota
303. Skare, Paul Siemens
304. Slack, Phil Florida Power & Light Company
305. Smith, Brian EnerNex
306. Smith, Rhett Schweitzer Engineering Laboratories, Inc.
307. Smith, Ron ESCO Technologies Inc.
308. Sood, Kapil Intel Labs
309. Sorebo, Gilbert SAIC
310. Souza, Bill GridWise and PJM Interconnection
311. Stammberger, Kurt Mocana
312. Stanley, Jay American Civil Liberties Union
313. Starr, Christopher H. General Dynamics Advanced Information Systems
314. Steiner, Michael IBM
315. Sterling, Joyce NitroSecurity
316. Stevens, James Software Engineering Institute
317. Stitzel, Jon Burns & McDonnell Engineering Company, Inc.
318. StJohns, Michael
319. Stouffer, Keith NIST
320. Strickland, Tom General Electric
321. Struthers, Brent NeuStar
322. Subrahmanyam, P.A. IEEE, Stanford, CyberKnowledge
323. Suchman, Bonnie Troutman Sanders LLP
324. Sullivan, Kevin Microsoft
325. Sung, Lee Fujitsu
326. Sushilendra, Madhava EPRI
327. Tallent, Michael Tennessee Valley Authority
328. Taylor, Malcolm Carnegie Mellon University
329. Thanos, Daniel General Electric
330. Thaw, David Hogan & Hartson
331. Thomassen, Tom Symantec
332. Thompson, Daryl L. Thompson Network Consulting
333. Thomson, Matt General Electric
334. Tien, Lee Electronic Freedom Foundation
335. Tiffany, Eric Liberty Alliance
336. Toecker, Michael Burns & McDonnell
337. Tolway, Rich APS
338. Truskowski, Mike Cisco
339. Uhrig, Rick Electrosoft
340. Urban, Jennifer Samuelson Clinic at UC Berkeley
341. Veltsos, Christophe Minnesota State University
342. Venkatachalam, R. S. Mansai Corporation
343. Vettoretti, Paul SBC Global
344. Wacks, Kenneth P. Massachusetts Institute of Technology
345. Walia, Harpreet Wave Strong Inc.
346. Wallace, Donald Itron
347. Walters, Ryan COO TerraWi Communications
348. Wang, Longhao Samuelson Clinic at UC Berkeley
349. Wang, Yongge University of North Carolina-Charlotte
350. Wei, Dong SIEMENS Corporation
351. Wepman, Joshua SAIC Commercial Business Services
352. West, Andrew C Invensys Process Systems
353. Weyer, John A. John A. Weyer and Associates
354. Whitaker, Kari LockDown, Inc.
355. White, Jim Uniloc USA, Inc.
356. Whitney, Tobias The Structure Group
357. Whyte, William Ntru Cryptosystems, Inc.
358. Williams, Terron Elster Electricity
359. Wingo, Harry Google
360. Witnov, Shane University of California, Berkeley
361. Wohnig, Ernest Booz-Allen Hamilton
362. Wolf, Dana RSA
363. Worden, Michael New York State Public Service Commission
364. Worthington, Charles Federal Communications Commission
365. Wright, Andrew N-Dimension Solutions
366. Wyatt, Michael ITT Advanced Technologies
367. Yao, Taketsugu Oki Electric Industry, Co., Ltd
368. Yardley, Tim University of Illinois
369. Yoo, Kevin Wurldtech