Building an Effective Security Program for Distributed Energy Resources and Systems - Mariana Hentea
Preface Volume 1
Understanding Security for Smart Grid and Distributed Energy Resources and Systems
“If you want to find the secrets of the universe, think in terms of energy, frequency and vibration.” (Nikola Tesla, US Inventor)
The emergence of the Smart Grid paradigm and distributed energy resource (DER) applications requires innovation and the deployment of new technologies, processes, and policies. DERs are typically smaller electricity generation or storage units located in a community, business, or home. They can serve consumers' energy needs locally and can provide support for the grid. All points of the power grid infrastructure will come under challenge, so it is critical that we fix the process and trust issues in DERs and future Smart Grid technologies.
The more sophisticated technologies and devices become, the greater the danger of them being stolen or adapted for misuse. The growing popularity of wireless technology used in several computing systems may have finally attracted enough hackers to make the potential for serious security threats a reality. In fact, the number and types of mobile threats – including viruses, spyware, malicious downloadable applications, phishing, and spam – have spiked in recent months. One can argue that device makers and wireless service providers have long focused on communications and other services, with security remaining an afterthought.
There is a growing concern about the security and safety of the control systems in terms of vulnerabilities, lack of protection, and awareness. In the past, control systems were isolated from other Information Technology (IT) systems. Historically, IT teams and industrial control systems or operational technology (OT) teams have been organized vertically based on the technology stack they managed. Connection to the Internet is new (early 1990s) and debatable among specialists. However, even without any connection to the Internet, these systems are still vulnerable to external or internal attackers that can exploit vulnerabilities in private communication networks and protocols, software such as operating systems, custom and vendor software, data storage software, databases, and applications.
Therefore, the increasing cyber attacks on the energy sector and critical infrastructure are national concerns that require better security and privacy protection, an educated workforce of engineers in the area of security and privacy issues, and security professionals in the area of industrial control systems, particularly in developing and implementing security protection for emerging Smart Grid applications and DER systems.
The security frameworks and initiatives surrounding the Smart Grid technology hence need to be provided and applied in a time‐critical fashion before larger implementations of Smart Grid roll out without good designs. Additionally, the electrical power community needs to critically consider applications of such frameworks to legacy power grid implementations to avoid security add‐ons that could be costly and inefficient.
While no single solution can be applied today to protect the power grid, this book (Volume 1), Understanding Security for Smart Grid and Distributed Energy Resources and Systems, provides an introduction to the fundamental concepts of cybersecurity, Smart Grid, DERs, power systems, and the energy sector as a critical infrastructure. It discusses strategies, approaches, methods, frameworks, and standards that could help the current workforce in the electrical sector and power product manufacturers to:
Understand the security problem as it applies to the power grid, energy sector, and electricity subsector.
Understand the cybersecurity terms and evolution of terms.
Understand the Smart Grid concepts, DERs, and system needs for protection against intentional or unintentional threats.
Construct new engineering approaches to cybersecurity such as integrated organizational cooperation, strategic and tactical methods to be implemented, and increasing standards compliance requirements as well as fostering public trust that security is a high priority to those who provide these critical energy resources.
Define trust in a dynamic, collaborative environment and understand what it means to provide trust throughout an interaction.
Use a common framework for security policies and support of interoperability, ensuring security, and continuity.
Recognize the importance of standards in the development of Smart Grid technologies and DER systems to develop a framework that includes protocols and model standards for information security management.
Describe relevant cybersecurity standards or best practices that can be used for the specific applications.
Understand the scope and limitations of the security controls.
Identify the capability of the components or system to be updated to meet future cybersecurity requirements or technologies.
The key topics discussed in the book include:
Smart Grid paradigm, DERs and systems, scope of security and privacy, computing and information systems for business and industrial applications, critical Smart Grid systems, overview of Smart Grid cybersecurity standards, and key players in Smart Grid standards development.
Cybersecurity concepts and cybersecurity evolution, cybersecurity for electrical sector as a National Priority, emerging technologies, the needs for Smart Grid cybersecurity, solutions, security, and privacy programs.
Principles of cybersecurity, characteristics of information, critical security characteristics of information and systems, information security models.
Applying security principles to Smart Grid and DERs, Smart Grid infrastructure and technologies by considering IT systems infrastructure versus industrial control systems infrastructure with their differences and similarities including the IT and Operational convergence trends.
Smart Grid vulnerabilities, threats, recent cyber attacks, security controls, and cybersecurity challenges.
Critical infrastructure, critical infrastructure interdependencies, energy sector as a component of critical infrastructure, information security frameworks (NIST Cybersecurity Framework and NIST Privacy framework – generic frameworks), terrorism challenges addressing security of control systems, emerging technologies, and impacts to cybersecurity.
Characteristics of Smart Grid and DER systems, power system services and operations, energy management system, electrical utilities evolution, Smart Grid conceptual models (NIST conceptual model, IEEE model, European Union conceptual model), power and smart devices, and Smart Grid key technologies.
Analysis of power system characteristics (e.g. stability, partial stability), analysis of DER impacts, addressing issues (e.g. cybersecurity, reliability, resiliency, cyber‐physical systems), Smart Grid interoperability dimensions, interoperability framework, and addressing cross‐cutting issues.
Distributed energy systems, DER technologies and security challenges, establishing information security governance, and examples of Smart Grid applications and cybersecurity expectations.
Security management as a broad field of management, security management components and tasks, security program definition and functions, security management process, asset management, physical security and safety, security versus safety, information security management infrastructure, models and frameworks for information security management, privacy program functions, and approaches for building a security program and privacy program.
Security management for Smart Grid systems – strategic, tactical, and operational views, unified view of security management based on risk management for both IT systems and control systems, systemic security management – comparison and discussion of models, efficient and effective management solutions, security models for electrical sector – electricity subsector cybersecurity capability maturity model (ES‐CM2), NIST framework, etc., implementation challenges on achieving security governance, and ensuring information assurance, certification, and accreditation.
The topics discussed in this book help to educate security professionals, power control engineers, management, regulators, and service providers, and inform the public at large about the Smart Grid paradigm, DERs, and the needs for security and privacy protection. The book may also be used to educate future graduates (e.g. engineering, computer science, IT, business, and law) so they gain skills and more knowledge in understanding and managing the security and privacy risks of Smart Grid and DERs, as well as approaches for defining and maintaining a security and privacy program. For example, law students can use the material from the book to understand the cybersecurity issues in critical infrastructure problems. They can also learn about the current regulations and the needs of the power sector and consumers for new regulations in the future.
Research and academia communities could use the book to have a broader view of the cybersecurity problems for Smart Grid, critical infrastructure and energy sector.