Read the book Building an Effective Security Program for Distributed Energy Resources and Systems - Mariana Hentea - Page 39
1.4.3 The Need for Security and Privacy
Security has a wide base and addresses specific issues regarding computers, information, and organizations. The continuous growth of cybersecurity threats and attacks, including the increasing sophistication of malware, is impacting the security of critical infrastructure, ICS, power grids, EMS, and SCADA control systems [Hentea 2007].
There is a growing concern about the security and safety of the control systems in terms of vulnerabilities, lack of protection, and awareness.
Besides security concerns, computer systems, including control systems, raise the issue of safety, because they can cause harm and catastrophic damage when they fail to support applications as intended. Therefore, information security management principles, processes, and security architecture need to be applied to smart power grid systems without exception [ENISA 2015a].
Smart Grid technologies and applications create new security and privacy risks and concerns in unexpected ways. Concerns about the privacy of consumers and people are of vital importance in the energy sector. Any compromise of personal data or of the security of the power service can undermine many services and applications. An incident would not only create a breach of privacy or of the confidentiality, integrity, or availability of the information, but it might also compromise the potential future markets the technology might have been able to create if the service had been secure. Therefore, the vulnerability of the power system is not merely a matter of the electric system or physical system; it is also a matter of cybersecurity. Attacks on Smart Grid applications (such as attacks upon the power system, attacks by the power system, and attacks through the power system) could bring huge damage to the economy and public safety.
In complex interactive systems like Smart Grid whose elements are tightly coupled, the likelihood of targeted attack as well as failures from erroneous operations and natural disasters and accidents is quite high. Vulnerabilities and attacks can be at different levels – software controlling or controlled device, application, storage, data access, LAN, enterprise, private communication links, and public PSTN and Internet‐based communications.
The destruction of power grid systems and assets would have a debilitating impact on energy security, economic security, public health, or safety. With a system that handles power generation, transmission, and distribution, security responsibility extends beyond the traditional walls of the data center. An intruder can, intentionally or unintentionally, cause a power line to be energized in a way that would endanger lives. Similarly, a power line may be de‐energized in such a way as to cause damage to transmission and control systems and possibly endanger the safety of employees and the public. Therefore, each organization should develop its own policy to protect assets, employees, and the general public, who are at risk when human (intentional or unintentional) threats or natural disasters occur.
Security controls (also called safeguards, measures, or countermeasures) are needed to ensure protection of an organization's assets (tangible and intangible) and people as well as the safety of people. Tangible assets are physical assets that include power equipment, computers, devices, facilities, and supplies. Intangible assets include data, information, reputation, intellectual property, copyrights, trade secrets, business strategies, and any other information valuable to an organization.
It is recognized that as new capabilities are included in the Smart Grid, potential privacy issues may occur [NISTIR 7628]. A privacy policy framework for the Smart Grid and for smart homes is suggested in [GridWise 2011]. This framework is limited and addresses only consumer privacy issues that arise from the collection, use, and retention of such data no matter from what source it is collected.