Cybersecurity threats challenge the reliability, resiliency and safety of the electric grid. As the smart grid develops and today’s electrical grid interconnects with distributed generation and with less tangible information technology components such as networks, software and the internet, the need to address cybersecurity at utilities takes center stage. Enter NARUC. With funding from DOE, NARUC recently issued a Primer on Cybersecurity for State Regulators. The well-written primer addresses cybersecurity not only for the physical distribution and transmission grids, substations and offices, but also for equipment and systems that communicate, store and act on data. The challenge for regulators will be that cybersecurity must encompass not only utility-owned systems, but also some aspects of customer and third-party components that interact with the grid, such as advanced meters, devices behind the meter and human elements such as system operators, customers and “bad guys” interacting at all levels of a system. Although written for regulators, the primer will be helpful to all utilities and the vendors that support the utilities. Below are just a few of the questions presented in the primer:

  • Is cybersecurity integrated between business systems and control systems? For the existing grid and for the smart grid?
  • Have logical and physical connections to key systems been evaluated and addressed?
  • Does the company maintain standards and expectations for downtime during the upgrade and replacement cycle?
  • Does the company have equipment dependent on remote upgrades to firmware or software, or have plans to implement such systems?
  • Does the company have a plan in place to maintain system cybersecurity during statistically probable upgrade failures?
  • Is there a schedule for required password updates from default vendor or manufacturer passwords?
  • Has cybersecurity been identified in the physical security plans for the assets, reflecting planning for a blended cyber / physical attack?
  • What network protocols (IP, proprietary, etc.) are used in remote communications? Is the potential vulnerability of each protocol considered in deployment?

I recently saw an informative video by Cisco that provides a nice description of the Cisco Connected Grid FAN Solution, which I believe will help many utilities address the issues raised in the primer. According to Cisco’s whitepaper, benefits of the Cisco Connected Grid FAN Solution include reduced system vulnerability to physical attack or cyber attack, operating resiliency against security disruptions, secure access and data privacy for smart grid information and a framework for meeting regulatory compliance requirements.