This three-volume report presents an analytical framework that organizations can use to develop effective cyber security strategies tailored to their particular combinations of Smart Grid-related characteristics, risks, and vulnerabilities. Organizations in the diverse community of Smart Grid stakeholders — from utilities to providers of energy management services to manufacturers of electric vehicles and charging stations — can use the methods and supporting information presented in this report as guidance for assessing risk and identifying and applying appropriate security requirements. This approach recognizes that the electric grid is changing from a relatively closed system to a complex, highly interconnected environment. Each organization’s cyber security requirements should evolve as technology advances and as threats to grid security inevitably multiply and diversify.
This initial version of the Guidelines was developed as a consensus document by the Cyber Security Working Group (CSWG) of the Smart Grid Interoperability Panel (SGIP), a public-private partnership launched by the National Institute of Standards and Technology (NIST) in November 2009. The CSWG now numbers more than 475 participants from the private sector (including vendors and service providers), manufacturers, various standards organizations, academia, regulatory organizations, and federal agencies. A number of these members are from outside the United States.
Volume I Edit
The first volume of the report describes the analytical approach, including the risk assessment process, used to identify high-level security requirements. It also presents a high-level architecture followed by a logical interface architecture used to identify and define categories of interfaces within and across the seven Smart Grid domains. High-level security requirements for each of the 22 logical interface categories are then described. The first volume concludes with a discussion of technical cryptographic and key management issues across the scope of Smart Grid systems and devices.
Volume II Edit
The second volume is focused on privacy issues within personal dwellings. It provides awareness and discussion of such topics as evolving Smart Grid technologies and associated new types of information related to individuals, groups of individuals, and their behavior within their premises and electric vehicles; and whether these new types of information may contain privacy risks and challenges that have not been legally tested yet.
Additionally, the second volume provides recommendations, based on widely accepted privacy principles, for entities that participate within the Smart Grid. These recommendations include things such as having entities develop privacy use cases that track data flows containing personal information in order to address and mitigate common privacy risks that exist within business processes within the Smart Grid; and to educate consumers and other individuals about the privacy risks within the Smart Grid and what they can do to mitigate these risks.
Volume III Edit
The third volume is a compilation of supporting analyses and references used to develop the high-level security requirements and other tools and resources presented in the first two volumes. These include categories of vulnerabilities defined by the working group and a discussion of the bottom-up security analysis that it conducted while developing the guidelines.
A separate chapter distills research and development themes that are meant to present paradigm changing directions in cyber security that will enable higher levels of reliability and security for the Smart Grid as it continues to become more technologically advanced. In addition, the third volume provides an overview of the process that the CSWG developed to assess whether standards, identified through the NIST-led process in support of Smart Grid interoperability, satisfy the high-level security requirements included in the report.