NIST logo
*

Cybersecurity for Smart Grid Systems

Summary:

Smart grid cybersecurity must address not only deliberate attacks, such as from disgruntled employees, industrial espionage, and terrorists, but also inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters. The Smart Grid Interoperability Panel (SGIP) Cybersecurity Committee (SGCC), which is led and managed by the NIST Information Technology Laboratory (ITL), Computer Security Division, is moving forward in FY14 to address the critical cybersecurity needs in the areas of Advanced Metering Infrastructure (AMI) security requirements, cloud computing, supply chain, and privacy recommendations related to emerging standards. This project will provide foundational cybersecurity guidance, cybersecurity reviews of standards and requirements, outreach, and foster collaborations in the cross-cutting issue of cybersecurity in the smart grid.

Description:

Objective: To advance the development and standardization of cybersecurity, including privacy, policies, measures, procedures, and resiliency in the electric smart grid by 2016. 

What is the new technical idea? As a result of deployment of new smart grid technologies, the electric power industry is faced with new and changing threats, vulnerabilities, and requirements for the smart grid in general and in specific areas such as privacy, smart grid architecture, and Advanced Metering Infrastructure (AMI). Efforts to address similar issues have been underway in other sectors, such as banking, federal systems, defense networks, and industrial control systems. The new technical idea is to adapt existing cybersecurity best practice methodologies and tools and to understand how to apply them in the electric sector, while identifying gaps and unique requirements for the grid that require new methodologies and tools. The SGIP Smart Grid Cybersecurity Committee (SGCC)1  will address these challenges through collaborations with federal agencies, academia, and industry, through the evaluation of cybersecurity policies and measures in industry standards, and through the development of guidance documents. 

What is the research plan? To conduct research that will enable the development of industry standards and guidance in order to successfully implement secure Smart Grid technologies.  

  • Technical leadership of the SGCC: Providing cybersecurity expertise, technical leadership, and oversight required to manage the SGCC.
  • Review identified standards and Smart Grid interoperability requirements against the high-level security requirements in NIST Interagency Report (IR) 7628 Revision 1, Guidelines for Smart Grid Cyber Security to identify any cybersecurity gaps and provide recommendations for further work to mitigate gaps.  
  • Lead in the area of AMI cybersecurity: Collaborate with SGIP, Electric Power Research Institute (EPRI), American National Standards Institute (ANSI), and others to develop cybersecurity requirements for inclusion in ANSI C12.19, Utility Industry End Device Data Tables. Collaborate with Brazil’s National Institute of Metrology, Quality and Technology (Inmetro) on their AMI security requirements project. 
  • Secure Content Automation Protocol (SCAP) extension to cover Smart Grid systems: Research the Department of Energy (DOE)/EPRI Lemnos project for Secure Content Automation Protocol (SCAP) applicability which would provide a standardized, measurable, automated method of continuous monitoring for smart grid components, increasing efficiency and accuracy, reducing costs of secure implementations, and improving capability and interoperability in implementations. 
  • Cybersecurity Smart Grid Test Lab: Coordinate with EL on the development of a Cybersecurity Smart Grid Test Lab. Collaborate with ITL Software and Systems Division on cybersecurity related tests in relation to the IEEE 1588 standard on time synchronization.
  • Participate in the National Cybersecurity Center of Excellence Electricity Sector use case. Leverage the use case for further testing and measurement within the Cybersecurity Smart Grid Test Lab.  
  • Further development and refinement of specific smart grid areas – security architecture, privacy, and cloud services. 
  • Supply Chain Awareness Guide: Collaborate with DOE, Federal Energy Regulatory Commission (FERC), Department of Homeland Security (DHS), and SGCC members to develop a smart grid supply chain awareness guide directed at electricity sector executives.

1 The National Institute of Standards and Technology (NIST) established the Smart Grid Interoperability Panel (SGIP) SGCC in support of the Energy Independence and Security Act of 2007 to address the cross-cutting issue of cybersecurity.  The primary goal of the SGCC is to develop a cybersecurity risk management strategy for the Smart Grid to enable secure interoperability of solutions across different domains and components.

Major Accomplishments:

Technology Transfer Outcomes:
  • NIST published its Draft NISTIR 7823 Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework. The Draft NISTIR 7823 proposes an example test framework and conformance test requirements for the firmware upgradeability process for the Advanced Metering Infrastructure (AMI) Smart Meters. The conformance test requirements in the Draft NISTIR 7823 are derived from the National Electrical Manufacturers Association (NEMA) Requirements for Smart Meter Upgradeability standard, which defines requirements for Smart Meter firmware upgradeability in the context of an AMI system for industry stakeholders such as regulators, utilities, and vendors. Draft NISTIR 7823 identifies test procedures that the vendors and testers can voluntarily use to demonstrate a system’s conformance with the NEMA standard. 
Potential Technology Transfer Impacts:
  • NISTIR 7628 Guidelines for Cyber Security (Volumes 1, 2, and 3) publication has achieved wide recognition and use for utilities, vendors, and regulators, and is also cited internationally. With input from the SGIP Smart Grid Cybersecurity Committee, NIST has completed and posted the first draft of (revised) NISTIR 7628 Guidelines for Smart Grid Cyber Security, Revision 1 for SGCC review and comment, with an additional public comment period planned before a final version is published
Realized Technology Transfer Impacts:  
  • NISTIR 7628 Guidelines for Cyber Security (Volumes 1, 2, and 3) publication has achieved wide recognition and use for utilities, vendors, and regulators, and is also cited internationally. With input from the SGIP Smart Grid Cybersecurity Committee, NIST has completed and posted the first draft of (revised) NISTIR 7628 Guidelines for Smart Grid Cyber Security, Revision 1 for SGCC review and comment, with an additional public comment period planned before a final version is published.