Cybersecurity for Smart Grid Systems

Summary:

Smart grid cybersecurity must address not only deliberate attacks, such as from disgruntled employees, industrial espionage, and terrorists, but also inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters. The Smart Grid Interoperability Panel (SGIP) Cybersecurity Committee (SGCC), which is led and managed by the NIST Information Technology Laboratory (ITL), Computer Security Division, is moving forward in FY14 to address the critical cybersecurity needs in the areas of Advanced Metering Infrastructure (AMI) security requirements, cloud computing, supply chain, and privacy recommendations related to emerging standards. This project will provide foundational cybersecurity guidance, cybersecurity reviews of standards and requirements, and outreach, and will foster collaborations on the cross-cutting issue of cybersecurity in the smart grid.

Description:

Objective - To develop the measurement science needed to advance the development and standardization of cybersecurity, including privacy, policies, measures, procedures, and resiliency, in the smart electric grid.

What is the new technical idea? As a result of deployment of new smart grid technologies, the electric power industry is faced with new and changing cybersecurity threats, vulnerabilities, and the need for requirements applicable to the smart grid, both broadly and in specific areas such as applied cryptography and cybersecurity for microgrids. The new technical idea is to adapt existing cybersecurity best practice methodologies and tools and to understand how to apply them in the electric sector, while identifying gaps and unique requirements for the grid that require new methodologies and tools. NIST will address these challenges by conducting research in the NIST Smart Grid Testbed facility, leading the Smart Grid Interoperability Panel (SGIP) Cybersecurity Committee (SGCC) to evaluate cybersecurity policies and measures in industry standards, and developing relevant guidance documents for the smart grid cybersecurity community.

What is the research plan? The research plan is to conduct research that will enable the development of industry standards and guidance in order to successfully implement secure Smart Grid technologies, including through the following:

  • Technology Transfer – Technical leadership of the SGCC: Providing cybersecurity expertise, technical leadership, and oversight required to manage the SGCC.
  • Technology Transfer – Review identified standards and Smart Grid interoperability requirements against the high-level security requirements in NIST Interagency Report (IR) 7628, Guidelines for Smart Grid Cyber Security, to identify any cybersecurity gaps and provide recommendations for further work to mitigate gaps. [This milestone is pending the discussion between NIST SG Leadership and SGIP]
  • Technology Transfer – Collaboration with CEN-CENELEC-ETSI Smart Grid Coordination Group (SG-CG) Smart Grid Information Security (SG-IS): Collaborate with the European Union's SG-CG SG-IS to develop a white paper on the relationship between the SG-IS Security Levels and NIST Interagency Report 7628 Rev. 1, Guidelines for Smart Grid Cybersecurity.
  • Technology Transfer – Cybersecurity Frameworks Case Study: Work with utilities to develop a case study on how different voluntary cybersecurity guidance frameworks (e.g., Cybersecurity Capability Maturity Model, Framework for Improving Critical Infrastructure Cybersecurity, NISTIR 7628) are implemented. The case study will highlight different methodologies for implementing the frameworks, goals, results, benefits, and lessons learned. Contribute to the SGIP Open Field Message Bus (FMB) Project by identifying cybersecurity recommendations for the Distributed Intelligence Platform.
  • Fundamental and Applied Research – Cybersecurity Smart Grid Testbed: Collaborate with ITL Software and Systems Division on cybersecurity-related research in relation to the IEEE 1588 standard on time synchronization. Conduct research on smart grid applications of cryptography for constrained environments and delayed authentication. Conduct research on providing cybersecurity for legacy systems.

Major Accomplishments:

Technology Transfer Outcomes:
  • NIST published its Draft NISTIR 7823 Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework. The Draft NISTIR 7823 proposes an example test framework and conformance test requirements for the firmware upgradeability process for the Advanced Metering Infrastructure (AMI) Smart Meters. The conformance test requirements in the Draft NISTIR 7823 are derived from the National Electrical Manufacturers Association (NEMA) Requirements for Smart Meter Upgradeability standard, which defines requirements for Smart Meter firmware upgradeability in the context of an AMI system for industry stakeholders such as regulators, utilities, and vendors. Draft NISTIR 7823 identifies test procedures that the vendors and testers can voluntarily use to demonstrate a system’s conformance with the NEMA standard. 
Potential Technology Transfer Impacts:
  • NISTIR 7628 Guidelines for Cyber Security (Volumes 1, 2, and 3) publication has achieved wide recognition and use for utilities, vendors, and regulators, and is also cited internationally. With input from the SGIP Smart Grid Cybersecurity Committee, NIST has completed and posted the first draft of (revised) NISTIR 7628 Guidelines for Smart Grid Cyber Security, Revision 1 for SGCC review and comment, with an additional public comment period planned before a final version is published.
Realized Technology Transfer Impacts:  
  • NISTIR 7628 Guidelines for Cyber Security (Volumes 1, 2, and 3) publication has achieved wide recognition and use for utilities, vendors, and regulators, and is also cited internationally. With input from the SGIP Smart Grid Cybersecurity Committee, NIST has completed and posted the first draft of (revised) NISTIR 7628 Guidelines for Smart Grid Cyber Security, Revision 1 for SGCC review and comment, with an additional public comment period planned before a final version is published.