NIST Issues Expanded Draft of Smart Grid Cyber Security Strategy For Public Review and Comment
For Immediate Release: February 3, 2010
The Commerce Department’s National Institute of Standards and Technology (NIST) issued today the second draft of its Smart Grid Cyber Security Strategy and Requirements, which now identifies more than 120 interfaces that will link diverse devices, systems and organizations engaged in two-way flows of electricity and information and classifies these connections according to the level of damage that could result from a security breach.
Prepared by the NIST-led Cyber Security Working Group, which has more than 350 members, the new draft report expands upon an earlier preliminary version, which was released by Commerce Secretary Gary Locke last September and underwent 60 days of public review. It incorporates responses to the more than 350 individual comments received.
The updated draft also includes new or more detailed technical inputs stemming from the working group’s continuing assessment of what will be required to ensure the security and reliability of the entire modernized power system and to protect the integrity and confidentiality of information exchanged during energy-related transactions on the Smart Grid.
The 300-page second draft of the Smart Grid cyber security document also will undergo public review, ending on April 2, 2010. After reviewing the comments received and completing ongoing analyses of requirements and relevant standards, the working group will finalize the Smart Grid cyber security strategy. NIST expects to issue a completed report by early summer.
Compared with the initial version, the draft cyber security report issued today contains significantly expanded sections on privacy, vulnerability categories, analyses of the potential security issues, and the overall approach to achieving Smart Grid cyber security.
The new draft classifies Smart Grid interfaces according to the level of impact—or scale and scope of damage—that could result from a compromise in security. Security requirements are established for multiple logical interface categories of the Smart Grid. In all, the new draft identifies more than 120 interfaces that pertain to high-priority Smart Grid applications, including electric transportation, electric storage, advanced metering infrastructure, distribution grid management, energy management in homes and businesses, and grid management.
Under the Energy Independence and Security Act (EISA) of 2007, NIST is directed to “coordinate the development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems.” EISA also established “modernization of the nation's electricity transmission and distribution system” as a U.S. policy goal, and it emphasized the importance of maintaining the reliability and security of the electricity infrastructure.
Smart Grid Cyber Security Strategy and Requirements (Draft NISTIR 7628) is a companion document to the NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0 (NIST SP 1108), which NIST issued on Jan. 19, 2010. The framework and roadmap report describes a high-level conceptual reference model for the Smart Grid, identifies 75 existing standards that are applicable (or likely to be applicable) to the ongoing development of an interoperable Smart Grid, and specifies a set of high-priority standards-related gaps and issues (in addition to cyber security).
The new cyber security draft describes the process that the working group is using to determine whether relevant security requirements are adequately addressed in standards that support Smart Grid interoperability. It also includes a new chapter on research needed to achieve desired levels of cyber security for the evolving Smart Grid.
Continuing work by the cyber security working group is carried out cooperatively under the umbrella of the Smart Grid Interoperability Panel (SGIP). NIST launched the panel in mid-November as a collaborative means for private and public sector stakeholders to provide input that will help NIST progress quickly toward meeting its EISA-assigned responsibilities. NIST senior cyber security strategist Annabelle Lee chairs the working group.
A notice requesting public review and comment on the second draft of NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements will soon be published in the Federal Register.
To download the second draft, go to http://www.nist.gov/smartgrid/