Building an Effective Security Program for Distributed Energy Resources and Systems. Mariana Hentea

Чтение книги онлайн.

СКАЧАТЬ others.

       Privacy of personal communications is the right to communicate without undue surveillance, monitoring, or censorship.

      Privacy as a strategy for Smart Grid applications should include all four dimensions [NISTIR 7628r1]. Most Smart Grid entities directly address the personal information dimension, but the other dimensions are not included. There is a gap in the laws and regulations. Therefore, the other dimensions should also be considered in the Smart Grid context because new types of energy use data may be created and communicated. Unique electric signatures for consumer electronics and appliances could be compared against some common appliance usage profiles to develop detailed, time‐stamped activity reports within personal dwellings. Charging station information might reveal the detailed whereabouts of an EV/PEV/PHEV. This data did not exist before the application of Smart Grid technologies. Smart Grid applications may reveal details (energy usage patterns or other type of activities), either explicitly or implicitly, about an individual’s household dwelling or other type of premises.

      Although many of the types of data items accessible through the Smart Grid are not new, there is now the possibility that other parties, entities, or individuals will have access to those data items, and there are now many new uses for and ways to analyze the collected data, which may raise substantial privacy concerns. The reputation of an energy service provider might also be impacted by gaps in customer data privacy protection.

      1.4.3 The Need for Security and Privacy

      Security has a wide base and addresses specific issues regarding computers, information, and organizations. The continuous growth of cybersecurity threats and attacks including the increasing sophistication of the malware is impacting the security of critical infrastructure, ICS, power grids, EMS, and SCADA control systems [Hentea 2007].

      There is a growing concern about the security and safety of the control systems in terms of vulnerabilities, lack of protection, and awareness.

Besides security concerns, computer systems including control systems raise the issue of safety causing harm and catastrophic damage when they fail to support applications as intended. Therefore, information security management principles, processes, and security architecture need to be applied to smart power grid systems without exception [ENISA 2015a].

      Smart Grid technologies and applications create new security and privacy risks and concerns in unexpected ways. Concerns of privacy of consumers and people are of vital importance in the energy sector. If there is any compromise of the personal data or security of the power service, it can undermine many services and applications. An incident would not only create a breach of privacy or confidentiality, integrity, or availability of the information, but it might also compromise the potential future markets the technology might have been able to create if it the service had been secure. Therefore, the vulnerability of the power system is not mainly a matter of electric system or physical system, but it is also a matter of cybersecurity. Attacks (such as attacks upon the power system, attacks by the power system, and attacks through the power system) to the Smart Grid applications could bring huge damage to the economy and public safety.

      In complex interactive systems like Smart Grid whose elements are tightly coupled, the likelihood of targeted attack as well as failures from erroneous operations and natural disasters and accidents is quite high. Vulnerabilities and attacks can be at different levels – software controlling or controlled device, application, storage, data access, LAN, enterprise, private communication links, and public PSTN and Internet‐based communications.

      The destruction of power grid systems and assets would have a debilitating impact on energy security, economic security, public health, or safety. With a system that handles power generation, transmission, and distribution, security responsibility extends beyond the traditional walls of the data center. An intruder can, intentionally or unintentionally, cause a power line to be energized that would endanger lives. Similarly, a power line may be de‐energized in such a way as to cause damage to transmission and control systems and possibly endanger the safety of employees and the public. Therefore, each organization should develop its own policy to protect assets, employees, and general public who are at risk when human (intentional or unintentional) threats or natural disasters occur.

      Security controls (called also safeguards, measures, or countermeasures) are needed to ensure protection of an organization assets (tangible and intangible) and people as well as safety of people. Tangible assets are physical assets that include power equipment, computers, devices, facilities, and supplies. Intangible assets include data, information, reputation, intellectual property, copyrights, trade secrets, business strategies, and any other information valuable to any organization.

      It is recognized that as new capabilities are included in the Smart Grid, potential privacy issues may occur [NISTIR 7628]. A privacy policy framework for the Smart Grid and for smart homes is suggested in [GridWise 2011]. This framework is limited and addresses only consumer privacy issues that arise from the collection, use, and retention of such data no matter from what source it is collected.

1.5 Computing and Information Systems for Business and Industrial Applications

      Business firms and other organizations rely on information systems to carry out and manage their operations, interact with their customers and suppliers, and compete in the marketplace. An information system is composed of many components that include hardware, software, data, people, procedures, and networks necessary to use information as a resource in an organization [Whitman 2011]. An information system is an organized assembly of computing and communication resources and procedures – e.g. equipment and services, together with their supporting infrastructure, facilities, and personnel – that create, collect, record, process, store, transport, retrieve, display, disseminate, control, or dispose information to accomplish a specified set of functions [RFC 4949].

      An information system aims to support operations, management, and decision making. In a broad sense, the term is used to refer not only to the ICT that an organization uses but also to the way in which people interact with this technology in support of business processes. At the center of any computing or information system is data and information.

      1.5.1 Information System Classification

Figure 1.17 shows different types of information systems. Distinct types of information systems include the following [O’Brien 2011]:

       Management information systems are used to analyze and facilitate strategic and operational activities. They utilize systems to generate information to improve efficiency and effectiveness of decision making, providing critical information tailored to the information needs of executives (e.g. decision support).

       Operations support information systems refer to the interconnected databases and applications implemented for the ongoing central maintenance of electronic operational data. Operations information system process data generated by business operations, maintain records about the exchanges, handle routine (yet critical) tasks, monitor, and control industrial processes.

Figure 1.17 Information systems classification.

      Source: [O’Brien 1999]. © 1999, McGraw‐Hill.

      As depicted in this diagram, both categories СКАЧАТЬ