Building an Effective Security Program for Distributed Energy Resources and Systems. Mariana Hentea

       Keeping pace with advancing threat capabilities by implementing enhanced security capabilities that protect energy delivery systems against threats that are becoming increasingly innovative, complex, and sophisticated.

       Emphasizing a culture of security that includes training people to develop and implement the best available security policies, procedures, and technologies, tailored to the operational environment of energy delivery systems.

      In its broadest sense, cybersecurity for the power industry covers all issues involving automation and communications that affect the operation of electric power systems, the functioning of the utilities that manage them, and the business processes that support the customer base.

      Actions to develop the Smart Grid architecture include the coordinated advancement of standards across the electric power system, including device characteristics, communication requirements, security, and other system aspects [DOE 2015a].

      Implementation of cybersecurity can occur through a variety of mechanisms, including the use of standards and recommendations, enforcement of regulations, and voluntary compliance in response to business incentives. The energy sector, and specifically electrical sector organizations, can use several mechanisms for designing and implementing the security and protection of energy systems. In addition, utilities, vendors, consultants, national laboratories, higher education institutions, governmental entities, and other organizations continuously contribute to and participate in the standards and guidance of the electricity sector.

      A global survey was conducted on security governance, specifically on how boards of directors and senior management govern the security of their organizations' information, applications, and networks. Of the survey respondents, 75% came from critical infrastructure companies, and the respondents represented the following sectors [Westby 2012]:

       Energy and utilities companies.

       Financial sector.

       Healthcare.

       Industrials.

       IT and telecommunication companies.

      The survey reveals the following issues related to the security posture of the compared industries:

       Boards still are not undertaking key oversight activities related to cyber risks, such as reviewing budgets, security program assessments, and top‐level policies; assigning roles and responsibilities for privacy and security; and receiving regular reports on breaches and IT risks.

       Utilities are among the least prepared organizations when it comes to risk management [Westby 2012].

       The utilities/energy sector and the industrial sector came in last in numerous areas, which is surprising given that these companies are part of the critical infrastructure.

       None of the industry sectors surveyed properly assigns privacy responsibilities.

       Energy/utilities and IT/telecom respondents indicated that their organizations never (0%) rely upon insurance brokers to provide outside risk expertise, while the industrials sector relies upon them 100%.

      Another report [GAO 2011] reveals that several security elements are missing, including:

       An effective mechanism for sharing information on cybersecurity and other issues.

       Cybersecurity awareness.

       Security features built into Smart Grid systems.

       Metrics to measure cybersecurity.

      In addition, the vulnerability of the power system is not mainly a matter of the electric or physical system; it is also a matter of cybersecurity. Attacks on Smart Grid infrastructures (such as attacks upon the power system, attacks by the power system, and attacks through the power system) could cause enormous damage to the economy and to public safety.

      Smart Grid technologies and applications like smart meters, smart appliances, or customer energy management systems create new privacy risks and concerns in unexpected ways. Privacy concerns of consumers and the public are of vital importance in the energy sector. Any compromise of personal data or of the security of the power service can undermine many services and applications. An incident would not only breach the privacy or the confidentiality, integrity, or availability of the information; it might also compromise the potential future markets the technology could have created if the service had been secure. Therefore, information security management principles, processes, and security architecture need to be applied to smart power grid systems without exception. All of these objectives need to be included in the security program.

      2.7.1 Security Program

      The destruction of power grid systems and assets would have a debilitating impact on energy security, economic security, public health, or safety. With a system that handles power generation, transmission, and distribution, security responsibility extends beyond the traditional walls of the data center. An intruder can, intentionally or unintentionally, cause a power line to be energized in a way that endangers lives. Similarly, a power line may be de‐energized in such a way as to damage transmission and control systems and possibly endanger the safety of employees and the public. Therefore, each organization should develop its own policy to protect the assets, employees, and members of the general public who are at risk when human (intentional or unintentional) threats or natural disasters occur. Each organization should also develop its own cybersecurity strategy for the implementation of a security program. Cybersecurity must address not only deliberate attacks launched by disgruntled employees, agents of industrial espionage, and terrorists, but also inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters [NISTIR 7628].

      A security program is a plan or outline that must cover security governance, planning, prevention, operations, incident response, and business continuity. Variants of Smart Grid implementations have already been rolled out for several years in various jurisdictions across the United States as well as the rest of the world. The window of opportunity to integrate security into the Smart Grid from the beginning is shrinking fast. It is also necessary to understand the interdependency and mutual vulnerability of the wholesale electric grid and the wholesale electric market in maintaining the security and stability of the smart power grid. Market participants are required to protect their critical cyber assets and to support an appropriate security program.

      A security program needs to be built using a security engineering approach. This requires a focus on building systems that remain dependable in the face of malice, error, or mischance [Anderson 2008]. Also, the successful implementation of a security program requires certain basic functions that should be included in any budget allocation