
Annabelle Lee explains the National Institute of Standards and Technology’s role in creating a safe and reliable telecommunications infrastructure.
“We need to figure out how to include security without requiring the different organizations to replace all of their equipment”
-Annabelle Lee
As utilities countrywide begin implementing the early phases of their programs on to the grid, security of information is becoming increasingly important. Following the Energy Independence and Security Act of 2007, it is the responsibility of the National Institute of Standards and Technology (NIST) to develop the framework of information for the interoperability of a smart grid system, and with the support of the Obama Administration’s American Recovery and Reinvestment Act, the institute has been assigned $10 million to ensure successful implementation. Security of information is essential to safeguarding against natural attacks or those from hackers and to ensuring seamless operability of the system.
Security focus
As Senior Cyber Security Strategist, Annabelle Lee has the responsibility for organizing a team to develop the grid's safety. Her team was first formed following the 2007 legislation, during a time when NIST had no real focus on security. She established the Cyber Security Coordination Task Group, which only had its first teleconference in March this year. Lee explains that her first task was laying out a strategy defining a set of security requirements for the overall grid, which was done using a high-level risk assessment framework, looking at threats, vulnerabilities and impacts.
"I put a call out to all of the people here at NIST to request participation in this task group from anybody who is interested in cyber security. The current participation list is unbelievable - around 240 people. It is from all three sectors: the electric sector, IT and telecommunications and all levels up to chief technologies and chief security officers. We also have representatives from federal agencies, from state regulatory agencies and from academia; so it covers all people who are interested in this area. Our schedule, like all of the NIST work, was with our new administration and the significant push on the smart grid."
The group is a collection of individuals committed to the development of smart grid security - everyone volunteers and there is no additional salary involved. It published its first draft document in September, which was the creation of an overall strategy. Because security is an area involving multiple cost resources, the report is a risk assessment justifying the requirements and explaining their importance.
"There's one section that looks at vulnerabilities, and we utilized a lot of the work from the IT and telecommunications sectors," says Lee. "We looked at a lot of the material that's available from NIST, other federal agencies and other standards bodies, and came up with a set of vulnerability categories that we will use when we put together our requirements to make sure we've addressed them. We want individuals who are implementing their systems within the smart grid to be able to use that material."
The big issue in implementing the report is the overlaying of these new requirements and countermeasures on top of the existing electric infrastructure - certain pieces of equipment are almost 40 years old. "They have limited or no security, so we need to figure out how to include security without requiring the different organizations to go out and replace all of their equipment, which would be incredibly expensive.
"The time frame for some of these large transformers is a couple of years. You can't just go out and get it tomorrow, so we are going to be looking at some potentially compensating controls or a way you can address this, recognizing that some of this old equipment doesn't have security in it. That will be interesting and we'll have to wait and see how that works out."
She continues by explaining the report's responsibility for educating those who will be following its guidelines - a bottom-up group is in charge of looking at very specific issues starting from the very low level. "They've put together another excellent list that will be used in assessing the requirements but that can also be used by individuals implementing systems. So those two sections are unique, as we will use them in our document but we also want to make them available to individuals who actually have to implement security in the smart grid.
"In the document itself we have an overall risk framework and then we have a section on privacy - if there are more capability and intelligent devices in individuals' homes, then there's going to be data that will be provided to utilities and other third-party organizations. How do you protect that information?"
Each of the various groups working on the report has a weekly teleconference. When they believe their developments have reached a certain level of quality, they then distribute them to the entire task group. The groups also work alongside affiliations to provide more accurate requirements.
"On the logical interfaces, there were previous NIST workshops for the smart grid; the Federal Energy Regulatory Commission identified four areas that they believed should be emphasized first under NIST's work. So we took those four areas and there were two additional ones: the advanced metering infrastructure and distribution grid management. The working groups at the workshops put together diagrams, identified all of the interfaces and did a couple more reviews of them and then put the interfaces in categories.
"We have to identify requirements at the interface level, so if we took every interface individually we'd have to come up with 200 or 300 sets of requirements. That's not realistic. We can group those interfaces into categories, and we have just had our first teleconference to look at these categories - we have 15 or 16 now, but the number will probably go up and down as we work a little further. We will identify the security requirements for interface categories, which will make it a lot easier," says Lee.
One group that Lee's team worked very closely with was the Advanced Security Acceleration Project smart grid, a project partially funded by DOE as well as by several private sector utilities. The project focuses on the advanced metering infrastructure (AMI), and many of its members participate in NIST's task group; as a result, many of its requirements have been included in Lee's document.
For its starting point, NIST is using a document produced by Homeland Security, 'Special Publication 853', which was tailored for control systems that differ slightly from a typical IT system. NIST is also collaborating with the North American Electric Reliability Corporation (NERC) and the Critical Infrastructure Protection (CIPS), looking at documents and standards that are already published and implementing requirements from these.
This selected information has been carefully combined into the first draft of NIST's document, which was placed on the website for a 60-day review, with the intention of holding another review on the next draft. The first draft is a functional architecture, to be followed by a security architecture in the December second draft. The finalized version of the document is scheduled for release in March, and with such a short time frame Lee's team are working hard to keep up with the pace at which smart grid technology is moving and to ensure that security is included in its deployment.
Annabelle Lee is a Senior Cyber Security Strategist at the National Institute of Standards and Technology.