Building an Effective Security Program for Distributed Energy Resources and Systems - Mariana Hentea

Скачать книгу

and telecommunication companies.

      The survey reveals issues related to security pasture of compared industries as follows:

       Boards still are not undertaking key oversight activities related to cyber risks, such as reviewing budgets, security program assessments, and top‐level policies; assigning roles and responsibilities for privacy and security; and receiving regular reports on breaches and IT risks.

       Utilities are one of the least prepared organizations when it comes to risk management [Westby 2012].

       Utilities/energy sector and the industrial sector came in last in numerous areas – surprising is that these companies are part of critical infrastructure.

       All industry sectors surveyed are not properly assigning privacy responsibilities.

       Energy/utilities and IT/telecom respondents indicated that their organizations never (0%) rely upon insurance brokers to provide outside risk expertise, while the industrials sector relies upon them 100%.

      Another report [GAO 2011] reveals that several security issues are missing including:

       An effective mechanism for sharing information on cybersecurity and other issues.

       Cybersecurity awareness.

       Security features built into Smart Grid systems.

       Metrics to measure cybersecurity.

      In addition, the vulnerability of the power system is not mainly a matter of electric system or physical system, but is also a matter of cybersecurity. Attacks (such as attacks upon the power system, attacks by the power system, and attacks through power system) to the Smart Grid infrastructures could bring huge damages on the economy and public safety.

      Smart Grid technologies and applications like smart meters, smart appliances, or customer energy management systems create new privacy risks and concerns in unexpected ways. Concerns of privacy of consumers and people are of vital importance in the energy sector. If there is any compromise of the personal data or security of the power service, it can undermine many services and applications. An incident would not only create a breach of privacy or confidentiality, integrity, or availability of the information, but it might also compromise the potential future markets the technology might have been able to create if it the service had been secure. Therefore, information security management principles, processes, and security architecture need to be applied to smart power grid systems without exception. All these objectives need to be included in the security program.

      2.7.1 Security Program

      The destruction of power grid systems and assets would have a debilitating impact on energy security, economic security, public health, or safety. With a system that handles power generation, transmission, and distribution, security responsibility extends beyond the traditional walls of the data center. An intruder can, intentionally or unintentionally, cause a power line to be energized that would endanger lives. Similarly, a power line may be de‐energized in such a way as to cause damage to transmission and control systems and possibly endanger the safety of employees and the public. Therefore, each organization should develop its own policy to protect assets, employees, and general public who are at risk when human (intentional or unintentional) threats or natural disasters occur. Each organization should develop its own cybersecurity strategy for the implementation of a security program. Cybersecurity must address not only deliberate attacks launched by disgruntled employees, agents of industrial espionage, and terrorists but also inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters [NISTIR 7628].

      Security program is a plan or outline that must cover security governance, planning, prevention, operations, incident response, and business continuity. Variants of Smart Grid implementations have already been rolled out in various jurisdictions across the United States as well as the rest of the world for several years. The window of opportunity to integrate security into the Smart Grid from the beginning is shrinking fast. However, it is also necessary to understand the interdependency and mutual vulnerability of the wholesale electric grid and the wholesale electric market in maintaining the security and stability of the smart power grid. Market participants require to ensure protection of their critical cyber assets and to support an appropriate security program.

      A security program needs to be built using the security engineering approach. This requires focus on building systems to remain dependable in the face of malice, error, or mischance [Anderson 2008]. Also, the successful implementation of a security program requires certain basic functions that should be included in any budget allocation [Whitman 2014].

      2.7.2 Privacy Program

      As new capabilities are included in the Smart Grid, potential new privacy concerns will emerge for which no legal mitigation currently exists. A significant number of privacy breaches occur not because of an attack but through noncompliance with privacy policy or having no policy. For example, a laptop that has a copy of PII data becomes a privacy breach if the laptop is improperly disposed of, lost, or stolen. Hence, measures for protection of privacy have to be designed and implemented too. Thus, a privacy program should be planned, designed, implemented, and maintained. Factors that should be considered in design of a security program include the following:

       Privacy rights continue to evolve by legislation, litigation, and regulation, and the data gathered will be subject to the relevant jurisdiction(s).

       AnonymizationIf private information is not properly anonymized, even data like electrical appliance usage or electric vehicle charging schedules may constitute a privacy violation. In electrical sector, the ownership and rights associated with PII varies by jurisdiction. In some jurisdictions, the person owns their data, while in other jurisdictions, ownership is less clear. For example, a utility that gathers contact and other information for billing purposes may be restricted in use of the PII for any other purposes without consent of the customer – possession of the data is not the same as ownership.

       Technologies and capabilitiesThe advancing of technologies such as data mining and pattern recognition can be used on identifying the identity of persons when customer data and energy data is analyzed. Recognizing electric signatures of smart appliances and developing detailed, time‐stamped activity reports, utilities, or third‐party service providers can determine lifestyle details that could be legitimately characterized as PII in most jurisdictions.

        Dedicated privacy group with its own managementAlthough in many organizations, security group is supporting the privacy requirements, the future commands for more responsibility and accountability for the implementation of data privacy specifically in smaller‐size enterprises, and need for establishment of a dedicated privacy group with its own management [Shei 2013]. The organizations have to understand that security is only one aspect of privacy and privacy protection implies organization and business decisions.

      Ensuring privacy requires a bundle of technologies, policies, culture, regulations, and harmony between many business units from security to legal to human resources to employees [Shei 2013]. Examples of guidelines and recommendations for the protection of privacy data and harmonization of disparities in national privacy regulations are documented in [OECD 2013].

      Currently, many countries, organizations, and associations support efforts to empower and educate people to protect their privacy, control their digital footprint, and make the protection of privacy and data a great priority in their lives. In the United States, National Cyber Security Alliance mandates that [NCSA 2014]:

      Everyone

Скачать книгу