A draft smart grid cyber security strategy and requirements document for the United States has been released for consultation. It sets out an overall cyber security strategy for the nation’s smart grid and a suite of security documents that will be used as the base for the selection and tailoring of security requirements.

The report is the work of the more than 200-member Smart Grid Cyber Security Coordination Task Group (CSCTG) set up by the National Institute of Standards and Technology (NIST), and is a companion to the Framework and Roadmap Release 1.0 document released last week (see Framework and roadmap for U.S. smart grid interoperability standards released).

The report states that the implementation of a cyber security strategy for the smart grid requires the development of an overall cyber security risk management framework. This framework establishes the processes for combining impact, vulnerability, and threat information to produce an assessment of risk to the smart grid and to its domains and subdomains, such as homes and businesses.

In implementing the risk assessment, both top-down and bottom-up approaches are being used – the top-down approach focusing on the use cases and the overall smart grid functionality, and the bottom-up approach focusing on well-understood problems that need to be addressed, such as authenticating and authorizing users to substation intelligent electronic devices, key management for meters, and intrusion detection for power equipment.

The first part of the report focuses on privacy and it identifies a preliminary set of principles pertaining to the collection and use of “personally identifiable information” (PII) that need to be addressed.

While most states have general laws in place regarding privacy protections, the report says the lack of consistent and comprehensive privacy policies, standards, and supporting procedures throughout the states, government agencies, utility companies, and supporting entities that will be involved with smart grid management and information collection and use creates a privacy risk that needs to be addressed.

The principles are accountability and training; notice and purpose for PII use; choice and consent to use PII; collection of PII; use and retention of PII; individual access; disclosure and limiting use of PII; security and safeguards; accuracy and quality of PII; and openness, monitoring and challenging compliance.

The second part of the document reviews “logical interfaces” in the smart grid, identifying the logical data flows at each interface and the associated security constraints and issues.

Approximately 200 interfaces are identified in the smart grid priority areas – advanced metering infrastructure, distributed grid management, demand response, industry-to-grid demand response, electric storage, electric transportation, and wide-area situational awareness – with examples including between SCADA and field equipment, between a customer information system and a meter data management system, between a temperature sensor on a transformer and its receiver, and between a submeter and a meter.

These in turn are categorized into one of 15 logical interface categories based on similarity of networks, constraints, and types of information. Some examples are control systems with high data accuracy and high availability, as well as media and compute constraints; B2B connections; interfaces between sensor networks and control systems; and interfaces to the customer site.

In the third part of the document AMI security requirements are reviewed. These were developed by the Advanced Security Acceleration Project – Smart Grid initiative, and address system and communication protection; information and document management; system development and maintenance; incident response; system and information integrity; access control; and audit and accountability.

The document is open for comment until November 25, 2009. Thereafter it will be revised, with a second draft that also includes the overall smart grid architecture and the security requirements scheduled to be published in December 2009.

The final version of the document, with the final set of security controls and final security architecture, is scheduled to be published in March 2010.

The CSCTG is led by Annabelle Lee of the Computer Security Division of NIST’s Information Technology Laboratory.