Cybersecurity for Demand Response

Growing concerns around data breaches and cybersecurity are more prevalent than ever. Cybersecurity is top of mind not only for utilities with demand response programs, it’s pervasive in public media (examples: Target, Home Depot, Sony)…and with progressive technology comes progressive threats. Cybersecurity is a concern for consumer and enterprise customers alike as threats come in many shapes and sizes. These can be conscious or not-so-conscious. For example, a conscious threat could come from a computer hacker, thief or disgruntled employee. A not-so-conscious threat could be a poorly trained system operator or distracted system operator. According to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), there have been 245 reported cybersecurity incidents in 2013/2014. Of these incidents, the energy sector was targeted 32% of the time with threats emanating from many adversaries such as Nation States, hackers, cyberterrorists, industrial competitors or careless/poorly trained employees.

Addressing these concerns, smart grid cybersecurity is broken up into three areas. There is operational technology which consist of field and utility devices as well as devices that are part of the electricity grid. There is information technology (IT) which consists of software and hardware and then there is personal identifiable information (PIN), more commonly referred to as consumer information such as name, address and lifestyle.

Cybersecurity implementation focuses on three key areas; people, processes and technology. For example, new employee job training should include cybersecurity concepts and preventative measures as part of the HR lifecycle. From a processes perspective, risk management and policy standards must be followed. Finally, third party software security firms must be enlisted to perform technology penetration testing and vulnerability code scans for every new software release. This third party validation is crucial and provides utilities unbiased confirmation that their DR program vendor is compliant with the National Institute of Standards and Technology (NIST) guidelines. One must note that according to the National Institute of Standards and Technology Interagency Report (NISTIR 7628), there is no such thing as 100% security. All cybersecurity approaches have inherent vulnerabilities and is not a black or white issue. It is a process and a continuum. The National Rural Electric Cooperative Association (NRECA) has designed a cybersecurity and risk mitigation plan that is broken down into three components; identifying risks, understanding the likelihood and impact on the business and putting in place cybersecurity controls that mitigate risk to a level acceptable to the organization. Again, although risks are identified, they may not be mitigated 100% of the time. However, applying a process to identify, classify and determine appropriately how to best mitigate to address individual risks are part of cybersecurity preventative measures.

Referencing cybersecurity risk identification above, the Common Scoring Weakness System identifies and classifies risk into separate categories; the potential impact of a risk, what is the likelihood of the risk being exploited and what are other mitigations that would prevent a risk from becoming an issue. The purpose of classifying risks is to understand which are most important, would cause the greatest harm to the utility and mitigate to the best of its ability. At the same time, it is important to recognize the lower impact risks and develop an appropriate plan to address these as well. To address risk, varying layers of a “defense in depth” strategy with multiple layers of security protection are employed. These multiple layers consist of applications, platform, infrastructure, physical, training and system development lifecycle (SDLC). Complementing the “defense in depth” strategy is a “defense in breadth” strategy across the entire DRMS platform including software, hardware, services and integration partners.