Cybersecurity must address not only deliberate attacks launched by disgruntled employees, agents of industrial espionage, terrorists, and other adversaries, but also inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters. Security must be included in all phases of the system development life cycle, from design phase through implementation, maintenance, and disposition. Systems for critical applications need to withstand cybersecurity events with no loss of critical function.
Since 2004, the U.S. Department of Energy (DOE) has been involved in roadmapping activities with asset owners and operators, government agencies, and other stakeholders to address threats in cybersecurity and identify steps to build, deploy, and improve the cyber resilience of the nation’s computer-based systems that manage operational processes in electric power and other energy industries. DOE has also built the National SCADA Test Bed which provides testing environments to help industry and government identify and correct vulnerabilities in SCADA equipment and control systems.
DOE has been advancing cybersecurity of the grid through its Cybersecurity for Energy Delivery Systems program. Cybersecurity is also a top priority of the SGIG and SGDP programs. Each of the projects was required to submit a Cybersecurity Plan to DOE for approval before proceeding with their projects. In addition, DOE conducts annual site visits with each of the projects to review progress with budgets, timelines, and milestones and also to review activities associated with implementation of the project’s cybersecurity plans. In August 2011, DOE held a meeting with SGIG and SGDP recipients to discuss the available tools for accomplishing cybersecurity, identify additional needs, and exchange information on lessons learned and best practices.
As a key element of the Recovery Act, DOE is leading an interagency team to develop the cybersecurity requirements that are needed for the Smart Grid. This Cyber Security Working Group (CSWG), a subgroup of the Smart Grid Interoperability Panel (SGIP), has producing cybersecurity guidelines that were published in the National Institute of Standards and Technology Interagency Report 7628 (NISTIR 7628), a three-volume report released in August 2010 (see the additional resources box). Utilities can use these guidelines to institute secure practices and to set security requirements for their vendors. The CSWG continues to develop cybersecurity guidelines for the Smart Grid.
In May 2011, the SGDP project managed by the National Rural Electric Cooperative Association (NRECA) released a set of practical guides, together comprising its "Guide to Developing a Cybersecurity and Risk Mitigation Plan". Many utilities are using these guides to develop their own cybersecurity plans. These documents can be found in "Additional Resources" below.