NEMA October 2009 ElectroIndustry - 10

Cyber Security in Smart Grid—A Standard of Standards from NIST

Paul Molitor, Smart Grid Director | paul.molitor@nema.org

We’re all familiar with a system of systems, but we are now going to see the concept applied to standards for cyber security in Smart Grid. One of the working groups organized by the National Institute of Standards and Technology (NIST) is the Cyber Security Coordination Task Group (CSCTG). Meeting on a weekly basis, the group has been researching security techniques and technologies that will become features of Smart Grid. In June, CSCTG released a draft of the NIST Interagency Report (NISTIR) on cyber security.

Highlighting the increasing interconnectivity between components of the grid and information technology (IT), the report addresses the security needs associated with deliberate attacks as well as possible “inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters.” Some of the high-level security standards cited in the document include:

• NIST Special Publication 800-39 Draft, Managing Risk from Information Systems: An Organizational Perspective, April 2008
• Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006
• FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004
• North American Electric Reliability Corporation (NERC), Security Guidelines for the Electricity Sector: Vulnerability and Risk Assessment, 2002
• National Infrastructure Protection Plan, 2009
• IT, telecommunications, and energy sector specific plans, published in 2007 and updated annually
• ANSI/ISA-99, Manufacturing and Control Systems Security, Part 1: Concepts, Models and Terminology, 2007 and Part 2: Establishing a Manufacturing and Control Systems Security Program, 2009
• The Advanced Metering Infrastructure System Security Requirements, 2008

The challenge for CSCTG, and for the Smart Grid in general, will be to develop a consensus on when to apply which standards. The members of the task group will examine each of these standards to determine applicability and develop recommended security practices. Given the degree of differences between the various utility company deployments of Smart Grid, it may be impossible to establish a single rule set for cyber security. As with the Internet and IT industries, our only option may be to identify the best practices that can be deployed in certain situations.
