By Jacqueline Clover and Ezra Steinhardt
In December 2012, the European Network and Information Security Agency (ENISA) published a set of (non-binding) Guidelines titled “Appropriate security measures for smart grids; Guidelines to assess the sophistication of security measures implementation”. The Guidelines are intended to help EU Member States and smart grid stakeholders improve the resilience of smart grid cyber security systems against cyber threats and attacks, and follow on from a pair of European Commission initiatives that have called for improved security of European electricity networks: the Commission’s Standardization Mandate to support European Smart Grid Deployment, released in March 2011, and the Commission’s Recommendation on the roll-out of smart metering systems, released in March 2012. The latter document encourages EU Member State electricity network providers to consult the ENISA Guidelines when implementing smart grid security measures.
The Guidelines stress the importance of data privacy for smart grid stakeholders, and note that many such stakeholders “still have little experience in these areas”. The Guidelines do not set out to address data privacy concerns per se, but the information security measures proposed by the Guidelines will also be of use to controllers, who must take adequate organizational and technical measures to protect personal data under European data protection law.
The Guidelines aim to harmonise and establish minimum cyber security standards and best practices for European smart grids. The Guidelines identify ten smart grid security issue areas and make security recommendations for each area. To take into account different smart grid characteristics, such as the size of the grid or the types of services provided, and correspondingly different risk profiles, the Guidelines accommodate varying degrees of security measure implementation (“sophistication levels”). Some security measures (or security issues) discussed by the Guidelines include:
- Protection of sensitive information processing facilities;
- Encryption methods for sensitive data during storage and transmission;
- Controlling access to critical asset information, and the use of secure remote access methods;
- Precautions against malware and viruses;
- Timely technical upgrades to smart grid information systems;
- Segregation of information services and information systems into groups and networks;
- Protection of security audit information;
- Security policies and monitoring of grid information systems;
- Staff cyber security training programs, personnel risk assessments, and staff security responsibilities and oversight;
- Third party agreements (e.g., with external suppliers and contractors) and monitoring of third parties to preserve confidentiality;
- Communication with relevant authorities and cyber security interest groups (i.e., to stay ahead of the latest vulnerabilities and threats);
- Maintaining updated inventories of all smart grid components and systems;
- Management of authentication credentials, user names, etc.; and
- Policies for secure disposal of smart grid components and systems.
The smart grid provider should conduct a risk assessment when determining how to implement and maintain the above measures.