Addressing the impacts and the drawbacks
BY ELIZAVETA MALASHENKO, CHRIS VILLARREAL, & J. DAVID ERICKSON, California Public Utilities Commission
With grid modernization or “Smart Grid” efforts underway, cyber security is being recognized as an increasingly important factor in ensuring resiliency, reliability and safety of the electrical system. In recent years, cyber security has become a top national security issue and, as a result, safeguarding the cyber security of the electrical grid is becoming vital. Cyber security is also critical for guaranteeing privacy of energy consumers and for capturing grid modernization benefits. As the electrical grid is modernized through deployment of “smart” devices, communication networks and control systems, cyber security has to become a foundational consideration.
From a regulatory perspective, grid cyber security has been addressed most actively at the federal level. Cyber security for the grid is handled through the North American Electric Reliability Corporation (NERC) and the non-profit organization’s Critical Infrastructure Protection (CIP) standard requirements. These requirements provide a framework for protecting the reliability of the North American utility industry’s bulk electric system by identifying and protecting critical cyber-assets whose security directly affects utility operations.
However, the NERC-CIP framework has important limitations. First, NERC-CIP primarily covers only generation and transmission assets that qualify as “critical assets” or “critical cyber-assets”. With grid modernization, this identification is becoming increasingly problematic as many assets, such as advanced meters, do not fall under NERC-CIP but can have a major impact on grid reliability, safety and customer privacy. Estimates ranging from 80 percent to over 90 percent of grid assets are outside NERC-CIP’s
Second, NERC-CIP is primarily a compliance-based policy. Compliance is an important component of addressing cyber security, but it is not enough to ensure that the rapidly evolving risks are adequately considered and acted upon effectively. There are a number of cyber security standards and requirements from various entities, in addition to NERC-CIP, but individual utilities and the technology providers often lack a business case to justify spending on cyber security beyond minimal compliance. A risk management-based approach is needed to move beyond minimal compliance and mitigate cyber security risks as they arise.