Whitepapervault Com
Cybersecurity White Paper Cyril W. Draffin, Jr. Project Advisor, MIT Energy Initiative MIT ENERGY INITIATIVE UTILITY OF THE FUTURE
This document consolidates and slightly augments the cybersecurity, resilience, and privacy sections found in the Executive Summary and Chapters 1, 3, 4, 5, and 9 of the MIT Utility of the Future report issued December 2016. The Appendices of this document provide information not included in the MIT Utility of the Future report. MIT Utility of the Future Study: Cybersecurity
Executive Summary………………………………………………………….. 3 Chapter 1: Introduction: A Power Sector in Transition…………………… 5 Chapter 2: Envisioning a Future with Distributed Energy Resources: Cybersecurity, Resilience, and Privacy………………………… ….……….7 Chapter 3: The Future of the Regulated Network Utility Business Model: Chapter 4: A Comprehensive and Efficient Systems of Prices and Regulated Charges for Electricity Services: Cybersecurity ……..……..22 Chapter 5: Policy and Regulatory Toolkit for the Power System of the Future: Cybersecurity and Data……..…………………………………… 23 Appendix A: Cybersecurity Goals for Electric Power Systems….………25 Appendix B: Cybersecurity Threats and Vulnerabilities…………………2 8 Appendix C: Regulatory Organizations, Coordinating Organizations, and Standards for Cybersecurity………………………………… .…….…34 Appendix D: Resiliency to Achieve High Reliability…….……….……….44 References……………………………………………………… .…………..45 MIT Utility of the Future Study: Cybersecurity
Executive Summary Information and communications technologies are rapidly decreasing in cost and becoming ubiquitous, enabling more flexible and efficient consumption of electricity, improved visibility of network use, and enhanced control of power systems. These technologies are being deployed amidst several broad drivers of change in power systems, including growth in the use of variable renewable energy sources such as wind and solar energy; efforts to decarbonize the energy system as part of global climate change mitigation efforts; and the increasing interconnectedness of electricity grids and other critical infrastructure, such as communications, transportation, and natural gas networks. Widespread connection of Distributed Energy Resources (e.g. demand response, generation including from wind and solar, energy storage, and energy control devices) will increase digital complexity and attack surfaces, and therefore require more intensive cybersecurity protection. A multi-pronged approach to cybersecurity preparedness is required. System operators must have the capacity to operate, maintain, and recover a system that will never be fully protected from cyber-attacks. Relevant issues that need to be addressed include cloud security, machine-to-machine information sharing, advanced cybersecurity technologies, outcome-based regulation to avoid prolonged outages and increase system resilience, and international approaches to cybersecurity. Widespread connection of distributed energy resources, smart appliances, and more complex electricity markets increases the importance of cybersecurity and heightens privacy concerns. Robust regulatory standards for cybersecurity and privacy are needed for all components of an interconnected electricity network. To keep pace with rapidly evolving cybersecurity threats against large and complex electric power systems, electric utilities, vendors, law enforcement authorities, and governments should share current cyber threat information and solutions quickly and effectively. Maintaining a data hub or data exchange would serve several purposes: securely storing metered data on customer usage, telemetry data on network operation and constraints, and other relevant information; allowing non-discriminatory access to this data to registered market participants; and providing end consumers with timely and useful access to data on their own usage of electricity services. Responsibility for this function should also be carefully assigned, with priority given to data security and consumer privacy considerations. Utilities will need resilience and will need to be prepared to contain and minimize the consequences of cyber incidents. Future power systems with high penetration of DERs are envisioned to have features that are favorable for their resilient operation. For instance, microgrids, with DERs, are helpful for MIT Utility of the Future Study: Cybersecurity
resilience, and with “islanding” operations can assist in “black-start” or continued operations if the broader grid goes down due to a cyber or physical incident. Privacy is also a growing concern, as ever expanding private personal and corporate information is gathered and stored by utilities and their affiliated companies. With expanding connection of electric and telecommunications devices, vastly more information will become available. Data analytics and the opportunity for outside organizations to have access to large quantities of data will increase the amount of information held by electric utilities and their affiliated partners. If electric utility companies expand their services beyond just delivering electricity, by interacting with DER aggregators, for example, specific procedures to protect data breaches and exfiltration of information will be needed. In summary, key points to consider: Industry needs to adopt cybersecurity best practices and develop a risk management culture; cybersecurity regulations are important, but because there is a delay in developing and implementing them, regulations lag behind evolving threats Important to rapidly share information about cyber threats, while respecting privacy guidelines Good cybersecurity requires skilled teams to understand baseline operations, detect and respond to anomalous cyber activity, reduce the “dwell time” of cyber attackers, and implement layered cyber defenses Need to understand and increase system resilience to avoid prolonged outages and recover from cyber attacks In the future, utilize advanced cybersecurity technologies, international approaches to cybersecurity, and machine-to-machine information sharing so response to cyber incidents is in milliseconds and not in months
