Securing the smart grid: protecting national security and privacy through mandatory, enforceable interoperability standards.

Author: Bosch, Christopher
Position: Introduction through II. The Cybersecurity Threat, p. 1349-1376

Introduction
I. The Evolving Electric Grid
  A. The Traditional Grid
    1. Composition
    2. Utilities as Natural Monopolies
  B. The Smart Grid
    1. Distinguishing Features
    2. Benefits
  C. Transition Issues
II. The Cybersecurity Threat
  A. Recent Attacks
  B. Profile of the Attackers
  C. Data, Privacy, and the Impact on Cybersecurity
    1. Smart Grid Privacy Concerns
    2. The "Illusion of Choice" in Smart Meter Installation
III. Efforts to Address Cybersecurity: The Current Legislative and Regulatory Environment
  A. FERC, NERC, and the Mandatory Reliability Standard Development Process
  B. NIST and the Interoperability Standard Development Process
  C. Subsequent Legislative and Executive Efforts to Address Electric Grid Cybersecurity, and the Likelihood of Successful Future Legislation
IV. The Problems that Arise from Voluntary Standards: PCI DSS as an Industry-Developed Standard Analogue
V. Shaping a Solution
  A. Mandatory Federal Standards Governing Smart Grid Information Systems Are Necessary
    1. The Current System for Development of Interoperability Standards Is Inadequate
    2. The High Stakes Nature of an Industry Based on the Nation's Electric Grid Warrants Mandatory Enforceable Federal Standards
    3. A Uniform Federal Approach to Cybersecurity Would Benefit All Smart Grid Stakeholders
  B. NIST Should Be Given Statutory Responsibility and Authority to Establish Mandatory Federal Standards that Apply to All Smart Grid Participants
    1. Federal Jurisdiction Over All Smart Grid Participants is Appropriate
    2. Proposed Legislative Action: NIST Should Be Granted the Authority to Issue Mandatory Enforceable Interoperability Standards
Conclusion

INTRODUCTION

The United States electrical grid is a marvelous feat of engineering, with the National Academy of Engineering naming "Electrification" the "Greatest Engineering Achievement of the 20th Century." (1) The extent of the United States electrical grid infrastructure is vast, representing over $1 trillion in assets and 360,000 miles of transmission lines connecting over 6000 power plants. (2) Electricity has been integrated into the daily lives of U.S. citizens in innumerable ways.

While the electrical grid is undoubtedly an impressive human innovation worthy of great respect, it is also outdated. (3) Some equipment that makes up the physical infrastructure has already passed its expected life span. (4) Failing grid equipment was the cause of nearly twenty percent of sustained power outages from 2008 to 2011. (5) In light of the Obama Administration's commitment to developing sources and distribution of renewable energy, (6) some have called into question the ability of the aging grid to suit the demands of today's society, identifying the need to improve the efficiency of power delivery and the incorporation of renewable energy technologies as necessary requisites for the electrical grid of tomorrow. (7)

This "grid of tomorrow" will rely upon the near-instantaneous communication of information made possible by the Internet. Wiring the antiquated grid to the Internet, however, will expose existing vulnerabilities and create entirely new ones. (8) Recent attacks on other utilities around the world, as well as institutions traditionally perceived as being secure from cyber attacks such as banks and stock markets, underscore the reality and imminence of these threats. (9) Cyber attackers can remotely engage in wrongdoing from anywhere in the world using Internet connections, and their profiles are diverse, ranging from lone hackers to ominous, well-funded government institutions. (10)

While the United States has undertaken efforts to address cybersecurity through legislation and executive action, those efforts have been inadequate in establishing standards for how communications between devices and systems in the complex "Smart Grid" (11) will be secured. (12) Current legislation directs federal agencies to establish these "interoperability standards." (13) However, no mandatory standards have been established and it is unclear from relevant statutory language if the applicable agencies have any true enforcement authority. (14) Implementation of interoperability standards by Smart Grid participants is currently performed on a purely voluntary basis. (15)

The Internet connection required to enable the real-time information exchange that the Smart Grid's devices, technologies, and services will rely upon allows for new digital access points to our nation's electrical grid that might be exploited by cyber attackers. (16) The prospect of such infiltration poses a substantial risk to national security. The same Smart Grid features will also allow for the collection of massive amounts of private consumer data that can detail how, when, and where power is consumed in the home. Illicit interception of this data raises significant personal security and privacy concerns. Allowing the standards that would minimize these national security, personal security, and privacy concerns to remain voluntary and unenforceable leaves the electrical grid and citizens vulnerable to harm. This Note explores these dangers and discusses why granting the appropriate regulatory entities the authority to develop and institute mandatory, enforceable interoperability standards is the most appropriate means to achieving effective Smart Grid cybersecurity.

Part I of this Note describes the key characteristics of the "Traditional Grid" (17) and the Smart Grid, and sets forth the reasoning behind the transition to the Smart Grid and the key concerns the transition raises. Part II discusses the cybersecurity threats to the Smart Grid by reviewing recent cyber attacks that have affected a broad array of industries. It also considers the various types of cyber attackers and how important data and privacy concerns are implicated in the Smart Grid. Part III reviews legislation and executive action that has played a key role in establishing the Smart Grid cybersecurity landscape thus far, as well as the regulatory roles and authorities this legislation has created. After Part III demonstrates that the industry is currently operating in a voluntary environment free from mandatory government regulations as it relates to the implementation of interoperability standards, Part IV discusses an industry-developed standard analogue that is used to illustrate the possible justifications for, and pitfalls of, such a standard, ultimately concluding that a voluntary standard regime is an inappropriate solution for the Smart Grid. Finally, Part V asserts that a system of federal mandatory enforceable standards applicable to all Smart Grid participants is the best path to defending the important national security and privacy interests endangered by the cyber threats discussed in Part II. It argues that the National Institute of Standards and Technology (NIST) (18) is the appropriate federal entity to develop and issue these mandatory standards. Acknowledging that legislation reconfiguring and reassigning responsibilities and authorities in the Smart Grid will be necessary to follow that recommended path, Part V concludes with key elements of a legislative proposal and a depiction of how the resulting regulatory environment might operate to effectuate better Smart Grid cybersecurity.

  I. THE EVOLVING ELECTRIC GRID

    Before analyzing the benefits and challenges of the substantial transition from the antiquated Traditional Grid to the prospective Smart Grid, it is important to first assess the composition of each, as well as their significant points of difference.

    A. The Traditional Grid

      The Traditional Grid is a phrase used in this Note to depict the electrical grid as it existed before the recent modernization efforts that characterize the Smart Grid. While it is conceptually helpful to conceive of the Traditional Grid as distinct from the Smart Grid in this manner so that the Smart Grid's contributions and impact can be more clearly identified, it is important to note that much of the Traditional Grid's infrastructure and regulatory environment persists today as the foundation upon which change is being enacted. Therefore, establishing a working understanding of the Traditional Grid's composition and unique regulatory features is critical before expounding the Smart Grid's novel features and the transitional issues to which they give rise.

      1. Composition

        In the Traditional Grid, the path of electricity is comprised of three main activities: generation, transmission, and distribution. (19)

        At "generation stations," electricity is generated through the use of various fuel sources. (20) Sometimes these stations are owned by the same utilities that serve the end customer, while others are owned by Independent Power Producers (IPPs), or the customer itself. (21) While electric utility companies today still enjoy status as permissible "natural monopolies," prior to the enactment of the Public Utilities Regulatory Policy Act of 1978 (PURPA), utilities were significantly more...
