for cyber threats to occur and make our national infrastructure vulnerable to people who want to disrupt the electrical grid, or specific critical buildings vital to our national and economic security. Examples of these security leaks include a major banking and finance company’s laptop computer that was found in India with critical infrastructure drawings on it, transportation drawings found in a trash can outside a major transportation hub, and most recently, the New York City Freedom Tower drawings found in the trash. The occurrence of these situations can compromise corporate and national safety and security if these documents fall into the wrong hands. Business officials traveling abroad are also a major target for information theft. Spyware installed on electronic devices and laptops can open communications with outside networks, exposing information stored on them. In the environment we live in today, we need a steadfast plan to secure invaluable information such as critical drawings, procedures, and business processes. The following items should be considered when you are evaluating your internal security:
Security Questions:
1 Have you addressed physical security concerns?
2 Have all infrastructures been evaluated for the type of security protection needed (e.g., card control, camera recording, key control)?
3 If remote dial‐in or Internet access is provided to any infrastructure system, have you safeguarded against hacking, or do you permit read‐only functionality?
4 How frequently do you review and update access permission authorization lists?
5 Are critical locations included in security inspection rounds?
Network and Access:
1 Do you have a secure network between your facility’s IT installations?
2 Do you have an individual on your IT staff responsible for managing the security infrastructure of your data?
3 Do you have an online file repository? If so, how is the use of the repository monitored, logged, and audited?
4 How is data retrieved from the repository and then kept secure once it leaves the repository?
5 Is your file repository available through the public Internet?
Techniques for addressing information security:
1 Enforce strong password management for properly identifying and authenticating users.
2 Authorize users for only the access needed to perform their job functions.
3 Encrypt sensitive data.
4 Effectively monitor changes on mainframe computers.
5 Physically identify and protect computer resources.
Enhancements that can improve security and reliability:
Periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems.
Policies and procedures that: are based on risk assessments; cost‐effectively reduce risks; ensure that information security is addressed throughout the life cycle of each system; and ensure compliance with applicable requirements.
Plans for providing adequate information security for networks, facilities, and systems.
Security awareness training to inform personnel of information security risks and of their responsibilities in complying with agency policies, procedures, and practices.
A process for planning, implementing, evaluating, and documenting remedial action to address deficiencies in information security policies, procedures, or practices.
Plans and procedures to ensure continuity of operations for information systems.
Recommendations for executive action:
Update policies and procedures for configuring mainframe operations to ensure that they provide the necessary detail for controlling and documenting changes.
Identify individuals with significant security responsibilities and ensure they receive specialized training.
Expand scope for testing and evaluating controls to ensure more comprehensive testing.
Enhance contractor oversight to better ensure that contractors’ noncompliance with information security policies is detected.
Update remedial action plans to ensure that they include what, if any, resources are required to implement corrective actions.
Identify and prioritize critical business processes as part of contingency planning.
Test contingency plans at least annually.
2.7 Smart Grid
The Smart Grid is the convergence of electric distribution systems and modern digital information technology. Whereas our current electric grid was designed for the one‐way, centralized source‐to‐load flow of energy, the Smart Grid will allow bi‐directional energy flow and two‐way digital communication over the same distribution system. Such communication potential would allow utilities to overhaul their pricing plans and provide time‐of‐day metering, charging more for electricity consumed during peak hours. This would encourage consumers to program their appliances to operate during off‐peak periods that have lower electric rates, thereby saving money. While the consumer is using lower‐priced electricity, the utility is encouraging load shifting into periods of lower electric demand, thereby reducing peak period electric usage that will defer major utility capital improvements, such as distribution system upgrades and the construction of additional generation capacity. The challenge here is that when EV technology matures and becomes more widespread, battery charging load during “off‐peak” hours will create a new peak demand curve. Smart Meters should also provide greater grid accessibility for distributed generation equipment through the net metering capabilities built into these meters. And instead of relying entirely on costly peaking plants to handle peak loads, the Smart Grid will facilitate the participation of customer‐owned load shedding equipment and on‐site generation in demand response programs.
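The new peak created by off‐peak EV charging can be seen in a small simulation. This is an added example, not taken from the original text; the hourly load profile, EV count, charger rating, and tariff window are all constructed assumptions.

```python
# Constructed hourly feeder load in kW (index = hour of day); not measured data.
BASE_LOAD_KW = [520, 500, 490, 480, 490, 540, 640, 760, 820, 840, 850, 860,
                870, 860, 850, 870, 920, 980, 1000, 990, 940, 860, 720, 600]

OFF_PEAK_START, OFF_PEAK_END = 22, 6  # assumed off-peak tariff window, 22:00-06:00
EV_COUNT = 100                         # assumed number of EVs on the feeder
CHARGER_KW = 7                         # assumed charger rating per vehicle
CHARGE_HOURS = 3                       # assumed hours of charging needed per night


def off_peak_hours():
    """Hours of the day inside the off-peak window, in chronological order."""
    hours, h = [], OFF_PEAK_START
    while h != OFF_PEAK_END:
        hours.append(h)
        h = (h + 1) % 24
    return hours


def add_ev_load(start_hours):
    """Return the 24-hour profile after adding one EV per entry in start_hours."""
    profile = list(BASE_LOAD_KW)
    for start in start_hours:
        for offset in range(CHARGE_HOURS):
            profile[(start + offset) % 24] += CHARGER_KW
    return profile


def peak(profile):
    """Return (hour, kW) of the highest hourly load."""
    hour = max(range(24), key=lambda h: profile[h])
    return hour, profile[hour]


def simultaneous_start():
    """Every EV begins charging the moment the cheap rate starts."""
    return add_ev_load([OFF_PEAK_START] * EV_COUNT)


def staggered_start():
    """Spread start times over the slots that still finish inside the window."""
    window = off_peak_hours()
    starts = window[: len(window) - CHARGE_HOURS + 1]
    return add_ev_load([starts[i % len(starts)] for i in range(EV_COUNT)])


if __name__ == "__main__":
    for name, prof in [("base", BASE_LOAD_KW), ("simultaneous", simultaneous_start()),
                       ("staggered", staggered_start())]:
        print(f"{name:>12}: peak {peak(prof)[1]} kW at {peak(prof)[0]:02d}:00")
```

With these constructed numbers, a simultaneous start moves the daily peak from the early evening to the first off‐peak hour and raises it, while staggered starts leave the original peak unchanged.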
Security is a key component for the development of the smart grid. In June 2019, the highly dangerous ‘Triton’ hackers, responsible for the lethal 2017 oil refinery cyber‐attack, probed the US power grid. Such a scenario is becoming increasingly likely as utilities and system operators become more dependent on digital technology and the Internet to control their assets. With new solutions come new challenges – for example, should data from smart meters be leaked, it could give would‐be criminals an indication that a home is unoccupied, making utility customers more susceptible to break‐ins. The Smart Grid must be designed with inherent security, robust enough to prevent unauthorized access, or at least capable of providing early warning of tampering attempts so that damage can be minimized. The National Institute of Standards and Technology (NIST) issued a road map for developing Smart Grid deployment standards, with security being a top priority, as can be seen in IEEE 2030 2‐2015 Security and Privacy. It remains to be seen what action the federal government will take with regard to this issue, but many expect military‐grade security to be a necessity for critical portions of the Smart Grid.
In summary, the generalized conception of the Smart Grid includes the installation of communication links, high voltage switches, and “smart electric meters,” which would enable:
Automatic switches which detect system faults and open to isolate just the faulted areas, keeping the major portion of the grid intact
Real‐time load flow information to identify system load pockets for local generation dispatch
Creation of pricing mechanisms and rate structures based upon actual power supply costs,