New Guidelines for Smart Grid Cyber Security: An Emerging Legal Standard
Energy Law Alert
September 28, 2010
The National Institute of Standards and Technology issued its Guidelines for Smart Grid Cyber Security, a three-volume, 577-page work, earlier this month. While the Guidelines contain a vast amount of technical information on many aspects of the developing smart grid, they also lay the groundwork for establishing the legal standard of care applicable to electric utilities and their boards of directors and executive management.
The installation of an increasing number of smart meters and other digital devices, and the transmission of new streams of data, introduce new privacy and security risks: risks to the integrity of the grid itself, and to the confidentiality of information belonging to the utility and its business and residential customers. The Guidelines list a number of "adversaries" to the system that should be considered, including nation states, hackers, cyber terrorists, organized crime, industrial competitors and disgruntled employees. "Vulnerabilities might allow an attacker to penetrate a network, gain access to control software, and alter load conditions to destabilize the grid in unpredictable ways." Guidelines, vol. I, p. 1.
The Guidelines describe in some detail the policies and procedures a utility needs to prepare, implement and review on an ongoing basis to mitigate the increased cyber security risks. Among other things, the organization needs to establish an adequate cyber security awareness program and associated employee training, a well-documented and implemented risk management plan, a disaster recovery plan, and a well-documented risk assessment process. The NERC Critical Infrastructure Protection (CIP) Reliability Standards also address cyber security measures.
The Guidelines encourage "visible and periodic board member endorsement of intrinsic security policies..." and state that "[p]enalties for non-compliance must be defined, communicated and enforced from the board level down." Guidelines, vol. III, p. 51. "A result of these activities [management's reports to the board] should include Board Members validating/ratifying the key assets they want protected and confirming that protection levels and priorities are appropriate to a recognized standard of care." Guidelines, vol. III, p. 52. "Legal responsibility, by default, extends up the command structure and ultimately resides with Senior Management and the Board of Directors." Guidelines, vol. III, p. 52.
While the Guidelines are not binding regulations, they are likely to drive future regulations and the standard of care courts apply in future cases.
Stephen R. Hunting