action:
Update policies and procedures for configuring mainframe operations to ensure that they provide the necessary detail for controlling and documenting changes.
Identify individuals with significant security responsibilities and ensure they receive specialized training.
Expand scope for testing and evaluating controls to ensure more comprehensive testing.
Enhance contractor oversight to better ensure that contractors’ noncompliance with information security policies is detected.
Update remedial action plans to ensure that they include what, if any, resources are required to implement corrective actions.
Identify and prioritize critical business processes as part of contingency planning.
Test contingency plans at least annually.
2.7 Smart Grid
The Smart Grid is the convergence of electric distribution systems and modern digital information technology. Whereas our current electric grid was designed for the one‐way, centralized source‐to‐load flow of energy, the Smart Grid will allow bi‐directional energy flow and two‐way digital communication over the same distribution system. Such communication potential would allow utilities to overhaul their pricing plans and provide time‐of‐day metering, charging more for electricity consumed during peak hours. This would encourage consumers to program their appliances to operate during off‐peak periods that have lower electric rates, thereby saving money. While the consumer is using lower‐priced electricity, the utility is encouraging load shifting into periods of lower electric demand, thereby reducing peak period electric usage that will defer major utility capital improvements, such as distribution system upgrades and the construction of additional generation capacity. The challenge here is when EV technology matures and becomes more widespread, battery charging load during “off‐peak” hours will create a new peak demand curve. Smart Meters should also provide greater grid accessibility for distributed generation equipment through the net metering capabilities built into these meters. And instead of relying entirely on costly peaking plants to handle peak loads, the Smart Grid will facilitate the participation of customer‐owned load shedding equipment and on‐site generation in demand response programs.
Security is a key component for the development of the smart grid. In June 2019, the highly dangerous ‘Triton’ Hackers, responsible for the lethal 2017 oil refinery cyber‐attack, probed the US Power Grid. Such a scenario is becoming increasingly more likely as utilities and system operators become more dependent on digital technology and the Internet to control their assets. With new solutions come new challenges – for example, should data from smart meters be leaked, it could give would‐be criminals an indication that a home is unoccupied, making utility customers more susceptible to break‐ins. The Smart Grid must be designed with inherent security, robust enough to prevent unauthorized access, or at least capable of providing early warning of tampering attempts so that damage can be minimized. The National Institute of Standards and Technology (NIST) issued a road map for developing Smart Grid deployment standards, with security being a top priority as can be seen in IEEE 2030 2‐2015 Security and Privacy. It remains to be seen what action the federal government will take with regard to this issue, but many expect military‐grade security to be a necessity for critical portions of the Smart Grid.
In summary, the generalized conception of the Smart Grid includes the installation of communication links, high voltage switches, and “smart electric meters,” which would enable:
Automatic switches which detect system faults and open to isolate just the faulted areas, keeping the major portion of the grid intact
Real‐time load flow information to identify system load pockets for local generation dispatch
Creation of pricing mechanisms and rate structures based upon actual power supply costs, updated by the hour or even by the minute, to encourage customers to shift power use to system off‐peak times
Dispatch on or off of customer‐owned generation units to better match system needs
“IP Addressable” electric meters for customers allowing two‐way communication between the electric meter and the utility. This will enable the interchange of unique pricing, voltage, and power quality information on a meter‐by‐meter basis.
The utility will be able to remotely turn electric service on or off, assuming smart meters have this capability. Turning off a meter for non‐payment, or if an electrical fault is sensed within the building electric service, would be possible.
The smart meter may be able to generate “alerts” to customers, or real‐time electric load information that will enable building load management systems to automatically schedule non‐critical equipment operations such as shutting down, or delayed starting of air conditioning compressors, resulting in more effective peak shaving.
There are major cost hurdles to be overcome in the design, planning, and implementation of any “smart grid.” To the extent that the federal government has endorsed its development and provided some funding, it is starting to take shape. Exactly what this will mean for mission critical facilities remains to be seen, but it is likely that it will, at a minimum, allow greater flexibility in installing on‐site power generating devices and facilitate the shifting of discretionary loads from peak periods to off‐peak periods that have lower electric rates.
2.8 Conclusion
It is important to address the physical and cyber security needs of critical infrastructures, including systems, facilities, and assets. Security requirements may include capabilities to prevent and protect against both physical and digital intrusion, hazards, threats, and incidents, and to expeditiously recover and reconstitute critical services. Personnel should be trained and made aware of security risks and consequences, ensuring that sensitive information will not be leaked and lead to a security breach.
A sensible and cost‐effective security approach can provide a protection level achieved through design, construction, and operation that mitigates adverse impact to systems, facilities, and assets. This can include vulnerability and risk assessment methodologies that identify prevention, protection, monitoring, detection, and sensor systems to be deployed in the design. Also, less frequent, but greater consequence risks must be taken into consideration. No longer are accidents, the only risks to be expected, but deliberate attacks must be accounted for as well.
The increased use of advanced information technology coupled with the prevalence of hacking and unauthorized access to electronic networks requires physical security to be complemented by cyber security considerations. Hacking techniques are becoming more sophisticated, and before enabling remote access for monitoring and/or control of critical infrastructure systems, cyber security protection must be assured. Major damage can be done remotely, and the greatest effort should be made to prevent illicit access to critical networks.
For mission critical facilities, this cements the need for the design of backup power systems – including UPS, generators, transfer switches, etc. – to be on par with the challenges facing us as today’s digital society evolves and necessitates the digitalization of the power grid. The importance of ongoing and technical maintenance programs, coupled with strong training and education, should also be stressed. Without these elements, no business recovery plan will be successful.
2.9 Energy Security and Its Effect on Business Resiliency ‐ Questions to Consider
