The Smart Grid Interoperability Panel–Cyber Security Working Group (SGIP-CSWG) was formerly known as the Cyber Security Coordination Task Group (CSCTG). The SGIP-CSWG was established as a permanent working group within the Smart Grid Interoperability Panel. It is now called the Grid Interoperability Panel-Smart Grid Cybersecurity Committee.
The CSWG has members from a wide range of organizations and industries, including utilities, state utility commissions, privacy advocacy groups, academia, Smart Grid appliance and applications vendors, information technology (IT) engineers, and information security (IS) practitioners. This diversity of disciplines and areas of interest among the group’s participants helps to ensure all viewpoints are considered when looking at privacy and security issues. It also brings a breadth of expertise, both in recognizing inherent privacy risk areas and in identifying feasible ways to mitigate those risks while supporting and maintaining the value and benefits of the Smart Grid.
The CSWG membership collaborated to deliver the NIST Interagency Report (NISTIR) 7628, Guidelines for Smart Grid Cyber Security, in August 2010. Since then the group has focused on specific topics such as risk management processes, key management in the Smart Grid, the Smart Grid security architecture, security testing and certification, Advanced Metering Infrastructure (AMI) security, and privacy in the Smart Grid. In addition, the group is conducting security reviews of many Smart Grid-related standards and beginning to develop a User's Guide for NISTIR 7628.
During the development of NISTIR 7628, CSWG subgroups performed detailed technical analyses on an array of security-related topics, and then documented the research, issues, and guidance in specific sections. The CSWG creates and disbands subgroups in order to meet present needs.
Since the NISTIR 7628 publication, some of the CSWG subgroups have merged, while others are regrouping as they determine their next set of tasks. The CSWG currently consists of the following subgroups:
- The Architecture subgroup focuses on the enhancement of the logical security architecture for the Smart Grid. This group's work is used as input to the SGIP Architecture Committee;
- The High-Level Requirements subgroup addresses the procedural and technical security requirements of the Smart Grid to be addressed by stakeholders in Smart Grid security. To create the initial set of security requirements in NISTIR 7628, this subgroup adapted industry-accepted security source documents for the Smart Grid;
- The NISTIR 7628 User's Guide subgroup will provide an easy-to-understand tool that utilities and other entities involved in implementing Smart Grid-based systems can use to navigate NISTIR 7628 to identify and select the security requirements needed to help protect those systems;
- The Privacy subgroup continues to investigate privacy concerns between utilities, consumers, and nonutility third parties;
- The Standards subgroup assesses standards and other documents with respect to the cybersecurity and privacy requirements from NISTIR 7628. These assessments are performed on the standards contained in NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0, or in support of the SGIP's Priority Action Plans (PAPs); and
- The Testing and Certification subgroup establishes guidance and methodologies for cybersecurity testing of Smart Grid systems, subsystems, and components.
The SGIP-CSWG has worked since June 2009 to research privacy issues within the existing and planned Smart Grid environment. Its research to date has focused on privacy concerns related to consumers' personal dwellings and use of electric vehicles. In July and August of 2009, the privacy subgroup performed a comprehensive privacy impact assessment (PIA) for the consumer-to-utility portion of the Smart Grid.
There may also be privacy concerns for individuals within business premises, such as hotels, hospitals, and office buildings, in addition to privacy concerns for transmitting Smart Grid data across country borders. However, because the existing collection of NIST use cases does not cover business locations or cross-border data transmission, and in view of its time constraints, the Privacy subgroup has not researched business premises or cross-border privacy issues.