Smart Power Grid Security: A Unified Risk Management Approach

Power grid information security and protection has aspects of both Industrial Control Systems (ICS) as well as Information Technology (IT) Systems. Although both ICS and IT systems require information security services to combat malicious attacks, the specifics of how these services are used for the power grid depend upon appropriate risk assessment and risk control. Distinct types of attacks targeting ICS and IT systems as well as different performance requirements of these systems determine a specific priority order of the security services implemented for each system. Threat profiles of the power transmission and distribution management functions, where availability is paramount to all other security services, differ significantly from threat profiles of IT functions such as utility customer billing where confidentiality is a greater concern - hence warranting different security posturing. This paper discusses different approaches for security risk management in the context of the smart power grid. Methodologies proposed for risk assessment include threat and vulnerability modeling schemes which help in identifying and categorizing the threats, as well as in analyzing their impacts, and subsequently prioritizing them. Risk management planning techniques as they apply to both ICS and IT systems are also discussed.