Table 10.4.
| Policy statements | Requirements |
|---|---|
| The system shall implement strong access controls to ensure Confidentiality of system content | (1) The system shall implement Mandatory Access Control. (2) The system shall enforce multifactor authentication. (3) The system shall enforce a strong password policy with automated strength checking. (4) The system shall enforce strong user account management. (5) The system shall implement Role-Based Access Control with fine-grained access to resources (Principle of Least Privilege). |
| The system shall implement a layered defense to maximize Confidentiality and Integrity of system content | The system shall implement security controls at the system periphery, Microgrid LAN, Supervisory Control, application software, database, and Microgrid Device levels [Specific controls at each level should be specified]. |
| The system shall protect data at rest, in transit, and in use | (1) The system shall encrypt all data in storage. (2) The system shall implement VPNs for all external data communications, including with the PG. (3) The system shall employ application software that prevents unauthorized exposure of data. |