Tuesday, May 31, 2011

Reading the Smart Grid Tea Leaves in the Era of Abundant Natural Gas, Falling Renewables Prices, and Perpetual Cyber Attack

Heck, these aren't tea leaves, these are clear direction signals, neon lights flashing what's coming in letters 100 feet high. The late-night rantings of some cellar dwelling blogger? Far from it, everything below was on the May 31, 2011 front page of the Wall Street Journal when I made my customary pilgrimage to wsj.com over the first coffee of the morning:
Renewables costs are falling and will continue to do so. For this we leave the Journal and turn to a guest blog at Scientific American:
The cost of solar, in the average location in the U.S., will cross the current average retail electricity price of 12 cents per kilowatt hour in around 2020, or 9 years from now. In fact, given that retail electricity prices are currently rising by a few percent per year, prices will probably cross earlier, around 2018 for the country as a whole, and as early as 2015 for the sunniest parts of America.
10 years later, in 2030, solar electricity is likely to cost half what coal electricity does today. Solar capacity is being built out at an exponential pace already. When the prices become so much more favorable than those of alternate energy sources, that pace will only accelerate.
This is even better, from ABC News in Australia: Renewable energy will only get cheaper: study.

Question 1: Can the current grids handle the projected levels of natural gas and intermittent renewable power in Germany and elsewhere? Part of the solution may be GE's new highly efficient and fast ramping turbine that should make natural gas a better renewables backstop. But surely it'll take more than this.

Question 2: Can we build out the new grid in ways that make it reliable and secure enough to handle all this change? That remains to be seen, and remains the ongoing subject of this blog.

OK, time for more coffee!

Thursday, May 26, 2011

Insane in the Brain - Why your Smart Meter may soon be on the Most Wanted List

Words fail me (which is weird, right?). Way too many radiating radio waves for comfort:
Although smart meters are too new to form definitive conclusions regarding their long-term risk, data from several studies show about twice the risk of a rare kind of brain tumour in those who've used a cellphone half an hour a day for 10 years. These tumours normally take 40 years to develop.
If the so-called nuclear expert from California, referenced in this article, is right, you need to get out of your house immediately, wireless, wired or no Smart Meter. And don't go outdoors either ... far too many radio waves out there as well, not to mention the sun. And wolverines.

Hmm, that's funny, sounds like a cave is your best bet. Which is where I said you should consider going in the previous post. I'm detecting an early trend.

It's going to be ok, though. Our ancestors did some of their best work in caves, as you can see in Werner Herzog's latest film.


Re: Cyber Threats and the US, CNBC says Go Crazy Folks, Go Crazy

CBS' 60 Minutes has done this to us before. Now you can thank CNBC for next round of cyber hysterics, driven home with whiz-bang graphics and ominous, brooding orchestration. Here's the preview of tonight's show ... you can't say you weren't warned.



I recommend seeking shelter immediately. In a cave. For decades. Oh, and you'll need to leave you iPad at home.

More info on "Code Wars: America's Cyber Threat" can be found HERE.

"Go Crazy Folks" courtesy of late, great sportscaster Jack Buck

Monday, May 23, 2011

How SCADA/ICS Security Sausage is Made

And like regular sausage making, the process is not always pretty to behold. The company whose computers were targeted by the Stuxnet worm has been working hard on solutions that will better protect its customers going forward. But as in any arms race, it's up to antagonists to show the company is question hasn't done enough yet, or isn't moving fast enough, or both.

In the cyber security business, fortunately, some of the best opponents are faux opponents. Such seems to be the case with NSS Labs' Dillon Beresford (LinkedIn profile). This from today's darkREADING Advanced Threats page, on a presentation that didn't happen in Texas:
In posts to the SCADASec security mailing list, Beresford noted that while he is free to give his presentation at any time, he'll wait until it's safe to do so given the potential ramifications. He said in a post today that "until the products are fixed and the patches have been carefully validated the presentation will remain out of the public domain. As for a definitive timetable on patches, who knows..."
The full article is HERE. Thanks to the established dynamic of this industry, with crack penetration testers challenging suppliers to show they've made necessary security fixes, the truth will out. And eventually, sooner or later (hopefully sooner), utility asset owners will have SCADA/ICS systems that are harder to hack.

Friday, May 20, 2011

Webcast Alert: Virtual Energy Forum - Cyber Security No FUD Zone

As our friend Massoud likes to say, "at the risk of self promotion," would like to let you know that I'll be doing a live presentation on Wednesday, May 25.  I'll have both my IBM and blogger hats on at the same time, so will be discussing topics from the SGSB, as well as describing how IBM is organized and organizing to help electric utility customers improve their security and privacy posture.

Feel free to heckle if you must. Details are below.

Featured Presentation
Andy Headshot May 25th at 12:00PM EDTLessons from the Smart Grid Cyber Security No FUD Zone

Andy Bochman
Energy Security Lead
IBM Software Group/Rational


Presentation Abstract - The mainstream media gives us daily reminders of the risks anticipated from the emerging Smart Grid. From Smart Meter-related health concerns, to new privacy issues, to perceived exposure to higher monthly electric bills, not to mention new threats to critical infrastructure from solar flares, EMP and Stuxnet. This presentation will give attendees the other side of the story. We'll cover what utilities, regulators, and vendors including IBM are doing to ensure the successful roll out of a safe and secure Smart Grid, essential for enabling the Smarter Planet and our collective energy future.

Click HERE to register.

Tuesday, May 17, 2011

FERC's Director of Reliability Speaks Out on Grid Gaps


While you were relaxing and celebrating Cinco de Mayo with cervezas y margaritas and such, FERC's Joe McClelland was on the job (as always), testifying before a Senate committee on what he sees as the current gaps in coverage in grid protections and what should be done about them.

For starters, he laid it out quite simply:
The Commission (FERC) currently does not have sufficient authority to require effective protection of the grid against cyber or physical attacks. If adequate protection is to be provided, legislation is needed and my testimony discusses the key elements that should be included in legislation in this area.
Then proceeded with something you should know about if you didn't it already ... about US cities and 2 entire states:
Currently, the Commission’s jurisdiction and reliability authority is limited to the “bulk power system,” as defined in the Federal Power Act (FPA), and therefore excludes Alaska and Hawaii, including any federal installations located therein.  The current interpretation of “bulk power system” also excludes some transmission and all local distribution facilities, including virtually all of the grid facilities in certain large cities such as New York, thus precluding Commission action to mitigate cyber or other national security threats to reliability that involve such facilities and major population areas.
And beyond the geographic dead-zones he called out above, and the fact that the CIPs miss the majority of the grid by entirely missing the distribution network, there's also the temporal issue ... the current process is slow ... way too slow depending on the nature of the threats to be countered:
The procedures used by NERC ... can be an impediment when measures or actions need to be taken to address threats to national security quickly, effectively and in a manner that protects against the disclosure of security-sensitive information. The current procedures ... do not provide an effective and timely means of addressing urgent cyber or other national security risks to the bulk power system, particularly in emergency situations. Certain circumstances, such as those involving national security, may require immediate action, while the reliability standard procedures take too long to implement efficient and timely corrective steps.
I could go on citing McClelland's sharp observations and recommendations, but maybe it's better for you to get the rest in the complete context. There's a lot more to take in so click HERE for the full transcript. If you're like me, you've got to be glad Joe is on the job.

Photo credit: yngrich on Flickr.com

Friday, May 13, 2011

Girding the Grid for Renewables


Economic cycles wax and wane, rebates and tariffs come and go, but guided by clear heads and pure hearts (not to mention lured by the prospect of future profits), technology-driven innovators march on.

These two indicators indicate that the grid's going to have a lot more renewables to manage in coming years:
So we'd better keep building out the new grid so it can handle all of this intermittency, right? Storage technology will play a key role and needs to get a lot better than it is today.

And we also might want to make the entire thing secure while we're at it. Banks can (and now, quite frequently, do) refund fraudulent charges made to your hijacked accounts, but it's not clear how utilities will make businesses or homeowners whole when cyber attacks disrupt power delivery.

Photo credit: Jumanji Solar on Flickr.com

Wednesday, May 11, 2011

Smart Grid Privacy (and More) may be Coming Soon ... Especially if you Live in California


This just in from Smart Grid guru Christine Hertzog. California, tethered (some might say lashed) to the bow of the national Smart Grid ship by its own aggressive renewables targets, is moving first on formalizing privacy rules for its 3 big investor owned utilities. Here's how Hertzog relayed the recent CPUC ruling:
... the California IOUs must deliver pricing, usage and cost data to residential customers, including bill-to-date, bill forecast data, projected month-end tiered rate, a rate calculator, and notifications to customers as they cross rate tiers. The IOUs must also improve customer access to wholesale electricity prices.
Hmm, that sounds very portal-ish. I recently asked a rep of my home state PUC about when time of use/realtime pricing might be coming to our area and he just laughed. Hertzog continues:
California takes another step closer to realtime pricing with the requirement that the IOUs must initiate studies within 6 months on how to provide this information to customers. And the IOUs must start pilots that provide consumers with direct access to the information in smart meters and support for HAN-enabled devices. These are all exciting developments to accelerate new service offerings that help consumers manage their energy consumption and demonstrate the value of the ongoing investments in smart meters and other Smart Grid technologies.
I remember discussing the costs and benefits of being a first mover with my colleague and SGSB co-blogger Jack Danahy, and while I opined that a slow roll approach might be best, he weighed in that you've got to get your hands dirty up front if you're going to lead. Well, that's exactly what CPUC and its big 3 utils are doing.

I'm rooting for them, and recommend the community doesn't give them too much grief when they don't get something exactly right the first time. It's great they're doing what they're doing!

Click HERE for the rest of the article.

Photo of Laguna Beach at night credit: Kenneth Lu on Flickr.com

Monday, May 9, 2011

NERC and NIST Ramp Up Risk Management Collaboration

There are security-related ISO, IEC and IEEE electric grid standards galore, but these are technical standards. I know it's more complicated than this, but I submit that the easiest way to tell regular folks about grid and Smart Grid security standards is to say there are really only two that matter in 2011, and they are:
  • NERC CIPs, version 3
  • NISTIR 7628, version 1
The first covers cyber security protections of only the most critical generation and transmission assets in the bulk electric system (BES) and has little to do with protecting new Smart Grid systems, most of which deploy in the distribution network, far from the BES. The second boldly attempts to describe how to secure the whole enchilada, albeit at a high level. In short, there isn't a heck of lot the two standards/guidance documents have in common.

We've described each ad nauseum on this blog, so let's look at something more soothing. With the next version of the above standards still over the horizon, let's consider the nascent collaborative effort between NERC and NIST, confirmed by language pulled from a draft budget document submitted by an SGSB reader:
... NERC is collaborating with DOE and the National Institute of Standards and Technology (NIST) to develop comprehensive cyber security risk management process guidelines for the entire electric grid, including the bulk power and distribution systems. This initiative is particularly important with the increasing availability of smart grid technologies. While the majority of technology associated with the smart grid is found within the distribution system, vulnerabilities realized within the distribution system could potentially impact the bulk power system.
So, it seems that some folks in high places have realized the disconnect, and seek to build a risk management bridge between the CIPs and the NISTIR. This is good news, right? Here's the draft NERC 2012 business plan and budget, if you're into this kind of thing.

Tuesday, May 3, 2011

FERC and NERC: Who Blinks First on Bright-Lines?

This post continues a series where we try to get a fix on where the next versions of the CIPs are going, and exactly when they're coming (see previous posts on this topic from March and April of this year).

You know, if there was some sex or violence, or even a little Ian flemming-esque international intrigue involved, the quest for the next version of the NERC CIPS might merit its own slot on prime time. As it is, however, it can best be called a regulatory reality show.

As this new open letter (registration required) from security consultancy Matrikon reveals, the producer, FERC, seems to be tiring of its wayward plot and may begin inserting a script more to its own liking.

While a full accounting of recent events gets quickly quite complicated, much of the kerfuffle centers on the so-called "bright line criteria" (aka, the rules) used to determine which additional electrical generation and transmission assets will get CIP scrutiny when the long awaited version 4 finally arrives.

I'm over simplifying things, of course, but in a nutshell, FERC wants more bulk power assets monitored, while utilities want fewer. And poor NERC is caught in between, taking too long, and is hamstrung by the rules its actions.

The open letter paints a pretty good picture of this dynamic, and while never claiming certain knowledge of how things will ultimately play out, I think this paragraph imparts the tension of the present impass:
Earlier in the NERC/FERC relationship, FERC would have simply disapproved Version 4 and sent it back to NERC to rewrite, submit for new comments and ballot(s), redo the survey with whatever changes came out of the balloting and then make a new filing to FERC. This would probably take close to a year. Our guess is this will not happen. FERC has been losing patience with the NERC standards process for a while, and they (and members of Congress) have repeatedly stated that the security of the BES is at risk given the current coverage of critical assets in NERC CIP.
Seems like the ball is in FERC's court. All we can do is stay tuned. And of course, if I've misrepresented the current situation in some way, please let me know so I can help get the right knowledge out there.

Monday, May 2, 2011

Anonymous Now Calling its Shots: Middle East Troublemaker in the Corner Pocket


How many hackers, Babe Ruth-like, are brazen enough to broadcast what they're going to do, and to whom they're going to do it, ahead of time?

Seems like the US and Anonymous are on the same side ... for the moment, anyway. Not sure web site defacements are going to get the Ahmadinejad dictatorship off the Iranian people's back, but it's better than nothing. Here's some CNET coverage on this.

Oh, and happy No More Bin Laden day to you!

It's been a long time coming.

Image credit: Sinistra Ecologia Liberta on Flickr.com