Showing posts with label State Policy. Show all posts
Friday, April 18, 2014
New England (and Connecticut in Particular) Showing PUC Leadership on Security
NARUC has been issuing cybersecurity guidance to the 50 US public utility commissions (PUCs) since 2010. And NASEO's been guiding other state government orgs. California's PUC has been very active, showing leadership with its multiple publications on security and privacy. Until recently, PUC Texas had a true cybersecurity pro on staff.
But now I'm going to tell you about my part of the world: New England. Last fall the organization that brings the six northeastern PUCs together, NECPUC, put out an RFP for security consulting for the six and some of their utilities. EnergySec won it, and I've heard only positive news about what that six-month engagement has produced. In addition, the Massachusetts AG recently released an RFP seeking third-party evaluations of the cybersecurity preparedness of the distribution companies serving the state.
Tuesday, February 25, 2014
Where do Today's Electric Utility CEOs come from, and what do their Origins Mean for Grid Security?
I remember once thinking, naively perhaps, that most utility CEOs must have come up through the ranks, like generals in the military, with hands-on operational engineering experience garnering them the respect of their peers and subordinates along the way.
When I shared that concept last year with a 40-year industry veteran who'd done his time in generation and T&D, he schooled me saying that while that used to be the case, it's not the norm today. He said more often you'll find someone with a finance background, often imported from sectors outside power.
Wednesday, October 16, 2013
Special Conference Alert: Risk Management-Focused NARUC Annual Meeting
This NARUC Annual Meeting is called "Managing Risk: Protecting Consumers and Critical Assets" and yours truly will have the honor of participating as a panelist.
As per usual, here are the basics:
- Where: Orlando Hilton Bonnet Creek, FL
- When: 17-20 November 2013
- To Register: click HERE
The Sunday afternoon panel I'm on is called: "Risk Management in Action: Challenges and Opportunities for Implementation", and here's the narrative description of what we'll be discussing:
There’s a lot of talk about the benefits of risk management processes to address cybersecurity, but how familiar are we with the actual implementation of these processes? Come hear panelists discuss the resources necessary to implement and maintain risk management processes for cybersecurity of our critical infrastructure. What are the bottom line impacts on owners’ and operators’ resources for implementing risk management? Hear from subject matter experts about the opportunities and challenges.
Should be great. Hope some of you can make it.
Photo credit: TripAdvisor.com
Saturday, July 20, 2013
RFP Alert: Security Advisor Sought for New England Utility Commissions
No sooner had I posted on the need for more state utility commissions to ensure access to quality cyber security guidance, when an RFP with this exact goal in mind came across my desk (figuratively speaking). So without further delay, your attention please:
The region of 6 northeastern US states collectively referred to as "New England" and boasting the highest per-capita concentration of Dunkin Donuts is seeking one very well qualified energy and cyber security professional to help guide them for a six month period commencing in mid September.
The New England Conference of Public Utilities Commissioners, Inc. (NECPUC) has issued an RFP for which responses are due NLT 5 pm August 8, 2013. I provide the URL to the RFP below but to save you an unnecessary trip, here are the qualifications required if you or your small firm want to even be considered for the job:
- Background and knowledge of utility sector industrial control system and business operations
- Knowledge and expertise in computer systems security and related physical security issues
- Certified Information Systems Security Professional or similar computer security management certification preferred
- U.S. Government security clearance of “Secret” or higher preferred
Thursday, July 18, 2013
To Secure Your State Grid, First Know Your Public Utility Commission (UPDATED)
19 July 2013 UPDATE: Significant clarification just in from Terry Jarrett, Commissioner of Missouri's Public Service Commission and Chairman of the Committee on Critical Infrastructure at NARUC:
Actually, the NARUC Critical Infrastructure Committee's main focus has been cyber security for the past two years that I have been chairman. Last fall at our annual meeting, incoming NARUC president Phil Jones declared cyber security to be one of the themes of his presidency. To say that cyber will be given more attention in Denver than in the past simply is not factual.
Thank you Terry. I'll leave the original post below intact so you can see to what Terry was referring, but please keep his clarification in mind as you do. ab
-- -- -- -- --
The Advanced Energy Economy Institute (AEE) has a great new site for helping you navigate your way around any of the 50 US states' energy landscapes, including commission leadership, energy portfolio mix, legislation and more. One topic you won't read much about, however, at least not without doing some substantial digging, is cyber security preparedness.
As readers of the SGSB may recall, we've done shout outs to California and Texas, both states having cyber security knowledgeable professionals on their Public Utility Commission (PUC) staff, and there are a couple of other states now similarly equipped. Many other states, however, haven't yet made a modest level of cyber security capability a requirement.
From the Business Roundtable (BRT) issuing guidance earlier this year on how organizations should better organize themselves to meet the rising cyber security risks they face, to a recent report drawn from mega-insurer Lloyd's of London's survey of CEOs and boards of directors at the world's top companies showing they now consider cyber security among the top three risks facing their companies, you could say it's well past time for all organizations, and particularly those with public authority and responsibility like state utility commissions, to ensure they are well informed.
Lastly, you should note that the national body representing the interests of state commissions in Washington, NARUC, has demonstrated excellent leadership producing not just one, but two versions of practical cyber security guidance for commissions in the past year. NARUC will be holding its annual summer meetings in Denver next week and I understand cyber security is going to be given much more attention than it's received in the past. Hmm, maybe this is a good chance to jump-start your commission's cyber security program ....
Wednesday, June 5, 2013
CPUC's Villarreal is the Real Deal for Grid Security from the US States' Perspective
From cybersecurity to privacy, the Green Button and security metrics, this recent deck from the California Public Utility Commission's (CPUC's) Chris Villarreal covers the entire grid security waterfront from a (very big) state's point of view.
This is well worth your time if you're a regulator in another state, a regulated entity in any state, or you just want to get a better feel for the way this process is evolving.
Note the links on the last slide to the excellent CPUC security white paper by Chris and his security-savvy colleagues, Liza Malashenko and J. David Erickson, and to NARUC's excellent "Cybersecurity for State Regulators 2.0" guide. There are other states upping their cybersecurity game as well, but California and Texas have been the two trailblazers. Of that there is no doubt.
----------------------------
URL for this deck, which accompanied Erfan Ibrahim's SG Educational Series webinar:
https://docs.google.com/file/d/0B83Q27_xggOTV3JpVTlSNnRGNGM/edit?usp=sharing
URL for another nice write-up on the work of Chris and his colleagues, from Greentech Media's Jeff St. John:
http://www.greentechmedia.com/articles/read/smart-grid-cybersecurity-the-california-way
Thursday, February 7, 2013
One Step Closer: Announcing NARUC's Cybersecurity Guide for State Regulators 2.0
My last post on NARUC*, from June of 2012, was on the first version of their cybersecurity guide for state regulators, and the somewhat sprawling piece ended thusly:
I would like to end by saying that this was a document that could never fully please everyone, and if we remember it's a 1.0 version, then in that context it's an ambitious and excellent start. Let's start providing feedback now so that 2.0 can be even better.
Well guess what readers? Some of you and maybe some others provided feedback, so well and fully in fact that we find ourselves fewer than 9 months later with a new and improved 2.0 version, just released by NARUC after announcing it at its Winter Meetings (note sublime, almost hypnotic snowflake animation on landing page).
Wednesday, November 14, 2012
The Evolving Role of State Regulation in Grid Cybersecurity
State regulators have not traditionally played a large role in cybersecurity. However, this is beginning to change with the recognition that Federal compliance-based models may not be sufficient to ensure grid resiliency, reliability and safety, as well as customer data privacy. With grid modernization on the way, there is an important role that State regulators need to step into, as much of this new infrastructure will be located on the distribution grid, which is currently outside of NERC authority. There is also a possibility that the Federal government could preemptively move to regulate in this area if there is no action at the State level.
You can (and should) read this grid planning and reliability policy paper here: Cybersecurity and the Evolving Role of State Regulation: How it Impacts the California Public Utilities Commission.
Thursday, July 26, 2012
The State of the States and Smart Grid Security
Readers, working your way through this comprehensive yet non alarmist EPIC PIECE of Smart Grid security journalism will take some time, because author and former NH PUC commissioner Nancy Brockway has done her homework and then some.
And unlike some unschooled energy security bloggers I know, she knows all the business angles. To wit:
Utilities might argue that they need pre-approval and current recovery of cybersecurity costs. Utilities and their smart grid industry partners sometimes claim that without such cost recovery, a utility will lack the ability and resources to pursue cybersecurity with vigor, presumably because in and of themselves, cybersecurity investments don’t generate revenue. However, the industry has it backwards.
See what I mean? OK, here's the cybersecurity funding smackdown:
If a utility executive says the firm won’t vigorously pursue cybersecurity absent a tracker to recover its costs outside the normal ratemaking treatment, the utility is signalling that it might not have fully embraced the goal of such security. And a utility that tries to reassure the commission that such guaranteed revenues can be clawed back on a later finding of imprudence might be hoping the commissioners are naive about how prudence reviews work.
Hold on; one more volley and it's over:
There’s a huge difference between pre-approving and providing extra-rate-case recovery of utility investments in cybersecurity, and making it clear that the commission understands the need to change out obsolete equipment and technology, beef up staff, and make investments to protect the grid. But if a utility cares so little about cybersecurity that it won’t pursue the smart grid or the cybersecurity component of the smart grid absent guaranteed, dollar-for-dollar, few-questions-asked revenues awarded outside of normal cost recovery, this should be a red flag to the commission about letting that utility install the connectivity inherent in the smart grid.
About the only point Ms. Brockway seems to have missed re: State actions is the recent publication of a pretty decent and helpful guide by NARUC, which we posted on earlier and you can view HERE. It didn't seem like you could comment on the article, but I'll be very interested to hear what folks make of her positions on these matters, particularly the funding aspects.
Tuesday, June 19, 2012
NARUC Releases a Timely Cybersecurity Guide
I didn't like the tone of my original piece on this so have made a few mods. Content is essentially the same.
Here's a LINK to the National Association of Regulatory Utility Commissioners (NARUC)'s new Cybersecurity for State Regulators
Before I begin to comment on and critique some of the contents, I just want to say I have no ax to grind against NARUC. From my interaction with its members, including several of the folks named as authors of this document, these folks do a fantastic job, state by state by state, keeping the gigantic and sprawling US grid, reliably and economically up and running.
And let's continue with a little more praise. Very few state regulators have hands-on experience with cybersecurity. Giving them a guide that both teaches them, at an intro level, and arms them with good starting-point questions, is a wonderful and necessary thing. Major kudos for that.
However, this paraphrase from an article introducing the guide gave me initial pause:
NARUC advised state commissioners to work with utilities to increase their investment in cybersecurity protections for the smart grid.
This statement makes it sound like someone knows what the right amount of spending is. And that would suggest that that same someone knows a lot about the evolving threats, as well as the requirements for the right types of correctly deployed and configured technical and human protections, and has converted them to USDs (money). These are all things the energy sector security community is working on, but quantifying down to the right level of dollars spent is beyond us still, I think.
Now here's a direct quote from the guide:
Regulators have to determine whether the amount being invested is insufficient or excessive and whether it is allocated appropriately.
I know it's their job in general, but I also think that specific to cybersecurity, this is a burden (on the regulators themselves) too far. Determining appropriate allocation is definitely a worthy pursuit, and the matter has great import for all stakeholders including customers. But man, without some commonly agreed frameworks or metrics to measure against, it's a tough one.
Now I'll do a quick pass at a couple of the proposed questions in the appendix. The first one is about budget:
Q26. Is cybersecurity budgeted for? What is the current budget for cybersecurity activities relative to the overall security spending?
Good stuff generally, and really core when it comes time for rate case justification. But I'd also want to know how the budget is arrived at. Like an elementary school teacher, I want you to step up to the board and show me the math. And I'm not sure the second question is all that relevant ... is there a correct or helpful answer to that one?
Q27. Are individuals specifically assigned cybersecurity responsibility? Do you have a Chief Security Officer and do they have explicit cybersecurity responsibilities?
I hope that in even the smallest utilities (and some are mighty small) the answer to the first question is yes. And I know that in even the largest utilities, the answer to the second question is almost always no.
Now here are a couple of other questions I might have suggested. In addition to Q27, I would have liked to see questions that poke into other governance issues, like:
- QAB1: Related to applications: How many applications do you have? What are the top 10 most important ones? Who owns them? Who developed them? Who patches them? How are they secured? When was the last time they were tested and how did they do? Who tested them?
- QAB2: Related to data: Have you inventoried your data assets? Developed a classification scheme? Identified data owners? Developed data lifecycle and protection policies? Practiced responding to a data breach? Who owns Privacy?
- QAB3: Related to money (again): Beyond pen testing, how do you evaluate the effectiveness of your cybersecurity policies and programs? Related to Q26, what methods do you use for prioritizing your cybersecurity expenditures?