Showing posts with label regulation. Show all posts
Friday, April 18, 2014
New England (and Connecticut in Particular) Showing PUC Leadership on Security
NARUC has been issuing cybersecurity guidance to the 50 US public utility commissions (PUCs) since 2010. And NASEO's been guiding other state government orgs. California's PUC has been very active, showing leadership with its multiple publications on security and privacy. Until recently, PUC Texas had a true cybersecurity pro on staff.
But now I'm going to tell you about my part of the world: New England. Last fall the organization that brings the six northeastern PUCs together, NECPUC, put out an RFP for security consulting for the six and some of their utilities. It was won by EnergySec, and I've heard only positive news about what that six-month engagement has produced. In addition, the Massachusetts AG recently released an RFP seeking third-party evaluations of the cybersecurity preparedness of the distribution companies serving the state.
Tuesday, February 25, 2014
Where do Today's Electric Utility CEOs come from, and what do their Origins Mean for Grid Security?
I remember once thinking, naively perhaps, that most utility CEOs must have come up through the ranks, like generals in the military, with hands-on operational engineering experience garnering them the respect of their peers and subordinates along the way.
When I shared that concept last year with a 40-year industry veteran who'd done his time in generation and T&D, he schooled me, saying that while that used to be the case, it's not the norm today. He said that more often you'll find someone with a finance background, often imported from sectors outside power.
Tuesday, August 20, 2013
Motivation through Compensation: Paying Utilities to Upgrade Cyber Defenses
Now we're getting somewhere! The long-submerged topic of "who should pay" for electric utility cyber security improvements has just breached the surface and is now bobbing up and down in clear daylight.
A recent article in Bloomberg documents several large US utilities' efforts to recover current and future cyber security investments the same way they get paid for other infrastructure programs: by getting clearance from their state utility commissions to approve these expenses in their rate cases.
Actually, ratepayers (aka electricity customers) will pay one way or another, as they should, for the essential service that makes our modern lifestyles possible. Possible methods of payment include:
- Absorbing the costs to their businesses and their lives associated with brownouts, blackouts or electricity quality issues stemming from successful attacks on control centers or systems
- Paying more every month to cover some, most or all (TBD) of their utilities' cyber-protection expenses
- Or, as Pepco CIO Doug Myers said, as cited in the Bloomberg article, allowing utilities to be reimbursed through federal grants
This concept was articulated more formally by Michael Daniel, special assistant to the President on Cybersecurity, when he included rate recovery as one of a number of cyber incentive strategies for critical infrastructure providers:
Rate Recovery for Price Regulated Industries — Agencies [DHS, Commerce, Treasury] recommended further dialogue with federal, state, and local regulators and sector specific agencies on whether the regulatory agencies that set utility rates should consider allowing utilities recovery for cybersecurity investments related to complying with the Framework and participation in the Program.
As this blog often reiterates, we have to acknowledge and accept the costs of living in a technology-enabled world, where the impulse to cyber-secure important services must become every bit as natural as physically securing our more tangible valuables.
Else, I have a nice cave I'd like to show you. And no, it doesn't have wifi.
Saturday, July 20, 2013
RFP Alert: Security Advisor Sought for New England Utility Commissions
No sooner had I posted on the need for more state utility commissions to ensure access to quality cyber security guidance, when an RFP with this exact goal in mind came across my desk (figuratively speaking). So without further delay, your attention please:
The region of 6 northeastern US states collectively referred to as "New England" and boasting the highest per-capita concentration of Dunkin Donuts is seeking one very well qualified energy and cyber security professional to help guide them for a six month period commencing in mid September.
The New England Conference of Public Utilities Commissioners, Inc. (NECPUC) has issued an RFP for which responses are due NLT 5 pm August 8, 2013. I provide the URL to the RFP below but to save you an unnecessary trip, here are the qualifications required if you or your small firm want to even be considered for the job:
- Background and knowledge of utility sector industrial control system and business operations
- Knowledge and expertise in computer systems security and related physical security issues
- Certified Information Systems Security Professional or similar computer security management certification preferred
- U.S. Government security clearance of “Secret” or higher preferred
Thursday, May 23, 2013
House of Reps Report Reams Utilities on Cybersecurity
I was trying to capture the spirit of Jesse Berst's headline on the same subject:
Utilities to FERC: Take your security measures and shove it
That's not very nice, is it? I think they toned it down with a later change, but this headline was what was in my inbox in this morning's SmartGridNews.com newsletter. The subject is a recent report published by the House of Representatives that's highly critical of electric utilities' behavior to date re: grid cybersecurity.
Moving on! The Wall Street Journal's Rachel King did a fine write-up of recent testimony from the CEO of the American Gas Association (AGA), Dave McCurdy. King began by noting that:
The oil and gas sector faces many of the same cyber security challenges as the electric industry. Yet, there’s one major difference between the industries, both of which need to secure software-based industrial control systems from intruders. There are no regulations governing cyber security among the oil and gas companies.
Tuesday, June 19, 2012
NARUC Releases a Timely Cybersecurity Guide
I didn't like the tone of my original piece on this so have made a few mods. Content is essentially the same.
Here's a LINK to the National Association of Regulatory Utility Commissioners (NARUC)'s new Cybersecurity for State Regulators
Before I begin to comment on and critique some of the contents, I just want to say I have no ax to grind against NARUC. From my interaction with its members, including several of the folks named as authors of this document, these folks do a fantastic job, state by state by state, keeping the gigantic and sprawling US grid reliably and economically up and running.
And let's continue with a little more praise. Very few state regulators have hands-on experience with cybersecurity. Giving them a guide that both teaches them, at an intro level, and arms them with good starting-point questions, is a wonderful and necessary thing. Major kudos for that.
However, this paraphrase from an article introducing the guide gave me initial pause:
NARUC advised state commissioners to work with utilities to increase their investment in cybersecurity protections for the smart grid.
This statement makes it sound like someone knows what the right amount of spending is. And that would suggest that that same someone knows a lot about the evolving threats, as well as the requirements for the right types of correctly deployed and configured technical and human protections, and has converted them to USD (money). These are all things the energy sector security community is working on, but quantifying down to the right level of dollars spent is beyond us still, I think.
Now here's a direct quote from the guide:
Regulators have to determine whether the amount being invested is insufficient or excessive and whether it is allocated appropriately.
I know it's their job in general, but I also think that, specific to cybersecurity, this is a burden (on the regulators themselves) too far. Determining appropriate allocation is definitely a worthy pursuit, and the matter has great import for all stakeholders, including customers. But man, without some commonly agreed frameworks or metrics to measure against, it's a tough one.
Now I'll do a quick pass at a couple of the proposed questions in the appendix. The first one is about budget:
Q26. Is cybersecurity budgeted for? What is the current budget for cybersecurity activities relative to the overall security spending?
Good stuff generally, and really core when it comes time for rate case justification. But I'd also want to know how the budget is arrived at. Like an elementary school teacher, I want you to step up to the board and show me the math. And I'm not sure the second question is all that relevant ... is there a correct or helpful answer to that one?
Q27. Are individuals specifically assigned cybersecurity responsibility? Do you have a Chief Security Officer and do they have explicit cybersecurity responsibilities?
I hope that in even the smallest utilities (and some are mighty small) the answer to the first question is yes. And I know that in even the largest utilities, the answer to the second question is almost always no.
Now here are a couple of other questions I might have suggested. In addition to Q27, I would have liked to see questions that poke into other governance issues, like:
- QAB1: Related to applications: How many applications do you have? What are the top 10 most important ones? Who owns them? Who developed them? Who patches them? How are they secured? When was the last time they were tested and how did they do? Who tested them?
- QAB2: Related to data: Have you inventoried your data assets? Developed a classification scheme? Identified data owners? Developed data lifecycle and protection policies? Practiced responding to a data breach? Who owns Privacy?
- QAB3: Related to money (again): Beyond pen testing, how do you evaluate the effectiveness of your cybersecurity policies and programs? Related to Q26, what methods do you use for prioritizing your cybersecurity expenditures?
Thursday, March 1, 2012
High Impact Cyber Security Legislation Looming for Utilities
My previous post referenced a recent preliminary report documenting how companies from all sectors are moving slowly to elevate security matters to the CEO and Board of Directors level. And hardly a day goes by where I don't suggest having more than a few empowered CSOs in our industry might start to turn the actual cyber security strategy tide as well as signal a culture change to all the grid's many stakeholders.
Like Congress for example.
Congress in 2011 seemed pretty sure that utilities and their regulators needed a few additional sticks to goad them into tightening up the overall security posture of the grid. That was the GRID Act, and when it passed the House but didn't get a Senate vote, the stage was set for a sequel.
And so here it is: the cross-sector Cybersecurity Act of 2012.
If you're a utility with too much on your plate today what with modernization initiatives, aging workforce and aging equipment issues, PUCs starting to impose new rules on how you handle and protect customer data, NERC CIP version 3 looking like it's going to morph into a much more burdensome version 4 or 5 soon, the last thing you need is another oversight agency asking you to demonstrate compliance with new regulations.
Well, that's exactly what the DHS-centered new act is. And if it passes in anything like its current form, utilities are likely to like it about as much as you'd think they would. According to Jody Westby writing in Forbes ... not much. For example:
With overtones of Sarbanes-Oxley, the bill also requires the owners of these systems to either certify annually to DHS and their sector agency whether they have implemented security measures to satisfy the performance requirements or submit a third-party assessment. Even if a company subject to the provisions of the bill can obtain an exemption by demonstrating that it is sufficiently secured or in compliance with the risk-based performance requirements, it must undergo this process every three years.
I recommend you read her whole Forbes article, take 4 Advil, and call me in the morning. Or better yet, email, if you think Westby is making a mountain out of a legislative molehill. Or vice versa.
Thursday, September 8, 2011
The Importance of Context when discussing Smart Grid Security
Sometimes those of us who speak with the press end up finding that our intended meaning, stripped of context, can become distorted beyond recognition in articles which then spread more darkness than light. What follows is an open letter, just released, from former NERC CSO Michael Assante to you, and all the members of the community that seeks to keep the US and other global grids (as) safe (as possible) from cyber attackers.
I recently had an opportunity to learn about the importance of context. I tried to help someone understand the challenges of regulation and cyber security in the context of smart grid technology deployments and electric infrastructure, and learned once again how polarized this topic can become. Certainly many can appreciate the challenge of communicating with clarity on this topic, as it can be nuanced, highly-technical, process-laden, and mired in the details of a little-followed piece of history and U.S. federal and state law.
Let me begin by providing some of the context, or background, that explains why I work hard to help develop a better understanding of how cyber security impacts operational technology in critical infrastructures. As a boy I was fascinated with the engineering required to generate and deliver electricity. To me, the power system represented a grand achievement that demonstrated what dedicated men and women could accomplish.
My father worked for a utility and was rightfully proud of the public service his company delivered to homes, schools, manufacturing plants, and hospitals. He worked with impressive machines that excavated coal, and cutting edge control centers with analog light displays. But the thing that made the biggest impact on me was the dedication with which my father and his colleagues performed jobs, and their uniform sense of mission, as they clearly understood that what they did made people’s lives better. I was quick to appreciate the vision, investment, and effort that enabled vast natural resources like coal and hydro-power to be turned into electricity, which was then transported and delivered over vast distances to every household and business.
The success of the electricity industry in designing, building and maintaining an incredible system of systems, continues to inspire children and adults alike. It has grown to become a critical infrastructure that underpins modern society. The delivery of highly-affordable and reliable electricity has paved the way for the industrial and technological revolutions that have transformed global economies. It is ironic that over the last forty years of progress, we have also created a significant set of challenges that need to be addressed as a consequence of our continued innovation.
The rapid advancement and application of digital technology has improved electric system operations, reliability, and process efficiency. But it carries with it a heavy responsibility. We must now safeguard this increasingly ubiquitous element of the grid from those who would seek to disrupt technology and cause harm.
This dilemma of digital technology is that, like electricity, it enables great things but can cause great damage if not managed properly. There is one very important difference, though. The nature of electricity is understood sufficiently to prudently manage the risks it can present, whereas cyber threats are constantly evolving and are co-adaptive (the threat will consider the protections you have employed and find ways to circumvent or compromise them). This has led me to conclude that many of the difficulties we experience addressing cyber security come less from how the electricity industry behaves, and originate more from the complex nature of digital technology and the unique risks it engenders.
Many of you know that I have often shared my thoughts on the difficulties of managing cyber risk in the complex and vast systems that comprise power grids. There are a number of necessary constraints, such as the golden rule of “first, do no harm” (do not negatively impact system reliability and safety). Other challenges have more to do with the state of industrial control system technology and the tough job of keeping up with the rapid changes in technology and the evolving capabilities of would-be cyber attackers.
NERC and the industry have pioneered the use of mandatory reliability standards as one tool to manage risks to reliability across the complex weave of entities that comprise the bulk power system in North America. I am confident that progress will continue to be made by NERC and the industry, but it takes time to learn what works well when dealing with the scale of the bulk power system and specifically, when trying to address the difficult-to-bound risk that comes from cyber threats. I, like many others, understand that we must continually evaluate the processes we use to develop and manage the CIP standards. We must consider the effectiveness of the standards requirements when compared to how digital systems are being compromised by current cyber attackers. Cognizant of the risks of unintended consequences, we need to fully understand the behaviors we are promoting by using standards that require strict compliance. Finally, we need to be mindful of the spirit and goal of the standards and the importance of providing enough flexibility so that utility security programs can adapt to best confront the threats they face.
I have had the pleasure of working alongside some of the most gifted experts in power engineering and industrial control system security over the years. The power industry has a rich collection of experts often passionately inclined to work together as a community to solve complex problems. Their expertise is essential in determining how to best apply cyber defenses in the highly-specialized environments of power generation, transmission, and distribution. We would also, however, benefit from the experience and learnings of other industries’ cyber professionals who themselves labor to defend highly-targeted networks. I have grown to appreciate the adaptive nature of cyber threats and the importance of maintaining a current understanding of how systems are compromised. NERC has engaged with the U.S. government to benefit from its understanding and should continue to look for opportunities to learn from government and cyber security experts from other industries bent on tackling this common problem.
Context matters in how we think about these problems, in how we frame our concerns, and in how we formulate new approaches so that we may attain the many benefits of new technologies while managing the risk. I am confident that we will begin to engineer away the worst consequences, continually find more effective practices and develop the necessary skills to better address sophisticated and ever changing cyber threats. This is a difficult task that will continue to require our best efforts, to include regulation. It is a task that demands a prudent approach as the effectiveness of our investments needs to be measurable and demonstrable. We must continue to innovate if we're to fully enjoy the many benefits of affordable and reliable electricity.
Michael can be reached at michael.assante@nbise.org
Monday, June 6, 2011
Electric Utility Leadership calls for more Industry Attention to Security
I'm always campaigning for more utilities to hire or otherwise install more senior level security personnel (e.g., CSOs, CISOs) to elevate the security and privacy requirements using business language more accessible to C-level executives, the Board of Directors, and other senior stakeholders.
Well, one big company, namely Atlanta-based Southern Company, has leapfrogged that goal and has a vocal CEO articulating the essential need for the industry to do better on security. THIS POST by fellow energy sector security blogger (and very active leader and member of cyber security working groups) Mike Ahmadi gives you more perspective on this.
And alerts you to a key initiative re: certification of systems and products where Southern is leading the way. One thing I can say for sure: you'll be hearing more about the proposal on this known as IEC 62443 2-4, so stay tuned.
Tuesday, March 1, 2011
Smart Grid Security East - Underway on Day One with a NISTIR 7628 Progress Report
My, but how this conference has grown since its predecessor in San Jose last year. Hundreds of folks in the hall this morning to hear Erich Gunther's welcome message, and now we've got these folks on stage talking 7628:
- Bill Hunteman, DOE
- Annabelle Lee, EPRI
- Daniel Thanos, GE
- Sandy Bacik, Enernex
- Mike Coop, ThinkSmartGrid (moderator)
Annabelle mentioned she likes Daniel's phrase - thinking about securing the grid from "toasters to turbines." I'm paraphrasing here, but Daniel, hesitant to put all our security eggs in the NISTIR 7628 (or any other regulatory) basket, got the following across:
Security is a very dynamic space. Regulation can actually degrade security. It freezes our approaches to a moment in time, while threats continue to change so quickly. Rather we should seek to help folks think better so they can adapt to threats as they evolve.
Then Bill said (my paraphrase again):
I challenge each of you coming to collaborate - let's see if we can reach an agreement, as a community, on what it means to protect the grid. Everyone back in DC still doesn't have a common definition on what this means, and that's really hampering progress.
Someone then asked a question on how we are measuring (and therefore demonstrating) progress to leadership in Washington and elsewhere, while noting that the previous point on not having a common definition to work from is a factor. The answer to that wasn't completely clear, and my bet is that the question on measurement will be asked again before this conference is through.
To be continued ...
Wednesday, February 2, 2011
January was a Rough Start for 2011 Smart Grid Security Regulation Report Cards
Hopefully the baby Smart Grid will do better in its security courses later this year and next, but it scored about a D average on its first two big US Federal tests of the year when results were reported last month.
First came the Government Accountability Office (GAO) report titled “Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed” which highlighted security shortcomings in the 1.0 version NISTIR 7628. Much of what it reported was not new news to those of us in the community, as it pointed out what NIST had already revealed itself: that it hadn’t been able to address every topic it originally intended by the 1 September 2010 deadline, and was working now to remedy the situation. One of these topics included strategies to defend against combined cyber and physical attacks. It also critiqued FERC’s lack of authority to regulate grid security beyond large generation and transmission systems.
Later in January, the Department of Energy's IG office issued its report "Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security," in which it found FERC cyber security standards (as implemented by NERC) and the overall approach to regulating the national grid quite lacking, saying current standards "were not adequate to ensure that systems-related risks to the nation's power grid were mitigated or addressed in a timely manner." The IG also gave FERC a bit of a break when it acknowledged, "We found that these problems existed, in part, because the Commission had only limited authority to ensure adequate cyber security over the bulk electric system."
My takeaway? Both of these reports are telling us what we already know: that the current Federal regulatory approach and authority over grid security matters is far from optimal, and that no one, especially Congress, is quite sure yet what to do about it. Meanwhile, as seen here at the mighty Distributech Conference in San Diego, the Smart Grid marches on just the same.
Image credit: igloobrew on photobucket.com
Tuesday, December 7, 2010
FERC and NERC Down the 2010 Cyber Security Standards Home Stretch
Been saying it all year: tension is building between those who want to tighten up security standards faster and those who want to take a gentler, but more predictable, path. FERC and NERC have been the primary protagonists in this struggle, as described a few months ago HERE.
For those who are paying attention, a few items have surfaced as the year winds down, and here's a short summary for you:
First we have the so-called "bright line" ruling in which FERC says we (especially NERC) need a new and crisper definition of the bulk electric system (BES). Here's an excerpt in their own words:
Today's final rule directs NERC to revise its definition of the term "bulk electric system" to ensure that the definition encompasses all facilities necessary for operating an interconnected electric transmission network .... FERC said the ultimate goal ... is to eliminate inconsistencies across regions, eliminate the ambiguity created by the current characterization of the 100 kilovolt (kV) threshold as a general guideline, provide a backstop review to ensure that any variations do not compromise reliability, and ensure that facilities that could significantly affect reliability are subject to mandatory rules.
So the ball's in NERC's court on that one. A few days after that press release, FERC Commissioner Jon Wellinghoff spoke out on security and the Smart Grid for Forbes.com. Seems like he really wishes things could go a lot further and a lot faster than they have so far, and that Congress hasn't come through yet:
... there have been a number of legislative proposals put forward, none of which have been passed….
Without mentioning it by name, he also plugs the GRID Act, which is still stuck half-way through Congress:
We do believe that there's some additional authority necessary with respect to cyber-security, especially with respect to an imminent threat or vulnerability. We think FERC needs the authority to issue an order to the utilities to take a specific action. Right now we don't have that authority. It all has to go through the National Electric Reliability Corporation…. It's kind of a cumbersome process now, that takes a lot longer than you would want if you knew of some immediate threat or vulnerability….
Which brings us to some analysis of what's on deck for 2011 in the NERC CIP world. From NERC CIP compliance experts Abidance Consulting, here's their well-informed take on how this will likely play out in version 4 of the CIPs:
The NERC CIP Standards are being reviewed and updated by various NERC committees to include the Standards & Development Team .... The new version(s) will categorize Critical Assets and Critical Cyber Assets based on impact assessment as "High", "Medium" and "Low". The new methodology will not use the current Critical Assets and Critical Cyber Assets. [Rather], CIP standards will be customized to each category based on their impact on the BES ....
That's a heck of a lot of change. Too much for some, though others would call it long overdue. And here's a big (and good) one:
The new version of CIP will expose several assets to CIP compliance requirements unlike today as the serial connection will no longer be able to provide immunity from compliance.
This change, if and when it takes effect, will reverse a trend that some analysts have used to argue that the CIPs actually weaken grid security.
We could go on, but this is a blog and our job is to keep these posts short and tasty. Kind of like tapas. Speaking of which, there's plenty of action on the menu for 2011 for utility security pros and everyone in the community who wants to see them succeed. Looking forward to it!
Photo credit: Erik Fitzpatrick on Flickr.com
Labels: FERC, legislation, nerc, regulation, standards
Tuesday, September 21, 2010
The Pulse Quickens as the Plot Thickens: FERC/NERC continue to Skirmish re: Grid Security Standards
Industry sonar and radar detect nothing but collision ahead as these orgs plow on along their respective vectors: FERC wants more security faster for utilities; NERC wants to hold steady with slow, incremental changes. There's some method to each approach, though they're clearly not compatible. I summarized thusly in this week's HuffPo article:
The case for going faster rests on a couple of basic facts and observations. Here are just a few:
- Attacks on energy systems are increasing in tempo and sophistication (for those who haven't heard of it yet, the recently emerging Stuxnet virus has provided a real wake-up call for industry in terms of attackers' advanced capabilities)
- Other industries/sectors have much more substantial security controls and governance already in place and have only benefited from them
- Emphasizing security early in the Smart Grid window will yield benefits including cost savings and much better efficacy
- Oh yeah, and one more little thing: our entire economy and the well-being of our nation depend on secure and reliable power infrastructure
- Cultural challenges inside utility co's will hinder attempts to make them change too much too quickly
- Regulatory impediments need to be resolved before the whole system can be secured (for example, the fact that the Feds only have jurisdiction over generation and high-voltage transmission assets, while policy for low-voltage distribution is left to the states, and there's little/no standardization of state policy at present)
- Security standards are still taking shape. NERC's CIP standards are still in their infancy, and NIST just released the 1.0 version of its "Smart Grid Cyber Security Strategy and Requirements"
- Lastly, it costs money to significantly ratchet up the security posture of any complex system, not to mention the one that's been called the greatest engineering achievement of the 20th Century
Photo credit: Rosmary on Flickr.com
Labels: cyber security, FERC, nerc, regulation, standards
Tuesday, September 7, 2010
Clock is Winding Down on NERC CIP 002-4 Mandatory Data "Request"
FYI: Utilities had until today, 7 Sep 2010, to respond to four not-so-simple questions/directives:
1. What is the number of elements in your Existing Critical Asset List?
2. For each element in the list above, use the criteria in the enclosed Attachment 1 (not provided here) to determine how it would be categorized. Each element on the list must be counted only one time. If a particular element could be qualified as multiple criteria, please choose the one that applies most to the element. The sum of the elements included in the answers to question 2 should equal the number of elements provided in the answer in question
3. Use the criteria in Attachment 1 to estimate the Critical Assets and each Critical Assets’ impact level that your Registered Entity would report for its share of the Bulk Electric System. Please count each Critical Asset only once. If a particular Critical Asset could be qualified as multiple criteria, please choose the one that applies most to the Critical Asset. It is understood that, given the time frame, this is a rough estimate and is not necessarily the exact number that you would report given enough time to perform a detailed analysis of your system.
4. Enter all of the NERC Compliance Registry (NCR) numbers that you are reporting on an enterprise-wide basis for.
It will be very interesting to see what comes of this activity. We should begin to get a feel for the version 4-driven increase in scope and complexity of NERC CIP preparation, auditing and reporting pretty soon.
The NERC survey page can be seen HERE.
Photo credit: laffy4k / Chris Metcalf on Flickr.com
Labels: CIPs, cyber security, nerc, regulation
Tuesday, April 20, 2010
Pushmi-pullyu: Utilities and Regulators Tussle over Forward-looking Projections vs. Backward-looking Reporting
What matters more for forecasting: imagining where you're going or describing where you've been?
We've had talks with utilities who, facing looming, life-altering technology, regulatory and business model changes, are trying to do more than merely recount the budgetary planning steps they've taken in previous years. We've also spoken with ones who aren't ready for this kind of change and don't want to hear about "future test years," for example.
But as the Washington Utilities and Transportation Commission (UTC) noted several years ago:
"... as imprecise as forecasting may be, projected test year data based on reasonable forecasts should consistently come closer to expressing future conditions than purely historic data will."
I'd say that's doubly and maybe triply true given the current and foreseeable state of major flux the industry is going to be in for the next bunch of years.
What has set this in motion, at least in part, is the Energy Independence and Security Act (EISA) of 2007, which lays out the requirement for utilities to get more future-oriented in their thinking and planning. Here's the applicable part (Section 1307) that's causing some contention:
(a) Section 111(d) of the Public Utility Regulatory Policies Act of 1978 (16 U.S.C. 2621(d)) is amended by adding at the end the following:
(16) CONSIDERATION OF SMART GRID INVESTMENTS-
(A) IN GENERAL- Each State shall consider requiring that, prior to undertaking investments in non-advanced grid technologies, an electric utility of the State demonstrate to the State that the electric utility considered an investment in a qualified smart grid system based on appropriate factors, including:
(i) total costs;
(ii) cost-effectiveness;
(iii) improved reliability;
(iv) security;
(v) system performance; and
(vi) societal benefit.
Sounds like a great idea to me, but of course I'm far removed from the operational trenches, not to mention the politics involved in these activities. As other language in the act stipulates, states don't have to play along with this guidance, and as this GTM article points out, North Carolina is just saying no. In the ensuing policy vacuum, that leaves the state regulatory org, the NCUC, battling it out over what its utilities (Progress, Duke, Dominion) should be reporting on.
Fortunately, security reporting has survived in both the proposed NCUC guidance and the counter proposals of two of the three utilities involved. But it seems to me that in an industry where many of the constituents are embracing new information and energy technologies, new relationships with their customers and partners, and new ways of defining and monetizing their capabilities, stalling on EISA is a short-sighted rear-guard action.
In any sector, little, including security posture, is enhanced by clinging to outmoded planning and reporting practices. In battles between the past and the future, the future (almost) always wins. It'll be a great thing for all involved when the entire industry is moving in the same direction.
Imaginary animal credit: http://3dcadnews.blog.com/
Labels: economics, policy, regulation, Smart Grid