Monday, January 2, 2012

PJM CEO Speaks Out on Cyber Security and Resilience

In an interview published a couple of weeks before Christmas, Linda Evers of the excellent Smart Grid Legal News blog conducted a brief Q&A with the PJM CEO Terry Boston and got quickly to the subject of grid cyber security.

PJM, in case you're new to this, is the Pennsylvania-New Jersey-Maryland Interconnection, an RTO that balances power and oversees wholesale transmission markets across thirteen states and the District of Columbia.

When Evers asked the classic "What keeps you up at night?" Boston responded:

"Cyber security. It has changed in the last three to four years. It’s no longer just a matter of trying to keep kids out of the system. Making sure we have security built in not bolted on to all of our networks and systems is probably the most important part of what we do. You have to realize this is a new world we’re in. We have to be very diligent, and we need resilience. Resilience is the ability to recover after a breach or intrusion."

Can't help but feel this approach is realistic and fully in tune with the times, especially in light of the numerous cyber security attacks of 2011 that successfully targeted many different sectors.

With or without a forward-leaning CEO, utilities are regulated to think this way to a certain extent. NERC CIP 009 - Recovery Plans for Critical Cyber Assets insists that asset owners make plans for responding when their cyber systems are under attack, including when they fail outright or come under the control of the attacker. NERC also wants to see evidence that regular practice sessions and exercises are being conducted, though I don't know how detailed and realistic these exercises are. Looking at the language of CIP 009, it appears that an exercise of some kind, once a year, may suffice to get a clean bill of health in this category.

In my mind, connecting the dots from the reliability of cyber systems to the reliability and quality of performance of generation, transmission and distribution equipment and revealing the potential impacts to the utility and its customers is the work required to build the case for bolstering resilience efforts.

Greatly appreciate it when senior energy-sector leadership articulates practical approaches to dealing with always-evolving cyber threats. Feels like a great place to start for 2012.