FERC vs NERC: A grid control showdown over cyber security
CONNECTIONS
WWW.INTELLIGENTUTILITY.COM /// JULY/AUGUST 2011 /// p. 44
Cyber security requires organic effort
Strategist Annabelle Lee shares thoughts for utilities and regulators
By Phil Carson
In June, Intelligent Utility Daily Editor-in-Chief Phil Carson held a wide-ranging discussion with Annabelle Lee, a technical executive for cyber security at the Electric Power Research Institute (EPRI). Lee was formerly a senior cyber security strategist at the National Institute of Standards and Technology (NIST), where she guided and coordinated the creation of the NISTIR 7628: “Guidelines for Smart Grid Cyber Security.”

Framed within the context of electric utility cyber security discussions ongoing at the time in the U.S. Congress (detailed in part on pp. 14-16), Carson’s interview spanned three days’ columns in Intelligent Utility Daily. We excerpt portions of those columns here.
At the outset, I asked Lee: What can you tell utilities and regulators about implementing cyber security when standards remain in flux? Her candor was bracing.

Lee referred to the enabling legislation, the Energy Independence and Security Act of 2007 (EISA 2007), which required NIST to create an interoperability framework for the smart grid. The EISA 2007 said that when NIST developed “sufficient consensus,” the Federal Energy Regulatory Commission (FERC) would post standards and invite comment.

According to EISA 2007, FERC could then “adopt” standards without enforcing compliance with them. So, much hinged on what “adopt” meant, according to Lee.

In a Jan. 31 meeting with panelists from utilities and the private sector, FERC Chairman Jon Wellinghoff explored whether there existed “sufficient consensus” around standards identified by NIST. The answer: “No.”

“This left everyone up in the air,” Lee told me.
Subsequently, FERC sought two rounds of comments (on April 8 and 22) in order to resolve the issue, but Lee acknowledged that this state of affairs has left state public utility commissions pondering how to move forward.
Non-prescriptive strategy important

This anecdote merely underscored Lee’s argument that a non-prescriptive approach to cyber security is an important strategy. The NISTIR 7628 is guidance that requires heavy lifting by every utility to protect critical assets. Guidance allows flexibility and innovation, while mandates tend to be inflexible. A one-size-fits-all approach cannot account for the variation among individual utilities’ legacy systems and unique risk profiles.

It’s difficult to deploy tools while utilities watch as standards are developed and vendors race to provide solutions, Lee acknowledged.
“This is another area where the IT, telecom and electric sector communities need to come together to figure out how to use these standards in the electric sector,” she said. “There are some real restrictions in the electric sector that you don’t have in IT. The electric sector has remote devices, limited bandwidth and processing constraints. When you consider IT/telecom-based solutions, you have to think about that.”
Looking end-to-end
“To correctly address cyber security, one needs to look at it end-to-end,” Lee continued. “It requires examining the technical, physical, and administrative procedures. Even if FERC had adopted a specific family of standards, that would not have been the entire solution. Those would be standards designed to be applied in very specific ways. One needs to look at the entire range of security that’s needed. One may have a good technical solution; however, if a person is allowed to enter your building and log onto your system, you don’t have good security.”
In Lee’s view, it is most effective for each utility to designate a cyber security leader, who may have to educate upward to develop executive support for protecting critical assets.

“Part of the problem in approaching cyber security is that many organizations don’t have people who understand this,” Lee said. “Utilities don’t always know the questions to ask when vendors and integrators get involved. It helps to have a person dedicated to this task, and clearly this is not something one learns overnight.”

One argument that’s both substantive and convincing is that cyber security addresses business-continuity vulnerability, which is a reliability and productivity issue.
“Reliability is No. 1,” Lee said. “And cyber security supports reliability. I like to tell people ‘We think we’re at the top of the totem pole, but we’re not.’ We need to support cyber security. Typically, when organizations do a generic risk assessment, cyber security is one component, not the