FERC vs NERC: A grid control showdown over cyber security

More documents

Recommendations

Info

CONNECTIONS WWW.INTELLIGENTUTILITY.COM /// JULY/AUGUST 2011 44 Cyber security requires organic effort + + Strategist Annabelle Lee shares thoughts for utilities and regulators By Phil Carson IN JUNE, INTELLIGENT UTILITY DAILY EDITOR-IN-CHIEF PHIL Carson held a wide-ranging discussion with Annabelle Lee, a technical executive for cyber security at the Electric Power Research Institute (EPRI). Lee was formerly a senior cyber security strategist at the National Institute of Standards and Technology (NIST), where she guided and coordinated the creation of the NISTIR 7628: “Guidelines for Smart Grid Cyber Security.” Framed within the context of electric utility cyber security discussions ongoing at the time in the U.S. Congress (detailed in part on pp. 14-16), Carson’s interview spanned three days’ columns in Intelligent Utility Daily. We excerpt portions of those columns here. At the outset, I asked Lee: What can you tell utilities and regulators about implementing cyber security when standards remain in flux? Her candor was bracing. Lee referred to the enabling legislation, the Energy Independence and Security Act of 2007 (EISA 2007), which required NIST to create an interoperability framework for the smart grid. The EISA 2007 said that when NIST developed “sufficient consensus,” the Federal Energy Regulatory Commission (FERC) would post standards and invite comment. According to EISA 2007, FERC could then “adopt” standards without enforcing compliance with them. So, much hinged on what “adopt” meant, according to Lee. In a Jan. 31 meeting with panelists from utilities and the private sector, FERC Chairman Jon Wellinghoff explored whether there existed “sufficient consensus” around standards identified by NIST. The answer: “No.” “This left everyone up in the air,” Lee told me. Subsequently, FERC sought two rounds of comments on the issue (on April 8 and 22) in order to resolve the issue, but Lee acknowledged that this state of affairs has left state public utility commissions pondering how to move forward. Non-prescriptive strategy important This anecdote merely underscored Lee’s argument that a non-prescriptive approach to cyber security is an important strategy. The NISTIR 7628 is guidance that requires heavy lifting by every utility to protect critical assets. Guidance allows flexibility and innovation, while mandates tend to be inflexible. A one-size-fits-all approach cannot account for the variation among individual utilities’ legacy systems and unique risk profiles. It’s difficult to deploy tools while utilities watch as standards are developed and vendors race to provide solutions, Lee acknowledged. “This is another area where the IT, telecom and electric sector communities need to come together to figure out how to use these standards in the electric sector,” she said. “There are some real restrictions in the electric sector that you don’t have in IT. The electric sector has remote devices, limited bandwidth and processing constraints. When you consider IT/telecom- based solutions, you have to think about that. Looking end-to-end “To correctly address cyber security, one needs to look at it end-to-end,” Lee continued. “It requires examining the technical, physical, and administrative procedures. Even if FERC had adopted a specific family of standards, that would not have been the entire solution. Those would be standards designed to be applied in very specific ways. One needs to look at the entire range of security that’s needed. One may have a good technical solution; however if a person is allowed to enter your building and log onto your system, you don’t have good security.” In Lee’s view, it is most effective for each utility to designate a cyber security leader, who may have to educate upward to develop executive support for protecting critical assets. “Part of the problem in approaching cyber security is that many organizations don’t have people who understand this,” Lee said. “Utilities don’t always know the questions to ask when vendors and integrators get involved. It helps to have a person dedicated to this task, and clearly this is not something one learns overnight.” One argument that’s both substantive and convincing is that cyber security addresses business-continuity vulnerability, which is a reliability and productivity issue. “Reliability is No. 1,” Lee said. “And cyber security supports reliability. I like to tell people ‘We think we’re at the top of the totem pole, but we’re not.’ We need to support cyber security. Typically, when organizations do a generic risk assessment, cyber security is one component, not the
only component. Utilities need to look at the business case, the cost, and make business-based decisions.” “The point that I emphasize about a risk management framework is that business continuity is a form of risk management,” Lee concluded. “You have to make decisions on where to spend resources. What’s most critical to maintain the operation of the business?” In the initial column of the series (above), Lee pointed out that effective security includes components such as physical security, personnel and administratative security, operations security, communications security and computer security. She also pointed out the efficacy of thinking in terms of systemwide, end-to-end measures. “When we interconnect these systems, if there’s an entry point that’s not protected, that’s a great way to access a critical system,” Lee told me. “That means that we need to look at the security of all systems,” she said. “That doesn’t mean you spend millions and millions. The priorities should be set based on an impact level. I like NIST’s low-moderate-high approach to impact assessment where one can take a qualitative approach. In contrast, using a quantitative approach, I’ve observed people argue whether we’re at 6.1 or 6.2, and I don’t understand the difference between 6 and 7, let alone 6.1 and 6.2.” Taking the steps But, you may be asking, how does one begin taking actual steps? Don’t reinvent the wheel, Lee suggested. “Begin with your existing risk management framework and an overall security strategy,” she said. “Take that as the starting point and begin tailoring that for control systems. Does your risk management framework make sense? Does your security strategy make sense? Then put together a risk assessment. Inventory your assets. Weigh the risk of a compromise of confidentiality, integrity and availability. Determine which of those that need to be addressed first.” Applying requirements Once a utility has determined its high-priority risks, it can review and apply the “requirements” in the NISTIR 7628, “Guidelines for Smart Grid Cyber Security.” “Requirements” offer guidance to effectively address certain vulnerabilities on a systemwide basis, Lee explained. The individual utility assesses its risks and prioritizes them. To mitigate those risks, the utility selects the applicable requirements from the NISTIR 7628 and tailors them to the specific system, in order to effectively address the risk. “When examining the ‘requirements,’ assess the ‘requirements’ for a system,” Lee said. “That’s important, because risk from a system perspective may have certain requirements that need to be implemented in some components and not in others. If one implements every requirement in every component in a system, it won’t function, performance will drop. For instance, if a firewall is required, it is typically installed at the boundary, not between every single device. Intrusion detection is also typically installed at the boundary, which is why risk must be assessed from a system perspective.” Returning to the theme that required standards may be inflexible and, therefore, less effective than guidelines, Lee said: “Standardization is important to ensure interoperability. But each utility must decide how it’s going to address cyber security. In part, the approach depends on a utility’s system architecture, the types of protocols that are being used, and the communications medium they use. The answers are specific to the technologies you’re using.” Dealing with privacy Finally, Lee touched on the privacy issue regarding customer data. “Utilities have had to deal with privacy for decades,” she said. “They have customer information. The difference, moving forward with smart meters, is the granularity and frequency of the information being collected. What will utilities do with that data? Third-party organizations want to get involved, particularly from an energy management perspective. How is information shared with those vendors? Who will be responsible for the integrity of that information? “Most states have privacy-breach laws. How are those addressed by a utility? Ownership of energy use data depends on the state. It is a vexing issue that at some point will have to be dealt with,” Lee concluded. WWW.INTELLIGENTUTILITY.COM 45
Page 1 and 2: VOL 3, ISSUE 4 » JULY/AUGUST 2011
Page 3 and 4: SMART GRID PROVEN TEC H N OLO GY NO
Page 5 and 6: Defy the constraints of time and te
Page 7 and 8: Is it possible to meet the increasi
Page 9 and 10: Heading to the Smart Grid? You’ll
Page 11 and 12: Defining the Smart Grid. Your visio
Page 13 and 14: “ The utility side of this strate
Page 15 and 16: www.bentley.com/substationeC Bentle
Page 17 and 18: WWW.INTELLIGENTUTILITY.COM 15
Page 19 and 20: Establishing coherent policy + + Ex
Page 21 and 22: WIRELESSLY MONITOR GRID PERFORMANCE
Page 23 and 24: ILLUSTRATION BY MELISSA DEHNER Dist
Page 25 and 26: SOURCE-TO-SOCKET: VENTYX DELIVERS V
Page 27 and 28: WWW.INTELLIGENTUTILITY.COM 25
Page 29 and 30: launching September, 2011 Introduci
Page 31 and 32: © 2011 Enspiria Solutions, Inc., a
Page 33 and 34: Knowledge2011 Utility Executive Sum
Page 35 and 36: Texas co-ops opt for public communi
Page 37 and 38: magazine daily magazine daily magaz
Page 39 and 40: Log On Today! Inform yourself for t
Page 41 and 42: This lack of knowledge was somewhat
Page 43 and 44: Focus on Smart Grid Reality, Not th
Page 45: Yes, you can take it with you! FREE
Page 49 and 50: United States by a large margin, an
Page 51 and 52: The resulTs are in! Thermal Direct

FERC vs NERC: A grid control showdown over cyber security

Create successful ePaper yourself

Delete template?

Save as template?