Despite the benefits, the Commission has concerns regarding the potential ambiguity and, ultimately, enforceability of the CIP Version 5 Standards. Specifically, 17 of the requirements of the suite of CIP Version 5 Standards include language that requires the responsible entity to implement the requirement in a manner to “identify, assess and correct” deficiencies. The issue is that this language may be unclear with respect to the compliance obligations it places on regulated entities making it too vague to audit and enforce compliance. The NOPR seeks comments on this and several other concerns. Moving at the speed of technology, some parts of CIP 4 may never become enforceable; it is expected some utilities may go from CIP 3 to CIP 5 for some standards.

systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

Threats to critical infrastructures typically fall into two categories: (1) physical threats - physical threats to tangible property and (2) cyber threats - threats of electronic/computer-based attacks on the communications components that control critical infrastructures. Many of these critical infrastructures are owned and operated by the private sector. Therefore, it is essential that the government and private sector work together to develop a strategy for protecting them and assuring their continued operation. 

The National Institute of Standards and Technology is conducting a comprehensive review to develop a framework to reduce cyber risks to critical infrastructure (“Framework”). The Framework will consist of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks. The RFI requests information to help identify, refine and guide the many interrelated considerations, challenges and efforts needed to develop the Framework. Responding to the NIST RFI is one of many action items the private sector can take. Several companies have already filed their comments. Some of the questions asked in the RFI include:

• What are the current regulatory and regulatory reporting requirements in the United States (e.g. local, state, national, and other) for organizations relating to cybersecurity?
• What organizational critical assets are dependent upon other critical physical and information infrastructures, including telecommunications, energy, financial services, water and transportation sectors?
• What do organizations see as the greatest challenges in improving cybersecurity practices across critical infrastructure?
• Describe your organization's policies and procedures governing risk generally and cybersecurity risk specifically. How does senior management communicate and oversee these policies and procedures?
• How do organizations define and assess risk generally and cybersecurity risk specifically?

Written comments, due by April 8, 2013, may be submitted by mail to Diane Honeycutt, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899. Submissions may be in any of the following formats: HTML, ASCII, Word, RTF, or PDF. Online submissions in electronic form may be sent to cyberframework@nist.gov. Please submit comments only and include your name, company name (if any), and cite “Developing a Framework to Improve Critical Infrastructure Cybersecurity” in all correspondence. All comments received by the deadline will be posted at http://csrc.nist.gov/ without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or confidential business information).

• Is cybersecurity integrated between business systems and control systems? For the existing grid and for the smart grid?
• Have logical and physical connections to key systems been evaluated and addressed?
• Does the company maintain standards and expectations for downtime during the upgrade and replacement cycle?
• Does the company have equipment dependent on remote upgrades to firmware or software, or have plans to implement such systems?
• Does the company have a plan in place to maintain system cybersecurity during statistically probable upgrade failures?
• Is there a schedule for required password updates from default vendor or manufacturer passwords?
• Has cybersecurity been identified in the physical security plans for the assets, reflecting planning for a blended cyber / physical attack?
• What network protocols (IP, proprietary, etc.) are used in remote communications? Is the potential vulnerability of each protocol considered in deployment?

I recently saw an informative video by Cisco that provides a nice description of the Cisco Connected Grid FAN Solution which I believe will help many utilities address the issues raised in the primer. According to Cisco’s whitepaper, benefits of the Cisco Connected Grid FAN Solution include reduced system vulnerability to physical attack or cyber attack, operating resiliency against security disruptions, secure access and data privacy for smart grid information and a framework for meeting regulatory compliance requirements.

Recently, PJM CEO Terry Boston stated in his interview with us that security of the electric grid is a critical issue. As cyber threats to the nation’s electrical grid become increasingly sophisticated and dynamic, the Department of Energy is continuing to work closely with the Department of Homeland Security, other government agencies and industry to reduce the risk of energy disruptions due to cyber incidents. Last September, the Department released the Roadmap to Achieve Energy Delivery Systems Cybersecurity and a Draft Cybersecurity Risk Management Process Guideline that seeks to establish frameworks and processes to help the electricity sector manage cybersecurity risk. Those looking to stay current on smart grid security issues should check out the Smart Grid Security Blog. Its author, Andy Bochman, provides a nice overview of these issues and provides a quick way to stay up to date. Given the importance of energy to our nation’s economy, it is nice to see cybersecurity and the electric grid get more attention.

The legislation requires DHS to identify cyber security risks on a sector-by-sector basis and to collect existing performance standards to determine the best methods to mitigate identified risks, and calls for the appointment of a “lead cyber security official” within DHS to coordinate the Department’s cyber security activities with the Department’s other infrastructure protection activities.

The legislation would also establish the National Information Sharing Organization (NISO), a private-sector-controlled, not-for-profit organization to facilitate best practices, provide technical assistance and enable the sharing of cyber-threat information. NISO would be run by a board of directors composed of representatives from five different Federal Agencies, including DHS, and 13 members of the private sector, including members representing the Communications, Electric, Oil and Gas, Health Care and Financial infrastructure sectors. Here is a great section-by-section summary of PRECISE.

Shortly after comments are filed, NICE will be holding its second annual NICE workshop, "Shaping the Future of Cybersecurity Education—Engaging Americans in Securing Cyberspace," Sept. 20-22, 2011, at the NIST campus in Gaithersburg, MD. The strategic plan will be discussed. Government, academia and industry, as well as professionals from small- and medium-sized businesses are expected to be represented at the workshop.

The goals and objectives of the plan include:

• Increase public awareness of cybersecurity risks
• Responsible use of the Internet
• Cybersecurity as a career path

Additionally, the plan seeks to develop the next generation of cybersecurity workers and encourage interest in science, technology, engineering and mathematic (STEM) disciplines. All of these career options will help train the next generation of utility employees, including those with the aptitude to work on smart grid related issues. My guess is if successful, this plan will benefit a myriad of industries. Figure 2 from the report illustrates how the elements of the spectrum link to NICE goals and overall strategic outcomes.

Wood: Thank you for the opportunity to discuss my views concerning the role of innovation. Innovation does and will continue to play a critical role in reducing vulnerabilities to the power grid. A recent article in the Washington Post citing top government intelligence officials indicated that "a major cyber attack somewhere in the United States is increasingly possible.” The article went on to warn that an assault on America's power grid system “represents the battleground for the future.” Based upon this article and several others, as well as my own observations and analyses, it goes without saying that a successful cyber attack on the grid could have a devastating impact on our national security, economy and our way of life.

Evers: Ted, I agree. One of the goals for the smart grid is for it to operate resiliently against attack and natural disaster. A smarter grid protects against outside forces by incorporating a system-wide solution that reduces physical and cyber vulnerabilities and enables fast recovery from disruptions. What is the connection to innovation?

Wood: Innovation = grid resiliency

Evers: OK, connect the dots for me.

Wood: Through innovation, new technologies can emerge to help enhance the grid’s resiliency. Such technologies should address protecting the grid from cyber and other attacks, detecting when failures occur and responding and recovering accordingly. Successful innovation includes creativity, investment and intellectual property (IP) protection. Investment is essential to transforming creativity into tangible technologies and IP protection is a significant factor considered by investors when deciding in which technologies to invest to maximize their returns. And it is critical to have strong IP protection in place before entering the marketplace.

Evers: So it’s a cycle. Innovation → Investment → IP protection→ safer, smarter grid?

Wood: That’s right. However, I would adjust your model a bit:

Innovation → IP protection → Investment → safer, smarter grid. Most investors want to know the IP protection is in place first.

Evers: So Ted, with all of the American Recovery and Reinvestment Act funding, the race is on. I imagine there are a lot of great ideas out there and the developers may feel like they can’t get to the marketplace quick enough. Any ideas on how you can help them? Admittedly I am not from the Patent and Trademark Office, but I have been involved in getting regulatory approvals for a long time and they usually don’t occur at the speed of innovation.

Wood: Recognizing the urgency of cyber security and the development of the smart grid, I believe that some sort of Grid Resiliency patent incentive program might help to spur grid resiliency innovations. The objective of one such program, for example, would be to streamline the examination of patent applications specifically focused on technical innovations to reduce vulnerabilities by ensuring the grid's resiliency. This streamlined process could help improve the revenue stream for innovators by increasing the development speed of their products and technologies. For example, patent applications covered under such a program would include resiliency-enhancing technologies that could be added to existing grid components and systems, as well as resiliency-enhancing technologies integrated into next-generation components and systems. The intent is to leverage the U.S. patent system to encourage grid related R&D investments and innovations which would reduce the grid's vulnerabilities. There are other programs, some already underway at the US Patent and Trademark Office, to encourage innovation across the board. These programs could be used to spur grid innovations.

Evers: That is great! What is the current status of the Grid Resiliency Patent Incentive Program?

Wood: We are vetting a number of different ideas through different means, such as industry blogs and discussions with industry and government representatives. The goal is to try and find the right mix of ideas that will help promote innovation and R&D investment in grid resiliency enhancing technologies.

Evers: I can imagine there are a lot of entrepreneurs hoping to participate. It will be a game changer for those who need funding as soon as possible. Please let me know when this is finalized. What are the other programs at the PTO that can be leveraged by smart grid innovators?

Wood: There are two that come to mind. The first is the Green Technology Pilot Program, which provides for accelerated examination of patent applications related to development of renewable energy sources, energy conservation etc. A few of the technical categories covered by this pilot program also related to smart grid. The second program is the newly implemented Track 1 initiative. Track 1 provides for accelerated examination for applications for payment of a $4,000 fee. Given the limited scope of the green pilot program with respect to grid resiliency and possibility that all innovators may not have access to Track 1 given the required fee, there may still be room for additional programs or incentives to spur grid resiliency innovations.

So Linda, I am going to switch things up a bit and if you don’t mind, I have a few questions for you?

Evers: Sure, but let me remind you…it’s my blog. (laughing)

Wood: I think the next roadblock is getting the utilities to try the new products. I know you represent a lot of utilities so I wondered if you had any insight to share on this issue?

Evers: Absolutely. …cost recovery.

Wood: My turn. Please connect the dots for me.

Evers: Ted, you are talking about new technology. The developer should expect to demonstrate to the prospective utility client that the benefits outweigh the risks. We take risks everyday or nothing would get done. In the case of the smart grid, we know the cost of doing nothing is high. However, it will be an extremely expensive undertaking to fully develop the smart grid. Utilities are very careful when making investments out of concern they will not get the cost recovery they seek from state regulatory agencies.

Wood: But developing the smart grid is a huge priority for our country. I would think the state regulators would be supportive?

Evers: I know this may surprise to you, but there is a fair amount of regulatory uncertainty in this area. Views towards the smart grid will vary by state and some states have laws that require aggressive action in this area. Generally, utilities have to summit their plans to their state PUCs for approval. Part of the approval process is making the business case to support the proposed expenses. And let me tell you, 2010 was a rough year for smart grid approvals, particularly the cost recovery issue, in spite of Uncle Sam contributing $4.5 billion.

Wood: Really?

Evers: Yes! Maryland, Connecticut, Indiana and Ohio to name a few. And in California and Maine, the regulators are acting on one of my favorite lines: “I reserve the right to change my mind,” and are contemplating revising plans they have already approved, notwithstanding the fact that these utilities have already implemented most of the plan.

So for the innovators out there, the best way to get selected is to educate, educate, educate. Spend time explaining to regulators and consumer advocates the importance of your product to the grid. In the end, how does it benefit customers? Ideally, the product should be apart of the utility’s plan that gets approved.

Ted, it will happen slowly at first – layer by layer, but we will get there. Remember when cell phones first came out? For the first few years they were big and clunky and really only used by executives. And now just last year, even to my surprise, off we went to buy my son an iPhone for his 13^th birthday. Progress can be like a sluggish car, slow to get going but it can hold its own on the highway. One day you will look around and bam: you will be driving to Pennsylvania to visit my family without any thought as to where you will charge your electric car; people will just know not to wash clothes and dishes in the afternoon; their appliances will conveniently start the laundry and dishes for them at 2:00 am and utilities will restore service before you even know there was an outage. All these great smart grid related things will be happening and as a county we will be more energy efficient.

The report further identified the following concerns:

• Aspects of the regulatory environment may make it difficult to ensure smart grid system’s cybersecurity
• Utilities are focusing on regulatory compliance rather than comprehensive security
• The electric industry does not have an effective mechanism for sharing information on cybersecurity
• The electric industry does not have metrics for evaluating cybersecurity
• Consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems

In response, both NIST and FERC agreed the report made useful findings. NIST, however, emphasized that it did not forget to address the key risk as the GAO accused, but that its guidelines addressing that risk weren’t ready for publication in 2010. FERC agreed that a more coordinated approach to enforcement may be desirable, but it pointed out that Congress made the adoption of smart grid standards by utilities and manufacturers voluntary, not mandatory.

Although the GAO report makes useful suggestions, some of its generalizations and assumptions may be a bit unfair or premature. For example, despite the overbroad conclusion that consumers are inadequately informed about the benefits, costs and risks of smart grid systems, some smart meter projects have been successfully executed and well-received by informed consumers. Austin Energy in Texas, for example, credits its smart meter success (installing 400,000 residential smart meters with wide customer acceptance) with extensive education and outreach to consumers. Also an innovative smart grid pilot for commercial customers in Charlotte, North Carolina, called “Envision: Charlotte” appears to enjoy the support of informed customers. And since sharing information is a new project that is at the core of Smart Grid, it seems premature to accuse the electric industry for not already having an effective data-sharing mechanism.

Everyone agrees that we need a Smart Grid that is secure. How best to achieve that goal needs further discussion.

The CSWG privacy subgroup performed a Privacy Impact Assessment (PIA) for the consumer-to-utility aspect of the Smart Grid. The following questions navigated the process of performing the consumer-to-utility PIA:

What personal information may be generated, stored, transmitted, or maintained by components and entities of the Smart Grid?

How is this personal information new or unique compared with personal information in other types of systems and networks?

How is the use of personal information within the Smart Grid new or different from the uses of the information in other types of systems and networks?

What are the new and unique types of privacy risks that may be created by Smart Grid components and entities?

What is the potential that existing laws, regulations, and standards apply to the personal information collected by, created within, and flowing through the Smart Grid components?

What could suggested standardized privacy practices look like for all entities using the Smart Grid so that following them could help to protect privacy and reduce associated risks?

Although not exhaustive, Table 5- 2 from the report provides a snapshot of some of the concerns. With only your imagination as the limit, there are many potential uses for granular energy data when it is combined with personal information. This applies to businesses as well as residential customers.

Table 5-2 Potential Privacy Concerns and Description

The report is a high-level, preliminary assessment of potential reliability considerations. “This preliminary assessment reviews how the evolving integration of the smart grid can support bulk power system reliability,” said Mark Lauby, Director of Reliability Assessment and Performance Analysis at NERC. “It will be vital that the system is planned, designed and operated to address the grid stability and cyber considerations.”

The report highlighted concerns about the number of new devices being connected to the grid. It states that a robust certification process is needed to ensure that new smart grid devices and systems are added to a grid function in the manner in which they were intended.

It is not sufficient that smart grid devices and systems be certified. Rather, there must also be a robust change control process that will allow entities to document changes made to devices and systems after they are purchased and installed. Page 82.

The report also addresses the need for NERC to enhance its standards as the smart grid evolves to address areas that have not previously been covered by NERC reliability standards.

NERC is the electric reliability organization (ERO) certified by the Federal Energy Regulatory Commission to establish and enforce reliability standards for the bulk-power system.

NIST has posted technical narrative summaries of the standards to assist FERC and other interested Smart Grid stakeholders. These five IEC standards are concerned with the structure of messages exchanged within and across Smart Grid domains and are fundamental to interoperability:

• IEC 61970 and IEC 61968: Provide a Common Information Model (CIM) necessary for exchanges of data between devices and networks, primarily in the transmission (IEC 61970) and distribution (lEC 61968) domains.

• IEC 61850: Facilitates substation automation and communication as well as interoperability through a common data format.

• IEC 60870-6: Facilitates exchanges of information between control centers. 

• IEC 62351: Addresses the cyber security of the communication protocols defined by the preceding IEC standards.

George Arnold, national coordinator for smart grid interoperability, states in a letter to FERC, these standards will be updated as Smart Grid requirements evolve.

In its simplest terms, the phrase “smart grid” refers to digitizing and upgrading the electric infrastructure to allow for multi-way communication.  Currently the electric delivery system provides one-way communication.  As the grid evolves and is upgraded, many parties will have access to energy date and will be able to communicate with the grid.  The smart grid will evolve over time.  The general view is that a smarter grid will accomplish the following:

• Enables active consumer participation:  The goal is to provide customers with access to more consumer friendly information about their electricity usage, pricing and incentives. The hope is that this new knowledge will influence usage behavior. This leads to a more efficient and reliable operation of the overall grid.

• Accommodates all generation and storage options:  A smarter grid will integrate power generation and distribution from multiple and widely dispersed sources such as solar, wind and other energy sources including emerging storage technologies.

• Enables new products, services, and markets:  A smarter grid enables the creation of new electricity markets, from the energy management system at home to technologies that allow consumers and third parties to bid their energy resources into the electricity market.

• Provides power quality for the digital economy:  A smarter grid provides power quality for the digital economy; helping to monitor, diagnose, and respond to power quality deficiencies. It will dramatically reduce customers' losses due to poor power quality.

• Optimizes asset utilization and operates efficiently:  A smarter grid will optimize asset utilization and enable efficient operation by improving load factors, lowering system losses, and managing outages or faults in an enhanced manner. Outage recovery time will improve.

• Anticipates and responds to system disturbances:  Most of the time, an electric company does not know about an outage until notified by a customer.   A smarter grid will perform continuous self-assessments to detect and analyze issues, take corrective actions to mitigate them and rapidly restore grid problems as necessary. These digital technologies can also handle problems that are too large or quick for human intervention. A smarter grid is often referred to as a self-healing grid. 

• Operates resiliently against attack and natural disaster:  A smarter grid protects against outside forces by incorporating a system-wide solution that reduces physical and cyber vulnerabilities and enables fast recovery from disruptions. 

"The Modern Grid Strategy: Powering the 21st century economy," is a four minute video that demonstrates the basic concept of the modern grid and its characteristics. It is published by the Department of Energy.