The Board on Energy and Environmental Systems (BEES) of the National Academies of Sciences, Engineering, and Medicine provides independent advice to the United States government and the private sector on science and technology policy issues related to energy and the environment. Given the importance of electricity to our nation’s health, safety, and economy, BEES has researched methods to minimize the impact of extreme weather events, earthquakes, cyber-attacks and other disasters that have the potential to cause large-scale outages. BEES’ most recent report, Enhancing the Resilience of the Nation’s Electricity System, will be publicly released at 11 a.m. EST on July 20, 2017.

To provide insight regarding important issues in the report, BEES will host a free webinar on July 20, 2017, at 2 p.m. EST. The following authors will be panelists on the webinar:

  • Granger Morgan, Chair, NAS, Carnegie Mellon University, Pittsburgh, Pennsylvania
  • Jeff Dagle, Pacific Northwest National Laboratory, Richland, Washington
  • William Sanders, University of Illinois-Urbana Champaign, Urbana, Illinois 

They will identify technologies, policies and organizational strategies that should be implemented on the federal, state, and local levels. At the conclusion of the presentation, webinar participants will have an opportunity to ask questions.

On July 20, 2017, you can download the report on the National Academies Press website at nap.edu. Go here to register for the free webinar.

The members of the Smart Grid Interoperability Panel (“SGIP”) are working on standards, policies and guides to help modernize the electric power grid. Last month, the Smart Grid Cybersecurity Committee of SGIP released a helpful resource: a straightforward thirty-page User’s Guide to help utilities navigate the previously released, hefty 597-page Interagency Report (NISTIR) 7628, Guidelines for Smart Grid Cyber Security. Although not as lengthy as the main event, the User’s Guide contains practical suggestions utilities will find useful. The guide has its share of charts and graphs, but I find the gray shaded boxes noteworthy. They serve as a jab in the side to remind utilities about information they may have overlooked while engrossed in the details. For example, on page nine of the report, the gray box says, “Every organization is unique, so portions of the NISTIR Logical Reference Model may not be directly applicable for every business process for every utility. Optionally, instead of solely using the NISTIR 7628 Logical Reference Model diagram, you may create a flowchart that identifies the way the different Actors interface with each other. This will help you conceptualize how the NISTIR 7628 Logical Reference Model aligns to your own organizational business processes.”

If there were doubts, these next few sentences will confirm I am an energy geek. While researching this post, I noticed the most beautiful prose regarding our electric grid on the NIST.gov homepage. It gives big kudos to the current grid while pushing towards the future… and it made me smile. Happy Friday!

Today’s electric power grid ranks as the single greatest engineering achievement of the 20th century. And tomorrow’s smart grid will be one of the greatest achievements of the 21st century. By linking information technologies with the electric power grid—to provide “electricity with a brain”—the smart grid promises many benefits, including increased energy efficiency, reduced carbon emissions, and improved power reliability.

– NIST.gov homepage.

Because the grid is so critical to all aspects of our society and economy, protecting its reliability and resilience is a core responsibility of everyone who works in the electric industry.

– Federal Energy Regulatory Commission (“FERC”) Acting Chairman Cheryl LaFleur

This month, FERC directed the North American Electric Reliability Corporation (“NERC”) to develop, within 90 days, Reliability Standards requiring owners and operators of the Bulk-Power System to address risks due to physical security threats and vulnerabilities. The Reliability Standards will require owners and operators of the Bulk-Power System to take at least three steps to protect physical security:

  1. Owners and operators must perform a risk assessment of their system to identify facilities that, if rendered inoperable or damaged, could have a critical impact on the operation of the interconnection through instability, uncontrolled separation, or cascading failures of the Bulk-Power System.
  2. Owners and operators of critical facilities must evaluate potential threats and vulnerabilities to those facilities.
  3. Owners and operators must develop and implement a security plan to address potential threats and vulnerabilities.

FERC recognizes that compliance with the Reliability Standards described above could involve sensitive or confidential information that, if released to the public, could jeopardize the reliable operation of the Bulk-Power System. As a result, NERC is also directed to include in the Reliability Standards a procedure that will ensure confidential treatment of sensitive or confidential information but still allow the Commission, NERC and the Regional Entities to review and inspect any information that is needed to ensure compliance with the Reliability Standards.

The industry understands the continuing need to address physical security and resilience. This latter point is critical because absolute protection from attack, physical or cyber, can never be promised. It is a risk embedded in our freedom. So a healthy ongoing focus on resilience is critical and grid owners and operators address these issues frequently if not daily. So I can’t help but wonder whether the recent media frenzy about Metcalf and a looming national blackout has FERC fighting back, not just with statements but this order.

With recent cybersecurity breaches at large retailers, it’s easy to forget about the most basic and still threatening issue of physical security. That is why I am pleased to report the Department of Energy (DOE) and Department of Homeland Security (DHS), in coordination with the Federal Bureau of Investigation, the Federal Energy Regulatory Commission’s (FERC) Office of Energy Infrastructure Security, the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), North American Electric Reliability Corporation (NERC) and industry experts, have begun a series of briefings across the United States with electricity industry asset owners and law enforcement on the physical security of electricity substations.

Briefings have taken place in:

  • Chicago – January 14, 2014
  • Denver – January 16, 2014
  • Tampa – January 21, 2014
  • Houston – January 23, 2014

These meetings are not open to the general public. DOE says the intended audiences for the briefings are security personnel and substation engineers from electric utilities, as well as law enforcement within the regions. 

Upcoming briefings include:

  • The session for FEMA Region II will be held in New York, NY and hosted by Con Edison.
    Date: February 4, 2014
    Time: 8:00am to 12:30pm
    Registration Deadline: Each person attending must register by January 31, 2014.
    Location: Con Edison Auditorium, 4 Irving Place, New York, NY 10121
  • The session for FEMA Region IX will be held in San Jose, CA and hosted by Pacific Gas & Electric.
    Date: February 11, 2014
    Time: 8:00am to 12:30pm
    Registration Deadline: Each person attending must register by February 7, 2014.
    Location: San Jose State University, One Washington Square, San Jose, CA 95192, Barrett Ballroom
  • The session for FEMA Region VI will be held in Albuquerque, NM and hosted by PNM.
    Date: February 12, 2014
    Time: 8:00am to 12:30pm
    Registration Deadline: Each person attending must register by February 7, 2014.
    Location: Hyatt Regency Albuquerque, 330 Tijeras NW, Albuquerque, NM 87102
  • The session for FEMA Region X will be held in Seattle, WA and hosted by Puget Sound Energy.
    Date: February 13, 2014
    Time: 8:00am to 12:30pm
    Registration Deadline: Each person attending must register by February 10, 2014.
    Location: Puget Sound Energy, 355 110th Ave NE, Bellevue, WA 98004
  • The session for FEMA Region I will be held in Boston, MA and hosted by National Grid.
    Date: March 18, 2014
    Time: 8:00am to 12:30pm
    Registration Deadline: Each person attending must register by March 13, 2014.
    Location: Gillette Stadium, 1 Patriot Place, Foxborough, MA 02035, Entrance E-1

Additional logistical information will be emailed to all registrants prior to the sessions. Late registration will not be accepted. A resource for you this month is a somewhat dated (2007) but still relevant report: The NIAC Convergence of Physical and Cyber Technologies and Related Security Management Challenges.

Later this year, NIST expects to release a draft of the Framework and Roadmap for Smart Grid Interoperability Standards (“Framework”) document for a formal 60-day public comment period, and the final version of the document is planned for publication in the first half of 2014. However, those attending the SGIP Inaugural Meeting received an advance look at the new Framework.

NIST says the smart grid will ultimately require hundreds of standards. To prioritize its work, NIST chose to focus on seven key functionalities plus cybersecurity and network communications. Together, they create nine priority areas:

  • Demand response and consumer energy efficiency: Provide mechanisms and incentives for utilities, business, industrial and residential customers to modify energy use during times of peak demand or when power reliability is at risk. Demand response is necessary for optimizing the balance of power supply and demand.
  • Wide-area situational awareness: Utilizes monitoring and display of power-system components and performance across interconnections and over large geographic areas in near real-time. The goals of situational awareness are to understand and ultimately optimize the management of power-network components, behavior and performance, as well as to anticipate, prevent, or respond to problems before disruptions arise. 
  • Distributed Energy Resources (DER): Covers generation and/or electric storage systems that are interconnected with distribution systems, including devices that reside on a customer premise, “behind the meter.” DER systems utilize a wide range of generation and storage technologies such as renewable energy, combined heat and power generators (CHP), fixed battery storage and electric vehicles with bi-directional chargers. 
  • Energy Storage: Means of storing energy, directly or indirectly. The most common bulk energy storage technology used today is pumped hydroelectric storage technology. New storage capabilities — especially for distributed storage — would benefit the entire grid, from generation to end use.
  • Electric transportation: Refers primarily to enabling large-scale integration of plug-in electric vehicles (PEVs). Electric transportation could significantly reduce U.S. dependence on foreign oil, increase use of renewable sources of energy, provide electric energy storage to ameliorate peak-load demands, and dramatically reduce the nation’s carbon footprint. 
  • Network communications: Refers to a variety of public and private communication networks, both wired and wireless, that will be used for smart grid domains and subdomains. An interface is a point where two systems need to exchange data with each other. Effective communication and coordination occur when each of the systems understands and can respond to the data provided by the other system, even if the internal workings of the systems are quite different.
  • Advanced metering infrastructure (AMI): Provides near real-time monitoring of power usage. AMI consists of the communications hardware and software, and the associated system and data management software, that together create a two-way network between advanced meters and utility business systems, enabling collection and distribution of information to customers and other parties, such as the competitive retail supplier or the utility itself. 
  • Distribution grid management: Focuses on maximizing performance of feeders, transformers and other components of networked distribution systems and integrating them with transmission systems and customer operations. As smart grid capabilities such as AMI and demand response are developed, and as large numbers of distributed energy resources and PEVs are deployed, the automation of distribution systems becomes increasingly important to the efficient and reliable operation of the overall power system.
  • Cybersecurity: Encompasses measures to ensure the confidentiality, integrity and availability of the electronic information communication systems and the control systems necessary for the management, operation and protection of the smart grid’s energy, information technology and telecommunications infrastructures.

Given the importance and magnitude of the smart grid, at the most basic level just about everyone you know is a stakeholder. According to NIST, the stakeholder groups who may find Framework 3.0 most useful include:

  • Utilities and suppliers concerned with how best to understand and implement the smart grid (especially Chapters 4, 5 and 6);
  • Testing laboratories and certification organizations (especially Chapter 7);
  • Academia (especially Section 5.1 and Chapter 8); and
  • Regulators (especially Chapters 1, 4, and 6, and also Section 3.5).

Who knew? October is National Cyber Security Awareness Month! This year marks the 10th anniversary of the initiative sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center. Just in time to commemorate the milestone, this week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released its expected Preliminary Cybersecurity Framework to help critical infrastructure owners and operators reduce cybersecurity risks in industries such as power generation, transportation and telecommunications. Under Secretary of Commerce for Standards and Technology and NIST Director Patrick Gallagher encourages organizations to begin reviewing and testing the Preliminary Framework to better inform the version NIST plans to release in February. Once the Preliminary Framework is published in the Federal Register, stakeholders will have 45 days to comment.

NIST will hold its 5th Cybersecurity workshop to discuss implementation of the Preliminary Framework on November 14 and 15, 2013, at North Carolina State University. A draft agenda has been released. Those with operational, managerial and policy responsibilities for cybersecurity, technology and/or standards development for critical infrastructure companies are encouraged to attend. Attendance is free but advance registration is required.

I can’t end this blog without mentioning October is more commonly known as Breast Cancer Awareness Month. When this blog posts, I will be en route to Phoenix, AZ, to see the play Life in the Cancer Lane, which is a compilation of stories from breast cancer survivors produced by friend, Soror and first-time playwright Barbra Watson Riley. While the disease causes pain all year long, I encourage Smart Grid Legal News readers to take advantage of the platform provided this month to discuss self-care and prevention with those you love.

On February 12, 2012, President Obama issued Executive Order 13636 calling for the development of a voluntary risk-based cybersecurity framework (“Framework”). The National Institute of Standards and Technology (“NIST”) is developing the Framework through an open process. Although it will serve as a uniform guide for developing cybersecurity programs, the Framework is expected to evolve with business needs and technological advances. On August 30, NIST issued an illustrative example for the electric industry.

Appendix A provides the proposed Cybersecurity Framework’s Core and is summed up as follows:

Identify – Develop the institutional understanding of which organizational systems, assets, data, and capabilities need to be protected, determine priority in light of organizational mission and establish processes to achieve risk management goals.

Protect – Develop and implement the appropriate safeguards, prioritized through the organization’s risk management process, to ensure delivery of critical infrastructure services.

Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Respond – Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cybersecurity event.

Recover – Develop and implement the appropriate activities, prioritized through the organization’s risk management process, to restore the appropriate capabilities that were impaired through a cybersecurity event.

The document is meant to be a discussion draft, and NIST would like comments from stakeholders. Here are some of the questions NIST would like reviewers to consider:

  • How can the Framework adequately:
    • Define outcomes that strengthen cybersecurity and support business objectives?
    • Enable cost-effective implementation?
    • Appropriately integrate cybersecurity risk into business risk?
    • Provide the tools for senior executives and boards of directors to understand risks and mitigations at the appropriate level of detail?
  • Will the Framework as presented be inclusive of, and not disruptive to, effective cybersecurity practices in use today?
  • Is the Framework presented at the right level of specificity?

Microgrids play an important role in the development of a smarter electric grid and present security and safety challenges which must be addressed. Ever wanted to attend the National Defense University? On June 18, 2013, the Department of Energy and the National Defense University will co-host the Smart Power Infrastructure Demonstration for Energy Reliability and Security (SPIDERS) Joint Capability Technology Demonstration (JCTD) Industry Day. Industry Day will provide organizations interested in implementing a secure microgrid with guidance on assessing their facilities’ needs, translating them into procurement requirements and assembling the necessary site data package for bidders.

This event is open to all stakeholders with an interest in the development of secure microgrids, ranging from policy and regulatory bodies and equipment vendors to those tasked with the development of standards and specifications and the utilities that will be interconnecting with these microgrids.

Industry Day Highlights:

  • Performance Metrics for Evaluating New Microgrids
  • Approaches to Controlling Architecture Specifications
  • Utility Interconnection and Service Agreement Issues
  • Cybersecurity
  • SPIDERS Technology Case Studies including lessons learned and results of the Phase 1 Operational Demonstration performed at Joint Base Pearl Harbor Hickam (JBPHH).

Details:

June 18, 2013
8 a.m. E.T.
National Defense University
300 5th Avenue
Fort McNair, DC 20319-5066 

Register soon as space is limited. Attendance is limited to one representative per energy company/agency office/university lab. All confirmed registrants will receive a confirmation email with location information and meeting agenda.

Got plans for the summer? Researchers from the University of Illinois at Urbana-Champaign, Dartmouth College, Cornell University, the University of California at Davis and Washington State University are addressing the challenge of how to protect the nation’s power grid by improving the way the power grid infrastructure is built, making it more secure, reliable and safe. Together, these institutions make up The Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) Center, a Department of Energy-funded project, with support from the Department of Homeland Security. TCIPG is hosting its third summer school for utility and industry practitioners, researchers and students to attend and explore the nexus between electrical energy systems and cybersecurity on June 17-21, 2013, at the Q Center in St. Charles, Illinois.

The program is designed to provide an essential background in the basics of security and resiliency for cyber infrastructure in power and smart grids. Participants will also gain an understanding of the smarter energy system evolving from the power grid, as well as associated cybersecurity challenges. An optional hands-on training lab for SCADA security assessment, as well as many other topics, will be explored, including:

  • Smart Grid Vulnerabilities
  • Secure Network Architecture for Control Systems
  • Security Testing, Assessment and Validation of Devices in Utility Environments
  • Security-aware Modeling and Simulation of Grid Systems
  • Renewables and Resiliency in Microgrids
  • Military Microgrids and SPIDERS Implementation
  • Approaches and Challenges in Vehicle-to-Grid Systems
  • Advanced Techniques for Security Assessment
  • Security Testing Framework for Utilities

This detailed agenda provides more information on the summer school.

FERC recently proposed to approve the Version 5 Critical Infrastructure Protection (CIP) Reliability Standards, CIP-002-5 through CIP-011-1, submitted by the North American Electric Reliability Corporation (NERC). FERC believes the proposed CIP Version 5 Standards, which pertain to the cybersecurity of the bulk electric system, represent an improvement over the current Commission-approved CIP Reliability Standards because they adopt new cybersecurity controls and extend the scope of the systems that are protected by the CIP Reliability Standards.

Despite the benefits, the Commission has concerns regarding the potential ambiguity and, ultimately, enforceability of the CIP Version 5 Standards. Specifically, 17 of the requirements of the suite of CIP Version 5 Standards include language that requires the responsible entity to implement the requirement in a manner to “identify, assess and correct” deficiencies. The issue is that this language may be unclear with respect to the compliance obligations it places on regulated entities, making it too vague to audit and enforce compliance. The NOPR seeks comments on this and several other concerns. Moving at the speed of technology, some parts of CIP 4 may never become enforceable; it is expected some utilities may go from CIP 3 to CIP 5 for some standards.