Cybersecurity

Subscribe to Cybersecurity

For purposes of the Request for Information (“RFI”) the National Institute of Standards and Technology (“NIST”) defines “critical infrastructure” as:

systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

Threats to critical infrastructures typically fall into two categories: (1) physical threats – physical threats to tangible property and (2) cyber threats – threats of electronic/computer-based attacks on the communications components that control critical infrastructures. Many of these critical infrastructures are owned and operated by the private sector. Therefore, it is essential that the government and private sector work together to develop a strategy for protecting them and assuring their continued operation. 

The National Institute of Standards and Technology is conducting a comprehensive review to develop a framework to reduce cyber risks to critical infrastructure (“Framework”). The Framework will consist of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks. The RFI requests information to help identify, refine and guide the many interrelated considerations, challenges and efforts needed to develop the Framework. Responding to the NIST RFI is one of many action items the private sector can take. Several companies have already filed their comments. Some of the questions asked in the RFI include:

  • What are the current regulatory and regulatory reporting requirements in the United States (e.g. local, state, national, and other) for organizations relating to cybersecurity?
  • What organizational critical assets are dependent upon other critical physical and information infrastructures, including telecommunications, energy, financial services, water and transportation sectors?
  • What do organizations see as the greatest challenges in improving cybersecurity practices across critical infrastructure?
  • Describe your organization’s policies and procedures governing risk generally and cybersecurity risk specifically. How does senior management communicate and oversee these policies and procedures?
  • How do organizations define and assess risk generally and cybersecurity risk specifically?

Written comments, due by April 8, 2013, may be submitted by mail to Diane Honeycutt, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899. Submissions may be in any of the following formats: HTML, ASCII, Word, RTF, or PDF. Online submissions in electronic form may be sent to cyberframework@nist.gov. Please submit comments only and include your name, company name (if any), and cite “Developing a Framework to Improve Critical Infrastructure Cybersecurity” in all correspondence. All comments received by the deadline will be posted at http://csrc.nist.gov/ without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or confidential business information).

The smart grid creates the need for greater cybersecurity and is also part of the solution. The smart grid represents the modernization of electricity infrastructure often through added technology, allowing the grid to gather and store data and to create a “dialogue” between all components of the grid, and also allowing for automatic command and response within the function of the grid. A fully evolved smart grid will provide many improvements to situational awareness, prevention, management and restoration that, in spite of the new vulnerabilities it introduces, fundamentally makes the electric system more secure and reliable. On the other hand, the smart grid enhances the need for cybersecurity because it adds a layer of computer systems and software to existing utility infrastructure. It may increase the portals through which a cyber threat could enter the system.

Last month, the National Association of Regulatory Utility Commissioners (“NARUC”) released an updated version of its cybersecurity primer Cybersecurity for State Regulators 2.0. Meant for state regulators, the Primer will be helpful to utilities as it provides a “heads up” to the questions you will be asked. It includes an introductory explanation of the issues, identifies the jurisdictional landscape and highlights some of the characteristics of good cybersecurity that policymakers should consider. Understanding that cybersecurity is a quickly evolving area, the Primer also encourages regulators to engage in strategic discussions about cybersecurity to enable and support a thoughtful, risk-based approach to prudent investments by infrastructure operators. It includes sample questions for regulators to customize and ask their regulated entities and provides other resources. Here are some of the thought-provoking questions:

  • Does your cybersecurity plan include alternative methods for meeting critical functional responsibilities in the absence of IT or communication technology?
  • Has your organization conducted a cyber risk or vulnerability assessment of its information systems, control systems and other networked systems?
  • Does your organization perform vulnerability assessment activities as part of the acquisition cycle for products in each of the following areas: cybersecurity, SCADA, smart grid, internet connectivity and Web site hosting?
  • Has the company managed cybersecurity in the replacement and upgrade cycle of its networked equipment? Does this include smart meters?

Cybersecurity threats challenge the reliability, resiliency and safety of the electric grid. As the smart grid develops and today’s electrical grid interconnects with distributed generation and less tangible information technology components such as networks, software and the internet, the need to address cybersecurity at utilities takes center stage. Enter NARUC. With funding from DOE, NARUC recently issued a Primer on Cybersecurity for State Regulators. The well-written primer does not simply address cybersecurity regarding the physical distribution and transmission grids, substations and offices, but also equipment and systems that communicate, store and act on data. The challenge for regulators will be that cybersecurity must encompass not only utility-owned systems, but some aspects of customer and third party components that interact with the grid, such as advanced meters, devices behind the meter and human elements such as system operators, customers and “bad guys” interacting at all levels of a system. Although written for regulators, the primer will be helpful to all utilities and the vendors that support the utilities. Below are just a few of the questions presented in the primer:

  • Is cybersecurity integrated between business systems and control systems? For the existing grid and for the smart grid?
  • Have logical and physical connections to key systems been evaluated and addressed?
  • Does the company maintain standards and expectations for downtime during the upgrade and replacement cycle?
  • Does the company have equipment dependent on remote upgrades to firmware or software, or have plans to implement such systems?
  • Does the company have a plan in place to maintain system cybersecurity during statistically probable upgrade failures?
  • Is there a schedule for required password updates from default vendor or manufacturer passwords?
  • Has cybersecurity been identified in the physical security plans for the assets, reflecting planning for a blended cyber / physical attack?
  • What network protocols (IP, proprietary, etc.) are used in remote communications? Is the potential vulnerability of each protocol considered in deployment?

I recently saw an informative video by Cisco that provides a nice description of the Cisco Connected Grid FAN Solution which I believe will help many utilities address the issues raised in the primer. According to Cisco’s whitepaper, benefits of the Cisco Connected Grid FAN Solution include reduced system vulnerability to physical attack or cyber attack, operating resiliency against security disruptions, secure access and data privacy for smart grid information and a framework for meeting regulatory compliance requirements.

Last week, officials from the Energy Department, the White House and the Department of Homeland Security met with senior leaders from across the electric sector to launch an initiative to better protect the nation’s electric grid. Over a dozen electric utilities and grid operators are expected to participate in the pilot program to test the maturity model, assess its effectiveness and validate results. This public-private partnership and pilot program will help develop a risk management maturity model that is expected to be made available to the electric sector later this summer. Over the next several months, the Department will host a series of workshops with the private sector to draft the maturity model that can be used throughout the electric sector.

Recently, PJM CEO Terry Boston stated in his interview with us that security of the electric grid is a critical issue. As cyber threats to the nation’s electrical grid become increasingly sophisticated and dynamic, the Department of Energy is continuing to work closely with the Department of Homeland Security, other government agencies and industry to reduce the risk of energy disruptions due to cyber incidents. Last September, the Department released the Roadmap to Achieve Energy Delivery Systems Cybersecurity and a Draft Cybersecurity Risk Management Process Guideline that seeks to establish frameworks and processes to help the electricity sector manage cybersecurity risk. Those looking to stay current on smart grid security issues should check out the Smart Grid Security Blog. Its author, Andy Bochman, provides a nice overview of these issues and provides a quick way to stay up to date. Given the importance of energy to our nation’s economy, it is nice to see cybersecurity and the electric grid get more attention.

When Smart Grid Legal News interviewed PJM’s CEO Terry Boston earlier this month, he identified cyber security as the problem that kept him up at night. Clearly, Terry is not the only person who worries about cyber security, and that includes members of Congress. On December 15, 2011, U.S. Rep. Peter T. King (R-NY), Chairman of the Committee on Homeland Security, and Rep. Dan Lungren (R-CA), Chairman of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, introduced the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011 (the “PRECISE Act”). This bill (H.R. 3674) would amend the Homeland Security Act of 2002 to require the Department of Homeland Security (“DHS”) to identify cyber security risks to critical infrastructure, including the electric grid, and develop methods to mitigate these risks.

The legislation requires DHS to identify cyber security risks on a sector-by-sector basis and to collect existing performance standards to determine the best methods to mitigate identified risks, and calls for the appointment of a “lead cyber security official” within DHS to coordinate the Department’s cyber security activities with the Department’s other infrastructure protection activities.

The legislation would also establish the National Information Sharing Organization (NISO), a private-sector-controlled, not-for-profit organization to facilitate best practices, provide technical assistance and enable the sharing of cyber-threat information. NISO would be run by a board of directors composed of representatives from five different Federal Agencies, including DHS, and 13 members of the private sector, including members representing the Communications, Electric, Oil and Gas, Health Care and Financial infrastructure sectors. Here is a great section-by-section summary of PRECISE.

Given the importance of cybersecurity to the smart grid and our national security in general, I wanted you to know about the National Initiative for Cybersecurity Education (“NICE”) Strategic Plan that was released for comment on August 11, 2011, by NIST. The plan, “Building a Digital Nation,” outlines NICE’s mission, vision, goals and objectives. Comments from all interested citizens and organizations concerned with cybersecurity awareness, training and education are due by September 12, 2011. NICE has provided a suggested template to be used when submitting comments. Your suggestions can help build a digital nation.

Shortly after comments are filed, NICE will be holding its second annual NICE workshop, “Shaping the Future of Cybersecurity Education—Engaging Americans in Securing Cyberspace,” Sept. 20-22, 2011, at the NIST campus in Gaithersburg, MD. The strategic plan will be discussed. Government, academia and industry, as well as professionals from small- and medium-sized businesses are expected to be represented at the workshop.

The goals and objectives of the plan include:

  • Increase public awareness of cybersecurity risks
  • Responsible use of the Internet
  • Cybersecurity as a career path

Additionally, the plan seeks to develop the next generation of cybersecurity workers and encourage interest in science, technology, engineering and mathematic (STEM) disciplines. All of these career options will help train the next generation of utility employees, including those with the aptitude to work on smart grid related issues. My guess is if successful, this plan will benefit a myriad of industries. Figure 2 from the report illustrates how the elements of the spectrum link to NICE goals and overall strategic outcomes.

 edu_image.jpg

Ted_Wood.jpgToday I would like to introduce you to my colleague Ted Wood. Ted is a patent attorney with the law firm of Sterne Kessler Goldstein & Fox and is at the forefront of the smart grid cyber security and innovation discussion. He has some great ideas to help smart grid technology developers and is passionate about what innovation means to our energy independence and security.

Evers: Ted, how is innovation relevant to those in the energy industry and to businesses that rely on reliable energy delivery?

Wood: Thank you for the opportunity to discuss my views concerning the role of innovation. Innovation does and will continue to play a critical role in reducing vulnerabilities to the power grid. A recent article in the Washington Post citing top government intelligence officials indicated that “a major cyber attack somewhere in the United States is increasingly possible.” The article went on to warn that an assault on America’s power grid system “represents the battleground for the future.” Based upon this article and several others, as well as my own observations and analyses, it goes without saying that a successful cyber attack on the grid could have a devastating impact on our national security, economy and our way of life.

Evers: Ted, I agree. One of the goals for the smart grid is for it to operate resiliently against attack and natural disaster. A smarter grid protects against outside forces by incorporating a system-wide solution that reduces physical and cyber vulnerabilities and enables fast recovery from disruptions. What is the connection to innovation?

Wood: Innovation = grid resiliency

Evers: OK, connect the dots for me.

Wood: Through innovation, new technologies can emerge to help enhance the grid’s resiliency. Such technologies should address protecting the grid from cyber and other attacks, detecting when failures occur and responding and recovering accordingly. Successful innovation includes creativity, investment and intellectual property (IP) protection. Investment is essential to transforming creativity into tangible technologies and IP protection is a significant factor considered by investors when deciding in which technologies to invest to maximize their returns. And it is critical to have strong IP protection in place before entering the marketplace.

Evers: So it’s a cycle. Innovation → Investment → IP protection→ safer, smarter grid?

Wood: That’s right. However, I would adjust your model a bit:

Innovation → IP protection → Investment → safer, smarter grid. Most investors want to know the IP protection is in place first.

Evers: So Ted, with all of the American Recovery and Reinvestment Act funding, the race is on. I imagine there are a lot of great ideas out there and the developers may feel like they can’t get to the marketplace quick enough. Any ideas on how you can help them? Admittedly I am not from the Patent and Trademark Office, but I have been involved in getting regulatory approvals for a long time and they usually don’t occur at the speed of innovation.

Wood: Recognizing the urgency of cyber security and the development of the smart grid, I believe that some sort of Grid Resiliency patent incentive program might help to spur grid resiliency innovations. The objective of one such program, for example, would be to streamline the examination of patent applications specifically focused on technical innovations to reduce vulnerabilities by ensuring the grid’s resiliency. This streamlined process could help improve the revenue stream for innovators by increasing the development speed of their products and technologies. For example, patent applications covered under such a program would include resiliency-enhancing technologies that could be added to existing grid components and systems, as well as resiliency-enhancing technologies integrated into next-generation components and systems. The intent is to leverage the U.S. patent system to encourage grid related R&D investments and innovations which would reduce the grid’s vulnerabilities. There are other programs, some already underway at the US Patent and Trademark Office, to encourage innovation across the board. These programs could be used to spur grid innovations.

Evers: That is great! What is the current status of the Grid Resiliency Patent Incentive Program?

Wood: We are vetting a number of different ideas through different means, such as industry blogs and discussions with industry and government representatives. The goal is to try and find the right mix of ideas that will help promote innovation and R&D investment in grid resiliency enhancing technologies.

Evers: I can imagine there are a lot of entrepreneurs hoping to participate. It will be a game changer for those who need funding as soon as possible. Please let me know when this is finalized. What are the other programs at the PTO that can be leveraged by smart grid innovators?

Wood: There are two that come to mind. The first is the Green Technology Pilot Program, which provides for accelerated examination of patent applications related to development of renewable energy sources, energy conservation etc. A few of the technical categories covered by this pilot program also related to smart grid. The second program is the newly implemented Track 1 initiative. Track 1 provides for accelerated examination for applications for payment of a $4,000 fee. Given the limited scope of the green pilot program with respect to grid resiliency and possibility that all innovators may not have access to Track 1 given the required fee, there may still be room for additional programs or incentives to spur grid resiliency innovations.

So Linda, I am going to switch things up a bit and if you don’t mind, I have a few questions for you?

Evers: Sure, but let me remind you…it’s my blog. (laughing)

Wood: I think the next roadblock is getting the utilities to try the new products. I know you represent a lot of utilities so I wondered if you had any insight to share on this issue?

Evers: Absolutely. …cost recovery.

Wood: My turn. Please connect the dots for me.

Evers: Ted, you are talking about new technology. The developer should expect to demonstrate to the prospective utility client that the benefits outweigh the risks. We take risks everyday or nothing would get done. In the case of the smart grid, we know the cost of doing nothing is high. However, it will be an extremely expensive undertaking to fully develop the smart grid. Utilities are very careful when making investments out of concern they will not get the cost recovery they seek from state regulatory agencies.

Wood: But developing the smart grid is a huge priority for our country. I would think the state regulators would be supportive?

Evers: I know this may surprise to you, but there is a fair amount of regulatory uncertainty in this area. Views towards the smart grid will vary by state and some states have laws that require aggressive action in this area. Generally, utilities have to summit their plans to their state PUCs for approval. Part of the approval process is making the business case to support the proposed expenses. And let me tell you, 2010 was a rough year for smart grid approvals, particularly the cost recovery issue, in spite of Uncle Sam contributing $4.5 billion.

Wood: Really?

Evers: Yes! Maryland, Connecticut, Indiana and Ohio to name a few. And in California and Maine, the regulators are acting on one of my favorite lines: “I reserve the right to change my mind,” and are contemplating revising plans they have already approved, notwithstanding the fact that these utilities have already implemented most of the plan.

So for the innovators out there, the best way to get selected is to educate, educate, educate. Spend time explaining to regulators and consumer advocates the importance of your product to the grid. In the end, how does it benefit customers? Ideally, the product should be apart of the utility’s plan that gets approved.

Ted, it will happen slowly at first – layer by layer, but we will get there. Remember when cell phones first came out? For the first few years they were big and clunky and really only used by executives. And now just last year, even to my surprise, off we went to buy my son an iPhone for his 13th birthday. Progress can be like a sluggish car, slow to get going but it can hold its own on the highway. One day you will look around and bam: you will be driving to Pennsylvania to visit my family without any thought as to where you will charge your electric car; people will just know not to wash clothes and dishes in the afternoon; their appliances will conveniently start the laundry and dishes for them at 2:00 am and utilities will restore service before you even know there was an outage. All these great smart grid related things will be happening and as a county we will be more energy efficient.

Addressing cybersecurity guidelines and standards being considered by NIST and FERC, the U.S. Government Accountability Office, the nonpartisan investigative arm of Congress, pointed out key challenges to securing smart grid systems in a recently released report. Chief among them were that NIST’s cybersecurity guidelines did not address the risk of attacks that use both cyber and physical means and that FERC has not developed a coordinated approach to enforce the adoption of its cybersecurity standards.

The report further identified the following concerns:

  • Aspects of the regulatory environment may make it difficult to ensure smart grid system’s cybersecurity
  • Utilities are focusing on regulatory compliance rather than comprehensive security
  • The electric industry does not have an effective mechanism for sharing information on cybersecurity
  • The electric industry does not have metrics for evaluating cybersecurity
  • Consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems

In response, both NIST and FERC agreed the report made useful findings. NIST, however, emphasized that it did not forget to address the key risk as the GAO accused, but that its guidelines addressing that risk weren’t ready for publication in 2010. FERC agreed that a more coordinated approach to enforcement may be desirable, but it pointed out that Congress made the adoption of smart grid standards by utilities and manufacturers voluntary, not mandatory.

Although the GAO report makes useful suggestions, some of its generalizations and assumptions may be a bit unfair or premature. For example, despite the overbroad conclusion that consumers are inadequately informed about the benefits, costs and risks of smart grid systems, some smart meter projects have been successfully executed and well-received by informed consumers. Austin Energy in Texas, for example, credits its smart meter success (installing 400,000 residential smart meters with wide customer acceptance) with extensive education and outreach to consumers. Also an innovative smart grid pilot for commercial customers in Charlotte, North Carolina, called “Envision: Charlotte” appears to enjoy the support of informed customers. And since sharing information is a new project that is at the core of Smart Grid, it seems premature to accuse the electric industry for not already having an effective data-sharing mechanism.

Everyone agrees that we need a Smart Grid that is secure. How best to achieve that goal needs further discussion.

On February 23, 2011, from 8:00 am to 5:00 pm at ERCOT Austin, 7620 Metro Center Drive, Austin, TX, the NIST Smart Grid Cyber Security Working Group (“CSWG) Outreach Team will be available to answer questions regarding the lengthy NIST Interagency Report, Guidelines for Smart Grid Cyber Security 7628. This report will guide the industry  through the many layers of Smart Grid Cyber Security issues. In addition to discussing technical issues, such as Security Architecture and Cryptography, the hot topic of Smart Grid Privacy will also be touched upon as part of the day’s agenda.

The CSWG privacy subgroup performed a Privacy Impact Assessment (PIA) for the consumer-to-utility aspect of the Smart Grid. The following questions navigated the process of performing the consumer-to-utility PIA:

  1. What personal information may be generated, stored, transmitted, or maintained by components and entities of the Smart Grid?
  2. How is this personal information new or unique compared with personal information in other types of systems and networks?
  3. How is the use of personal information within the Smart Grid new or different from the uses of the information in other types of systems and networks?
  4. What are the new and unique types of privacy risks that may be created by Smart Grid components and entities?
  5. What is the potential that existing laws, regulations, and standards apply to the personal information collected by, created within, and flowing through the Smart Grid components?
  6. What could suggested standardized privacy practices look like for all entities using the Smart Grid so that following them could help to protect privacy and reduce associated risks?

Although not exhaustive, Table 5- 2 from the report provides a snapshot of some of the concerns. With only your imagination as the limit, there are many potential uses for granular energy data when it is combined with personal information. This applies to businesses as well as residential customers.

Table 5-2 Potential Privacy Concerns and Description

Privacy Concern

Discussion

Categorization

Fraud

Attributing energy consumption to another location or vehicle (in the case of PEVs).

Type II: While fraud is an existing concern, the current system of reading consumer meters (either manual recording or electronically via “drive-by” remote meter reading systems) may allow less opportunity for data manipulation without collusion with the personnel collecting the data.

Determine Personal Behavior Patterns / Appliances Used

Smart meter and home automation network data may track the use of specific appliances. Access to data-use profiles that can reveal specific times and locations of electricity use in specific areas of the home can also indicate the types of activities and/or appliances used. Possible uses for this information include: Appliance manufacturers could use this information for product reliability and warranty purposes; Other entities could use this data to do targeted marketing.

Type I: The type of data made available by Smart Grid implementation may be both more granular and available on a broader scale.

Perform Real- Time Remote Surveillance

Access to live energy use data can reveal such things as if people are in a facility or residence, what they are doing, waking and sleeping patterns, where they are in the structure, and how many are in the structure.

Type II: Many methods of real-time surveillance currently exist. The availability of computerized real-time or near-real-time energy usage data would create another way in which such surveillance could be conducted.

Non-Grid Commercial Uses of Data

Personal energy consumption data storage may reveal lifestyle information that could be of value to many entities, including vendors of a wide range of products and services. Vendors may purchase attribute lists for targeted sales and marketing campaigns that may not be welcomed by those targets. Universities might purchase information to study student attributes and target a new student profile with simple application question profiling. Such profiling could extend to other types of profiling on employment selection, rental applications, and other situations that may not be welcomed by those targets.

Type II: Under the existing metering and billing systems, meter data is not sufficiently granular in most cases to reveal any detail about activities. However, smart meters, time of use and demand rates, and direct load control of equipment may create detailed data that could be sold and used for energy management analyses and peer comparisons. While this information has beneficial value to third parties, consumer education about protecting that data has considerable positive outcomes.

On January 13, 2011, FERC issued the agenda for the Smart Grid Interoperability Standards Technical Conference scheduled for January 31, 2011. The conference will begin at 1:00 pm (EST) and is scheduled to conclude at 5:00 pm. Panelists include: Ed Beroset of Elster Solutions, LLC, John Lucas of Southern Company and Ron Ambrosio of IBM, among others. FERC staff along with George Arnold of NIST will wrap-up the event. The conference is open to the public and will be webcast for those not wanting to travel to FERC headquarters (888 First Street, NE, Washington, DC, 20426) where the event will take place in the Commission Meeting Room.