Page 2: Issues to address >>

Editor's note: Some electric power utilities take a reactive approach to cyber security -- "we'll do something when mandated." But many industry observers -- including me -- think they need to be more proactive. So when I saw a recent white paper from the California Public Utilities Commission (CPUC) suggesting a proactive approach -- and making specific recommendations -- I asked for permission to run a short summary here.

 

California is a progressive state that is watched closely by others. What's more, commissions in Michigan, Pennsylvania and Texas are also developing cyber security policies. In other words, if you haven't yet heard from your PUC about the issue, you probably will soon. If I were you, I'd be getting ready right now. The article below is a good starting point. -- Jesse Berst

 

By Elizaveta Malashenko

 

With grid modernization underway, cyber security is recognized as an increasingly important factor in ensuring resiliency, reliability and safety. Indeed, it has become a top national security issue. Many cyber security events have already taken place, including Stuxnet, Aurora, RuggedCom, smart meter hacks and others.

 

From a regulatory perspective, grid cyber security has been addressed most actively at the Federal level through the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements. However, the NERC-CIP framework has important limitations.

 

First, NERC-CIP primarily covers only generation and transmission assets that qualify as “critical." Estimates suggest that 80-90% of grid assets are outside NERC-CIP’s scope. Second, NERC-CIP is primarily compliance-based. Compliance is important, but it is not enough to ensure that the rapidly evolving risks are adequately considered and acted upon.

A new role for state regulators?

State regulators have not traditionally played a large role in cyber security. However,

this is beginning to change with the recognition that Federal compliance-based models may not be sufficient. Grid modernization is underway and much of this new infrastructure will be located on the distribution grid, which is currently outside of NERC authority.

 

Utilities often lack a business case to spend on cyber security beyond minimal compliance. What's more, there is no such thing as a 100% secure system. For these reasons, regulators and utilities should explore a risk management-based approach.

 

Indeed, California and other states have already started developing cyber security policies. Additionally, the National Association of Regulatory Utility Commissioners (NARUC) passed a 2010 resolution encouraging regulators to open a dialogue with their regulated utilities to promote cost-effective protection and preparedness.

Page 2: Issues to address >>

Talk Back to the Author

Current Comments (3)

Leave a Comment

---

Smart Grid CyberSecurity is a JOKE!

The WEB is replete with warnings and alarms regarding CyberSecurity. State regulators or not! LIP SERVICE will be paid to the masses ...till the LIGHTS GO out! and then there will be finger pointing and passing the Buck. Nothing new! That is how America has always done business!

George Karadimas - 09/28/2012 - 07:34

It could be worse, George...

George K. - It could be worse. We could stay with the current system, which was largely developed before there was such a thing as cybersecurity or hackers. Compared to what is, what is being developed for Smart Grid is far superior. I doubt you will believe that, but ridiculous assertions without any knowledge behind them have to be responded to. BTW: I was the Co-Chair of the Cybersecurity Working Group of the NERC Smart Grid Task Force, so I do know a little of what I'm talking about.

Christopher Kotting - 09/28/2012 - 08:34

. NARUC published a cyber primer in late June

Many good resources are available, including those for electric cooperatives typically not regulated by state PSCs -- go to NRECA's website. NARUC conducted a training exercise in Indianapolis, and DOE released a risk management framework document May 2012, followed by tools June 28. Many good information security tools better than NERC-CIP, such as ISO 27000 series, COBIT 5, etc. The point: we don't need any more new mandatory standards that are unbalanced to the favor of compliance and reams of documentation -- reactive measures that consume time and resources without nudging cyber security "goodness" and proactive measures forward. Compliance does not = or assure good cyber protection. Time to get moving instead of waiting for the Executive Orders to come down -- or, worse yet, sweeping legislation from the next Congress.

Michael E Ebert - 09/28/2012 - 08:49

Leave a Comment

New to this Blog? Need some help?

Email: [?] We will send you an email with an appproval link you must click for your comment to appear.
Full Real Name:	[?] Real comments need a real name.
Subject:	[?] Please provide a short subject for your comment.
Comment:[?] Do not post commercial/sales messages here. They will be deleted. Try: pr@smartgridnews.com PLEASE NOTE:  All HTML codes will be removed from your comment.
CAPTCHA Security Code The numbers (0) and (1) are not used. [?] Please type the characters you see into the box above.
Remember my name? (Uncheck to forget.)
You can not edit or delete your comment once it is posted. Please check for spelling now. Your IP Address is: 23.20.196.179