Ad Hoc Smart Grid Executive Committee February 10, 2011 New Orleans, LA


Page 1: Ad Hoc Smart Grid Executive Committee February 10, 2011 ...mydocs.epri.com/docs/publicmeetingmaterials/1102/6... · – Positive comments on the tasks that NIST performed on the Smart

Ad Hoc Smart Grid Executive Committee

February 10, 2011 New Orleans, LA


© 2011 Electric Power Research Institute, Inc. All rights reserved.

Agenda

Time | Topic and Location | Lead
3:00 – 3:10p | Welcome & Introductions | George Bjelovuk, AEP
3:10 – 3:40p | Regulatory Trends for Cyber Security | Annabelle Lee, EPRI
3:40 – 4:15p | EPRI Security & Privacy – R&D for 2011 | Galen Rasche, EPRI; Erfan Ibrahim, EPRI
4:15 – 4:45p | Regulatory Trends for Interoperability Standards | Annabelle Lee, EPRI
4:45 – 5:00p | Wrap-up and Adjourn | George Bjelovuk, AEP


Regulatory Trends on Cyber Security

Annabelle Lee, Technical Executive - Cyber Security


Current Status...

• Mandatory cyber security standards for the federal government are developed by the National Institute of Standards and Technology (NIST)
• The Department of Homeland Security (DHS), in coordination with other federal sector specific agencies (SSAs), has developed voluntary guidance
  – The base document is the National Infrastructure Protection Plan (NIPP)
  – Each SSA, in collaboration with the appropriate Sector Coordinating Council (SCC), developed a Sector Specific Plan
  – Each plan is updated annually
  – The Department of Energy (DOE) is the SSA for the energy sector, including the electric sector
    • Energy, IT, communications, chemical, transportation, etc.


Current Status...

• NERC developed the Critical Infrastructure Protection standards (CIPs) for the bulk power system
• The Smart Grid Interoperability Panel (SGIP) Cyber Security Working Group (CSWG) published National Institute of Standards and Technology Interagency Report (NISTIR) 7628, Guidelines for Smart Grid Cyber Security
  – The document is guidance and voluntary
  – Provides cyber security requirements at a high level
  – Has been referenced by three states and adopted by China and Sweden
• DOE included security requirements in the American Recovery and Reinvestment Act (ARRA) of 2009
  – Grant winners are required to develop a system security plan


Current Trends...

• The NERC CIPs are being revised
  – The mandatory implementation date for the NERC CIPs 002-009, version 3 was October 1, 2010
  – CIP 002 - Cyber Security - Critical Cyber Asset Identification recently updated to Version 4
    • Initial assessment is that the new definition will not significantly increase the number of critical cyber assets
• FERC and NIST are assessing the results of the FERC technical conference
  – Some state PUCs were watching FERC for guidance
• H.R. 174: Homeland Security Cyber and Physical Infrastructure Protection Act of 2011
  – Includes prioritized critical infrastructures


Current Trends...

• GAO Report GAO-11-117: Electricity Grid Modernization
  – Positive comments on the tasks that NIST performed on the Smart Grid
  – Outstanding issues:
    • NIST did not address cyber-physical attacks
    • FERC does not have enforcement authority in the Energy Independence and Security Act of 2007
    • Fragmentation of the regulatory environment complicates smart grid interoperability and cyber security
  – Report includes recommendations
• DOE IG Report - IG-0846, Jan 26, 2011, Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security
  – Criticisms of the NERC CIPs
• With new Congress - not clear what the priorities and trends will be


Questions?


Electric Sector Security & Privacy Plans for 2011

Galen Rasche, Technical Executive; Erfan Ibrahim, Technical Executive

Ad-Hoc Smart Grid Executive Committee 2011-Feb-10


Contents

• PDU Cyber Security R&D Portfolio

• National Electric Sector Cyber Security Organization

• EPRI Security and Privacy Initiative


EPRI’s Cyber Security Focus for 2011


EPRI 2011 Cyber Security R&D Portfolio


EPRI Cyber Security Resources

• Staffing
  – Three Technical Executives
  – One Senior Project Manager
  – Three Project Engineers
• Lab capabilities
  – Substation lab in Knoxville
  – Interconnects between Charlotte, Knoxville, and Lenox
• Advisory structure
  – Ad hoc Security and Privacy Executive Committee


EPRI Cyber Security Projects and Programs

PDU Base Program For 2011:
• NERC CIP and DHS ICS JWG Coordination and Reporting
• Lemnos Testing for Security Configuration Profiles
• DNP4 Security Interoperability Testing
• Smart Energy Profile 2.0 Security Testing Procedures & Penetration Testing

NESCO:
• Focal point for utilities, federal agencies, regulators, and researchers
• Organize the collection, analysis, and dissemination of infrastructure vulnerabilities and threats
• Cyber Security standards and requirements evaluation

Research Projects:
• Secure Smart Grid Communications
• Cryptographic Key Management
• Tools and Templates For Measuring Security Posture
• Best Practices for NERC CIP Compliance


National Electric Sector Cyber Security Organization (NESCO)

• Vision:
  – Provide a focal point for bringing together utilities, federal agencies, regulators, and researchers to address the electric sector security threats
• Objectives:
  – Focus cyber security R&D priorities
  – Identify and disseminate best practices
  – Organize the collection, analysis, and dissemination of infrastructure vulnerabilities and threats


NESCO Project Structure

Cyber Incident Data Center (EnergySec):

• Identify / receive threat information

• Forensics

• Vulnerability analysis

• Categorize threats

• Disseminate threat information to asset owners and operators

R&D Team (EPRI and EnergySec):

• Review NIST, NERC and other cyber security requirements and results

• Assess existing power system and cyber security standards to meet the security requirements of the power system

• Develop risk mitigation strategies, best practices and metrics

• Test security technologies in labs and pilot projects

R&D Industry Advisory Board:

• Provide technical oversight for the project for direction setting and content creation

• Facilitate outreach in the industry for greater participation and implementation

• Populated by industry groups, federal agencies, regulators


EPRI Led Team Supporting DOE NESCO

National/Commercial Research Labs:
• Oak Ridge National Lab
• Sandia National Lab
• Idaho National Lab
• National Renewable Energy Laboratory
• Palo Alto Research Center
• SRI
• Telcordia

Academia:
• University of Houston
• Mladen Kezunovic (Texas A&M University)
• UCLA
• UC Berkeley
• University of Minnesota Smart Grid Consortium

Subject-Matter Experts:
• N-Dimension
• Inguardians
• Arc Technical
• EnerNex
• Xanthus Consulting International


NESCO Work Flow


EPRI Members Call to Action for NESCO

• Communicate critical security and privacy issues to EPRI to facilitate RD&D project identification (e.g., relating to NERC Compliance, SGIG and SGDP Cyber Security Assessment Plan)

• Volunteer cyber security technical staff to participate in NESCO Working Groups

• Volunteer senior cyber security experts to sit on NESCO advisory board


EPRI Cyber Security and Privacy Initiative

• Cross-sector initiative (Power Delivery, Generation, and Nuclear)

– Leverage lessons learned and address common concerns

• Address gaps in current industry security and privacy R&D work

• Forum for designing and implementing collaborative R&D projects to meet long-term security needs of the electric sector

• Ad-Hoc Electric Sector Security and Privacy Executive Committee

– Provides strategic advice and guidance on EPRI security and privacy R&D activities

– Contributions from IOUs, co-ops, ISOs, and municipals

– Involvement at the CIO-level


Near Term Goals of EPRI Cyber Security Research Initiative

Timeline: 1Q11, 2Q11, 3Q11, 4Q11

Develop the organizational structure and populate the Ad-Hoc Security and Privacy Executive Committee

• Create focused task forces for areas of interest

• Identify 1st set of high priority RD&D projects

Organize and populate working groups to perform the RD&D projects


Security and Privacy Initiative Research Areas


Questions?

Galen Rasche

Erfan Ibrahim


FERC Smart Grid Technical Conference - January 2011

Annabelle Lee, Technical Executive – Cyber Security


Background ...

• Energy Independence and Security Act (EISA) of 2007, Title XIII, Section 1305
  – National Institute of Standards and Technology (NIST) to coordinate the development of a framework
    • That includes protocols and modern standards for information management
    • To achieve interoperability of Smart Grid devices and systems
• At any time after NIST has reached sufficient consensus in FERC's judgment
  – FERC shall institute a rule making proceeding to adopt such standards and protocols as may be necessary to insure
    • Smart Grid functionality and interoperability in
      – Interstate transmission of electric power and
      – Regional and wholesale electricity markets.
• New roles for both FERC and NIST
• Significant pressure for NIST to move forward on the standards


FERC Technical Conference

• Held January 31, 2011 at FERC
  • http://www.ferc.gov/eventcalendar/EventDetails.aspx?ID=5571&CalType=%20&CalendarID=116&Date=01/31/2011&View=Listview
• All five commissioners attended
• Presentations by
  • George Arnold, National Coordinator for Smart Grid Interoperability
  • Two panels
    • NIST process used for reviewing and selecting the five families of standards
    • Smart Grid interoperability standards development and identification process going forward


FERC Technical Conference

• Initial families of standards posted by NIST
  • IEC 61850 - substation automation
  • IEC 61968 - common information model
  • IEC 61970 - common information model
  • IEC 61870-6 - TASE 2/ICCP
  • IEC 62351 - security
• All 13 panel members, in response to a question from Chairman Wellinghoff, stated there was not sufficient consensus for adoption


Issues Raised at the FERC Technical Conference

• What is the definition of "adoption"?
  • Adoption involves significant policy issues
• What is the definition of consensus?
  • Applicable to the Smart Grid?
  • Technical content reviewed and accepted by experts?
  • Applicable to interoperability?


Issues Raised at the FERC Technical Conference

• Standards are a snapshot in time
  • How do you allow for innovation?

• Not sufficient discussion on the context for using the standard

• Need further review on functionality and interoperability

• Significant technical cyber security issues

• Limitations to access of the standards


What's Next?...

• FERC is accepting comments on the presentations and the questions posted
  • Comments due March 2, 2011
  • Comments on comments due March 16, 2011
  • May be supplemental questions posted...
• The path forward is not clear
  • Both NIST and FERC are assessing the results of the technical conference
  • Many state PUCs were waiting for FERC to perform the rule making


Questions?


EPRI’s Role Going Forward

• EPRI will very quickly develop a series of white papers on the adoption of standards by the electric utility industry
  – The first white paper will present an adoption roadmap for standards in the electric utility industry
  – The second and third white papers will provide mappings of CIM and 61850 to the adoption roadmap
  – The fourth white paper will be a case study of a utility that has adopted one of the five NIST standards.


EPRI’s Role Going Forward

• Wayne Longcore (Consumers Energy), Phil Slack (FPL) and Chris Knudsen (PG&E) have already volunteered to help develop the white papers

• George Arnold likes what is being proposed

• George Arnold has asked that EPRI organize a technical workshop to discuss the adoption of standards by the electric utility industry.