Ad Hoc Smart Grid Executive Committee
February 10, 2011 New Orleans, LA
2© 2011 Electric Power Research Institute, Inc. All rights reserved.
Agenda
Time | Topic and Location | Lead
3:00 – 3:10p | Welcome & Introductions | George Bjelovuk, AEP
3:10 – 3:40p | Regulatory Trends for Cyber Security | Annabelle Lee, EPRI
3:40 – 4:15p | EPRI Security & Privacy – R&D for 2011 | Galen Rasche, EPRI; Erfan Ibrahim, EPRI
4:15 – 4:45p | Regulatory Trends for Interoperability Standards | Annabelle Lee, EPRI
4:45 – 5:00p | Wrap-up and Adjourn | George Bjelovuk, AEP
Regulatory Trends on Cyber Security
Annabelle Lee, Technical Executive - Cyber Security
Current Status...
• Mandatory cyber security standards for the federal government are developed by the National Institute of Standards and Technology (NIST)
• The Department of Homeland Security (DHS), in coordination with other federal sector specific agencies (SSAs), has developed voluntary guidance
  – The base document is the National Infrastructure Protection Plan (NIPP)
  – Each SSA, in collaboration with the appropriate Sector Coordinating Council (SCC), developed a Sector Specific Plan
  – Each plan is updated annually
  – The Department of Energy (DOE) is the SSA for the energy sector, including the electric sector
    • Energy, IT, communications, chemical, transportation, etc.
Current Status...
• NERC developed the Critical Infrastructure Protection (CIPs) for the bulk power system
• The Smart Grid Interoperability Panel (SGIP) Cyber Security Working Group (CSWG) published National Institute of Standards and Technology Interagency Report (NISTIR) 7628, Guidelines for Smart Grid Cyber Security
  – The document is guidance and voluntary
  – Provides cyber security requirements at a high level
  – Has been referenced by three states and adopted by China and Sweden
• DOE included security requirements in the American Recovery and Reinvestment Act (ARRA) of 2009
  – Grant winners are required to develop a system security plan
Current Trends...
• The NERC CIPs are being revised
  – The mandatory implementation date for the NERC CIPs 002-009, version 3 was October 1, 2010
  – CIP 002 - Cyber Security - Critical Cyber Asset Identification recently updated to Version 4
    • Initial assessment is that the new definition will not significantly increase the number of critical cyber assets
• FERC and NIST are assessing the results of the FERC technical conference
  – Some state PUCs were watching FERC for guidance
• H.R. 174: Homeland Security Cyber and Physical Infrastructure Protection Act of 2011
  – Includes prioritized critical infrastructures
Current Trends...
• GAO Report GAO-11-117: Electricity Grid Modernization
  – Positive comments on the tasks that NIST performed on the Smart Grid
  – Outstanding issues:
    • NIST did not address cyber-physical attacks
    • FERC does not have enforcement authority in the Energy Independence and Security Act of 2007
    • Fragmentation of the regulatory environment complicates smart grid interoperability and cyber security
  – Report includes recommendations
• DOE IG Report - IG-0846, Jan 26, 2011, Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security
  – Criticisms of the NERC CIPs
• With new Congress - not clear what the priorities and trends will be
Questions?
Electric Sector Security & Privacy Plans for 2011
Galen Rasche, Technical Executive
Erfan Ibrahim, Technical Executive
Ad-Hoc Smart Grid Executive Committee 2011-Feb-10
Contents
• PDU Cyber Security R&D Portfolio
• National Electric Sector Cyber Security Organization
• EPRI Security and Privacy Initiative
EPRI’s Cyber Security Focus for 2011
EPRI 2011 Cyber Security R&D Portfolio
EPRI Cyber Security Resources
• Staffing
  – Three Technical Executives
  – One Senior Project Manager
  – Three Project Engineers
• Lab capabilities
  – Substation lab in Knoxville
  – Interconnects between Charlotte, Knoxville, and Lenox
• Advisory structure
  – Ad hoc Security and Privacy Executive Committee
EPRI Cyber Security Projects and Programs
PDU Base Program For 2011:
• NERC CIP and DHS ICS JWG Coordination and Reporting
• Lemnos Testing for Security Configuration Profiles
• DNP4 Security Interoperability Testing
• Smart Energy Profile 2.0 Security Testing Procedures & Penetration Testing
NESCO:
• Focal point for utilities, federal agencies, regulators, and researchers
• Organize the collection, analysis, and dissemination of infrastructure vulnerabilities and threats
• Cyber Security standards and requirements evaluation
Research Projects:
• Secure Smart Grid Communications
• Cryptographic Key Management
• Tools and Templates For Measuring Security Posture
• Best Practices for NERC CIP Compliance
National Electric Sector Cyber Security Organization (NESCO)
• Vision:
  – Provide a focal point for bringing together utilities, federal agencies, regulators, and researchers to address the electric sector security threats
• Objectives:
  – Focus cyber security R&D priorities
  – Identify and disseminate best practices
  – Organize the collection, analysis, and dissemination of infrastructure vulnerabilities and threats
NESCO Project Structure
Cyber Incident Data Center (EnergySec):
• Identify / receive threat information
• Forensics
• Vulnerability analysis
• Categorize threats
• Disseminate threat information to asset owners and operators
R&D Team (EPRI and EnergySec):
• Review NIST, NERC and other cyber security requirements and results
• Assess existing power system and cyber security standards to meet the security requirements of the power system
• Develop risk mitigation strategies, best practices and metrics
• Test security technologies in labs and pilot projects
R&D Industry Advisory Board:
• Provide technical oversight for the project for direction setting and content creation
• Facilitate outreach in the industry for greater participation and implementation
• Populated by industry groups, federal agencies, regulators
EPRI Led Team Supporting DOE NESCO
National/Commercial Research Labs:
• Oak Ridge National Lab
• Sandia National Lab
• Idaho National Lab
• National Renewable Energy Laboratory
• Palo Alto Research Center
• SRI
• Telcordia
Academia:
• University of Houston
• Mladen Kezunovic (Texas A&M University)
• UCLA
• UC Berkeley
• University of Minnesota Smart Grid Consortium
Subject-Matter Experts:
• N-Dimension
• Inguardians
• Arc Technical
• EnerNex
• Xanthus Consulting International
NESCO Work Flow
EPRI Members Call to Action for NESCO
• Communicate critical security and privacy issues to EPRI to facilitate RD&D project identification (e.g., relating to NERC Compliance, SGIG and SGDP Cyber Security Assessment Plan)
• Volunteer cyber security technical staff to participate in NESCO Working Groups
• Volunteer senior cyber security experts to sit on NESCO advisory board
EPRI Cyber Security and Privacy Initiative
• Cross-sector initiative (Power Delivery, Generation, and Nuclear)
– Leverage lessons learned and address common concerns
• Address gaps in current industry security and privacy R&D work
• Forum for designing and implementing collaborative R&D projects to meet long-term security needs of the electric sector
• Ad-Hoc Electric Sector Security and Privacy Executive Committee
– Provides strategic advice and guidance on EPRI security and privacy R&D activities
– Contributions from IOUs, co-ops, ISOs, and municipals
– Involvement at the CIO-level
Near Term Goals of EPRI Cyber Security Research Initiative
(Timeline: 1Q11, 2Q11, 3Q11, 4Q11)
• Develop the organizational structure and populate the Ad-Hoc Security and Privacy Executive Committee
• Create focused task forces for areas of interest
• Identify 1st set of high priority RD&D projects
• Organize and populate working groups to perform the RD&D projects
Security and Privacy Initiative Research Areas
Questions?
Galen Rasche [email protected]
Erfan Ibrahim [email protected]
FERC Smart Grid Technical Conference - January 2011
Annabelle Lee, Technical Executive – Cyber Security
Background ...
• Energy Independence and Security Act (EISA) of 2007, Title XIII, Section 1305
  – National Institute of Standards and Technology (NIST) to coordinate the development of a framework
    • That includes protocols and modern standards for information management
    • To achieve interoperability of Smart Grid devices and systems
• At any time after NIST has reached sufficient consensus in FERC's judgment
  – FERC shall institute a rule making proceeding to adopt such standards and protocols as may be necessary to insure
    • Smart Grid functionality and interoperability in
      – Interstate transmission of electric power and
      – Regional and wholesale electricity markets.
• New roles for both FERC and NIST
• Significant pressure for NIST to move forward on the standards
FERC Technical Conference
• Held January 31, 2011 at FERC
  • http://www.ferc.gov/eventcalendar/EventDetails.aspx?ID=5571&CalType=%20&CalendarID=116&Date=01/31/2011&View=Listview
• All five commissioners attended
• Presentations by
  • George Arnold, National Coordinator for Smart Grid Interoperability
  • Two panels
    • NIST process used for reviewing and selecting the five families of standards
    • Smart Grid interoperability standards development and identification process going forward
FERC Technical Conference
• Initial families of standards posted by NIST
  • IEC 61850 - substation automation
  • IEC 61968 - Common Information Model
  • IEC 61970 - Common Information Model
  • IEC 60870-6 - TASE.2/ICCP
  • IEC 62351 - security
• All 13 panel members, in response to a question from Chairman Wellinghoff, stated there was not sufficient consensus for adoption
Issues Raised at the FERC Technical Conference
• What is the definition of "adoption"?
  • Adoption involves significant policy issues
• What is the definition of consensus?
  • Applicable to the Smart Grid?
  • Technical content reviewed and accepted by experts?
  • Applicable to interoperability?
Issues Raised at the FERC Technical Conference
• Standards are a snapshot in time
  • How do you allow for innovation?
• Not sufficient discussion on the context for using the standard
• Need further review on functionality and interoperability
• Significant technical cyber security issues
• Limitations to access of the standards
What's Next?...
• FERC is accepting comments on the presentations and the questions posted
  • Comments due March 2, 2011
  • Comments on comments due March 16, 2011
  • May be supplemental questions posted...
• The path forward is not clear
  • Both NIST and FERC are assessing the results of the technical conference
  • Many state PUCs were waiting for FERC to perform the rule making
Questions?
EPRI’s Role Going Forward
• EPRI will very quickly develop a series of white papers on the adoption of standards by the electric utility industry
  – The first white paper will present an adoption roadmap for standards in the electric utility industry
  – The second and third white papers will provide mappings of CIM and 61850 to the adoption roadmap
  – The fourth white paper will be a case study of a utility that has adopted one of the five NIST standards.
EPRI’s Role Going Forward
• Wayne Longcore (Consumers Energy), Phil Slack (FPL) and Chris Knudsen (PG&E) have already volunteered to help develop the white papers
• George Arnold likes what is being proposed
• George Arnold has asked that EPRI organize a technical workshop to discuss the adoption of standards by the electric utility industry.