Ad Hoc Smart Grid Executive Committee
February 10, 2011
New Orleans, LA

Agenda
Time | Topic and Location | Lead
3:00 - 3:10p | Welcome & Introductions | George Bjelovuk, AEP
3:10 - 3:40p | Regulatory Trends for Cyber Security | Annabelle Lee, EPRI
3:40 - 4:15p | EPRI Security & Privacy R&D for 2011 | Galen Rasche, EPRI; Erfan Ibrahim, EPRI
4:15 - 4:45p | Regulatory Trends for Interoperability Standards | Annabelle Lee, EPRI
4:45 - 5:00p | Wrap-up and Adjourn | George Bjelovuk, AEP

Regulatory Trends on Cyber Security
Annabelle Lee
Technical Executive - Cyber Security

Current Status...
- Mandatory cyber security standards for the federal government are developed by the National Institute of Standards and Technology (NIST)
- The Department of Homeland Security (DHS), in coordination with other federal sector specific agencies (SSAs), has developed voluntary guidance
  - The base document is the National Infrastructure Protection Plan (NIPP)
  - Each SSA, in collaboration with the appropriate Sector Coordinating Council (SCC), developed a Sector Specific Plan
  - Each plan is updated annually
- The Department of Energy (DOE) is the SSA for the energy sector, including the electric sector
- Energy, IT, communications, chemical, transportation, etc.

2011 Electric Power Research Institute, Inc. All rights reserved.

Current Status...
- NERC developed the Critical Infrastructure Protection (CIPs) for the bulk power system
- The Smart Grid Interoperability Panel (SGIP) Cyber Security Working Group (CSWG) published National Institute of Standards and Technology Interagency Report (NISTIR) 7628, Guidelines for Smart Grid Cyber Security
  - The document is guidance and voluntary
  - Provides cyber security requirements at a high level
  - Has been referenced by three states and adopted by China and Sweden
- DOE included security requirements in the American Recovery and Reinvestment Act (ARRA) of 2009
  - Grant winners are required to develop a system security plan

Current Trends...
- The NERC CIPs are being revised
  - The mandatory implementation date for the NERC CIPs 002-009, version 3 was October 1, 2010
  - CIP 002 - Cyber Security - Critical Cyber Asset Identification recently updated to Version 4
  - Initial assessment is that the new definition will not significantly increase the number of critical cyber assets
- FERC and NIST are assessing the results of the FERC technical conference
  - Some state PUCs were watching FERC for guidance
- H.R. 174: Homeland Security Cyber and Physical Infrastructure Protection Act of 2011
  - Includes prioritized critical infrastructures

Current Trends...
- GAO Report GAO-11-117: Electricity Grid Modernization
  - Positive comments on the tasks that NIST performed on the Smart Grid
  - Outstanding issues:
    - NIST did not address cyber-physical attacks
    - FERC does not have enforcement authority in the Energy Independence and Security Act of 2007
    - Fragmentation of the regulatory environment complicates smart grid interoperability and cyber security
  - Report includes recommendations
- DOE IG Report - IG-0846, Jan 26, 2011, Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security
  - Criticisms of the NERC CIPs
- With new Congress - not clear what the priorities and trends will be

Questions?
Alee@epri.com

Electric Sector Security & Privacy Plans for 2011
Galen Rasche, Technical Executive
Erfan Ibrahim, Technical Executive
Ad-Hoc Smart Grid Executive Committee
2011-Feb-10

Contents
- PDU Cyber Security R&D Portfolio
- National Electric Sector Cyber Security Organization
- EPRI Security and Privacy Initiative

EPRI's Cyber Security Focus for 2011

EPRI 2011 Cyber Security R&D Portfolio

EPRI Cyber Security Resources
- Staffing
  - Three Technical Executives
  - One Senior Project Manager
  - Three Project Engineers
- Lab capabilities
  - Substation lab in Knoxville
  - Interconnects between Charlotte, Knoxville, and Lenox
- Advisory structure
  - Ad hoc Security and Privacy Executive Committee

EPRI Cyber Security Projects and Programs
- PDU Base Program For 2011:
  - NERC CIP and DHS ICS JWG Coordination and Reporting
  - Lemnos Testing for Security Configuration Profiles
  - DNP4 Security Interoperability Testing
  - Smart Energy Profile 2.0 Security Testing Procedures & Penetration Testing
- NESCO:
  - Focal point for utilities, federal agencies, regulators, and researchers
  - Organize the collection, analysis, and dissemination of infrastructure vulnerabilities and threats
  - Cyber Security standards and requirements evaluation
- Research Projects:
  - Secure Smart Grid Communications
  - Cryptographic Key Management
  - Tools and Templates For Measuring Security Posture
  - Best Practices for NERC CIP Compliance

National Electric Sector Cyber Security Organization (NESCO)
- Vision: Provide a focal point for bringing together utilities, federal agencies, regulators, and researchers to address the electric sector security threats
- Objectives:
  - Focus cyber security R&D priorities
  - Identify and disseminate best practices
  - Organize the collection, analysis, and dissemination of infrastructure vulnerabilities and threats

NESCO Project Structure
- Cyber Incident Data Center (EnergySec):
  - Identify / receive threat information
  - Forensics
  - Vulnerability analysis
  - Categorize threats
  - Disseminate threat information to asset owners and operators
- R&D Industry Advisory Board:
  - Provide technical oversight for the project for direction setting and content creation
  - Facilitate outreach in the industry for greater participation and implementation
  - Populated by industry groups, federal agencies, regulators
- R&D Team (EPRI and EnergySec):
  - Review NIST, NERC and other cyber security requirements and results
  - Assess existing power system and cyber security standards to meet the security requirements of the power system
  - Develop risk mitigation strategies, best practices and metrics
  - Test security technologies in labs and pilot projects

EPRI Led Team Supporting DOE NESCO
- National/Commercial Research Labs
  - Oak Ridge National Lab
  - Sandia National Lab
  - Idaho National Lab
  - National Renewable Energy Laboratory
  - Palo Alto Research Center
  - SRI
  - Telcordia
- Academia
  - University of Houston
  - Mladen Kezunovic (Texas A&M University)
  - UCLA
  - UC Berkeley
  - University of Minnesota Smart Grid Consortium
- Subject-Matter Experts
  - N-Dimension
  - Inguardians
  - Arc Technical
  - EnerNex
  - Xanthus Consulting International

NESCO Work Flow

EPRI Members Call to Action for NESCO
- Communicate critical security and privacy issues to EPRI to facilitate RD&D project identification (e.g., relating to NERC Compliance, SGIG and SGDP Cyber Security Assessment Plan)
- Volunteer cyber security technical staff to participate in NESCO Working Groups
- Volunteer senior cyber security experts to sit on NESCO advisory board

EPRI Cyber Security and Privacy Initiative
- Cross-sector initiative (Power Delivery, Generation, and Nuclear)
  - Leverage lessons learned and address common concerns
  - Address gaps in current industry security and privacy R&D work
- Forum for designing and implementing collaborative R&D projects to meet long-term security needs of the electric sector
- Ad-Hoc Electric Sector Security and Privacy Executive Committee
  - Provides strategic advice and guidance on EPRI security and privacy R&D activities
  - Contributions from IOUs, co-ops, ISOs, and municipals
  - Involvement at the CIO-level

Near Term Goals of EPRI Cyber Security Research Initiative
- Develop the organizational structure and populate the Ad-Hoc Security and Privacy Executive Committee
- Organize and populate working groups to perform the RD&D projects
- Create focused task forces for areas of interest
- Identify 1st set of high priority RD&D projects
[Timeline: 1Q11, 2Q11, 3Q11, 4Q11]

Security and Privacy Initiative Research Areas

Questions?
Galen Rasche, grasche@epri.com
Erfan Ibrahim, eibrahim@epri.com

FERC Smart Grid Technical Conference - January 2011
Annabelle Lee
Technical Executive Cyber Security

Background...
- Energy Independence and Security Act (EISA) of 2007, Title XIII, Section 1305
  - National Institute of Standards and Technology (NIST) to coordinate the development of a framework
    - That includes protocols and modern standards for information management
    - To achieve interoperability of Smart Grid devices and systems
  - At any time after NIST has reached sufficient consensus in FERC's judgment
    - FERC shall institute a rule making proceeding to adopt such standards and protocols as may be necessary to insure Smart Grid functionality and interoperability in
      - Interstate transmission of electric power and
      - Regional and wholesale electricity markets.
- New roles for both FERC and NIST
- Significant pressure for NIST to move forward on the standards

FERC Technical Conference
- Held January 31, 2011 at FERC
  - http://www.ferc.gov/eventcalendar/eventdetails.aspx?id=5571&CalType=%20&CalendarID=116&Date=01/31/2011&View=listview
- All five commissioners attended
- Presentations by George Arnold, National Coordinator for Smart Grid Interoperability
- Two panels
  - NIST process used for reviewing and selecting the five families of standards
  - Smart Grid interoperability standards development and identification process going forward

FERC Technical Conference
- Initial families of standards posted by NIST
  - IEC 61850 - substation automation
  - IEC 61968 - common information model
  - IEC 61970 - common information model
  - IEC 61870-6 - TASE 2/ICCP
  - IEC 62351 - security
- All 13 panel members, in response to a question from Chairman Wellinghoff, stated there was not sufficient consensus for adoption

Issues Raised at the FERC Technical Conference
- What is the definition of "adoption"?
  - Adoption involves significant policy issues
- What is the definition of consensus?
  - Applicable to the Smart Grid?
  - Technical content reviewed and accepted by experts?
  - Applicable to interoperability?

Issues Raised at the FERC Technical Conference
- Standards are a snapshot in time
  - How do you allow for innovation?
- Not sufficient discussion on the context for using the standard
- Need further review on functionality and interoperability
- Significant technical cyber security issues
- Limitations to access of the standards

What's Next?...
- FERC is accepting comments on the presentations and the questions posted
  - Comments due March 2, 2011
  - Comments on comments due March 16, 2011
  - May be supplemental questions posted...
- The path forward is not clear
  - Both NIST and FERC are assessing the results of the technical conference
  - Many state PUCs were waiting for FERC to perform the rule making

Questions?
Alee@epri.com

EPRI's Role Going Forward
- EPRI will very quickly develop a series of white papers on the adoption of standards by the electric utility industry
  - The first white paper will present an adoption roadmap for standards in the electric utility industry
  - The second and third white papers will provide mappings of CIM and 61850 to the adoption roadmap
  - The fourth white paper will be a case study of a utility that has adopted one of the five NIST standards.

EPRI's Role Going Forward
- Wayne Longcore (Consumers Energy), Phil Slack (FPL) and Chris Knudsen (PG&E) have already volunteered to help develop the white papers
- George Arnold likes what is being proposed
- George Arnold has asked that EPRI organize a technical workshop to discuss the adoption of standards by the electric utility industry.