Much ink (including mine) has been spilled regarding cyber security regulations for the Bulk Electric System (BES). Whatever your opinion of them, the NERC CIP standards are in place. But the distribution system is another story. CIP doesn’t apply to Distribution, because it’s not part of the BES. This wouldn’t have been a problem even five years ago, since the distribution system was fairly ‘dumb’. There weren’t a lot of intelligent devices to attack – certainly not the meters, and very little of the distribution equipment in the substations. It was very hard to imagine how someone could cause a large-scale distribution failure, and almost impossible to imagine how such an attack could cause problems beyond the immediate areas affected.
But as we all know, Distribution is rapidly changing. There are millions of smart meters already deployed, and almost every utility has a substation automation project either in process or about to start; yet this is all just a down payment on what’s to come. Not only are there many more intelligent devices waiting to be attacked in the distribution system, but the consequences of those attacks could potentially be widespread – not just in one neighborhood or town.
This isn’t to say that there is a huge cyber security problem in the Smart Grid – in fact, I doubt there is. However, what I or you think is irrelevant. The fact is that wide deployment of the Smart Grid depends on the public’s acceptance of the fact that it will improve their lives (and remember, they have to be willing to pay for it). Were the idea to become rooted that the Smart Grid is insecure, that could very well mark the beginning of the end (Pacific Gas and Electric has already run into cyber security concerns regarding their smart meter rollout).
Which then raises the question: How can we prevent this from happening? Waiting until a substantial portion of the public has become convinced that the Smart Grid is insecure, then unleashing a fusillade of assurances from cyber security experts, is clearly not the answer. We all know who will win that one. I think the only thing that will assure the vast majority of utility customers is regulation. If regulations are in place that require a certain level of cyber security practices on the part of the utilities and the vendors, this will allow Smart Grid deployments to go forward despite the cyber security scares that will regularly show up, justified or not.
So who should do the regulating, the Feds or the states? I think the answer is fairly clear: On the Federal level, FERC and NERC don’t currently have authority to regulate the Smart Grid (or power distribution in general), and they have no desire to do so. The only other likely Federal regulator would be the Department of Energy, but they don’t have that authority and have made no attempt to obtain it. NIST developed – with much industry assistance – the comprehensive set of cyber security guidelines contained in NISTIR 7628. While this is a very useful document, it does not at all pretend to be regulations or even guidelines.
On the state level, the story is quite different. The state Public Utility Commissions already have extensive authority to regulate electricity distribution. And they are stepping up to the table to meet the challenge of assuring the public that the Smart Grid is “cyber safe”.
There are two documents that are particularly relevant to this. The first was published this June by Miles Keogh and Christina Cody of the National Association of Regulatory Utility Commissioners, entitled “Cybersecurity for State Regulators”. It is a very well written document that describes the cyber security and regulatory landscape as it relates to electric power, and lays out several steps that state regulators can take to help address the issue of Distribution-level (and especially Smart Grid) cyber security. The most important of these steps is to ask questions of their utilities regarding their cyber security policies and procedures. These questions are listed in Appendix A, and I recommend them as a great cyber security “pop quiz” for any electric utility (in fact, they would be very relevant to a lot of other organizations, such as gas and water utilities).
However, you won’t see a recommendation for actual cyber security regulations in this document. The authors don’t rule that out – and they discuss the relative advantages of “risk-based” and “compliance-based” approaches to cyber security – but they don’t make any recommendation for or against regulations.
The second document was published on September 19 by Elizaveta Malashenko, Chris Villarreal, and J. David Erickson of the California Public Utilities Commission (CPUC). It is entitled “Cybersecurity and the Evolving Role of State Regulation”. Like the NARUC document, it is very well written, and includes a good overview of cyber security as it relates to electric (and gas) utilities, as well as an excellent review of government initiatives to address this – on both the Federal and state levels.
Unlike the NARUC document, this document (written by CPUC staff members) does call on the CPUC commissioners (page 22) to consider various options for regulation of cyber security for California electric power distribution in general and Smart Grid deployment in particular. But the document clearly doesn’t favor a prescriptive approach as in NERC CIP. Rather, the authors believe that a risk-based approach, in which each utility (with active guidance from the CPUC) analyzes its risks and decides how to address them, is best.
You may say, “OK, so California may regulate Smart Grid cyber security. I’m not in California – why should I care about that?” The point is that California has been the leader in many areas of regulation (I think about California every time I make a right turn on red, since they were the first to allow that). This is true in information security, where California SB 1386 (which came into effect in 2003) was the first law requiring organizations to notify individuals when their personal information was compromised in a security breach; there are now similar laws in effect in 46 states.
Indeed, the authors state (page 21), “If the CPUC takes action, it can not only potentially protect Californians from safety and reliability threats, but also provide an example for other State regulatory agencies.” So if the California commissioners take up their staff’s recommendation, Smart Grid cyber security regulation may truly be “coming to a state near you”!
NARUC has come out with Version 2 of its document. It is available here. I hope to update this post soon with a discussion of that.