State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to self-regulate, and another approach...
A Voice for Smart-Grid Security
Who will oversee the industry’s cyber standards?
smart-grid applications, and abstracted the problem in such a way that the document could be readily adapted to provide a foundation for overall smart-grid security. Now, almost all the same people have formed a follow-on project team to address precisely these two issues under an effort titled the "Advanced Security Acceleration Project for the Smart Grid" (ASAP-SG).
The work products of ASAP-SG will provide multiple paths forward. The team is working closely with the DOE and the NIST CSCTG, and will feed documentation into the NIST effort on a contributory basis. Likewise, the documents will be contributed to the UtiliSec Working Group as mature drafts for community review, commentary and approval, just as the AMI System Security Requirements were provided to the AMI-SEC Task Force. In any case, these specifications will need to be coupled with technology-specific standards to facilitate secure implementations, and ultimately will need the endorsement of an authoritative organization. Until such an organization exists, the industry must rely upon self-regulation. However, the industry still has some options for bolstering what otherwise might be a weak enforcement mechanism.
One of the more interesting models to consider is a peer-pressure scenario involving differentiated rates or tiered pricing for utility-to-utility power purchases, with the tier determined by provable implementation of resiliency measures. This would require utilities and their commissions to accept that cyber-security risks translate into real-world costs, and would require that utilities be allowed to enter into some form of agreement with neighboring utilities.
A peer-pressure model would provide two benefits. First, the model transfers the real-world costs of building a resilient organization back to the source of the risk. Typically, it is cheaper in the short term to build a low-resiliency organization. However, in a highly integrated and interdependent environment such as the electric power system, the risks created by such an organization can easily propagate beyond its organizational borders and into neighboring organizations.
The peer-pressure model would allow a utility, in effect, to provide a discount or rebate to an organization that can produce audit records demonstrating that it meets approved resiliency metrics. Conversely, the utility might adopt a higher baseline rate for organizations that fail to prove their resiliency. In doing so, the model would remove the ability of an organization to get a free ride at its neighbors' expense over the longer term. Again, this model would depend on utility commissions accepting that cyber-security risks translate into real-world costs for their constituent utilities.
The second benefit of the peer-pressure model is that it empowers and encourages the utility community to police itself successfully. In fact, NERC was originally an industry-driven collaborative that only recently became the Electric Reliability Organization. Before that, registration and compliance were voluntary, and utilities were even responsible for reporting their own violations, so the incentive to participate was indirect at best. Under the peer-pressure model, the incentive to participate can be supplied directly by allowing a differentiated rate, if such a measure were approved by the appropriate commissioners. However, the peer-pressure model would face the same tough challenge that NERC CIP development faced: reaching industry consensus.
In order to achieve broad acceptance of criteria for monetary incentives, resiliency