State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to self-regulate, and another approach...
A Voice for Smart-Grid Security
Who will oversee the industry’s cyber standards?
have a significant effect on system stability. The simultaneous disconnect of large numbers of meters is another matter entirely. Traditional models assume large load sheds happen at points that see the entire load: a breaker fails, a transformer goes down, a line is cut. But what happens when a tailored virus infects an entire meter network and uses a timer to simultaneously disconnect every meter it touches?
Could this type of attack destabilize the grid? The answer of course depends on conditions, environment, and many other variables, but the NERC CIP threshold of 300 MW for an automatic load shed easily could be met by 100,000 homes at peak load—a significant number to be sure, but also a figure that might be handled within a single utility’s distribution system. If a portion of a single distribution system has the potential to destabilize the grid, then the industry must fundamentally re-think the importance of security, especially when it comes to distribution. No longer is a single utility safe so long as it implements security properly and effectively protects itself. Neighboring utilities are likewise at risk, and one utility’s failure to protect system stability can mean failures all around them.
A Common Forum
One of the more overlooked organizations that may play a role is the National Association of Regulatory Utility Commissioners (NARUC). For investor-owned utilities in the United States, the state utility commissions are the gatekeepers, as a utility must obtain their approval to recover project costs through retail rates. Utility commissioners could use this position to ensure any utility performing a major project does so with cyber security properly implemented.
But utility commissioners are not cyber-security experts, and in most cases neither are their staffs. Commissioners will need resources to which they can refer and education on how to use them. If the commissioners know the questions to ask, along with what the right answers look like, the dialogue between utility and commission can be improved. Commissioners and utilities alike would know what to expect. In the end, the industry has a way to start pushing cyber security at the distribution level.
Unfortunately, this plan isn’t without flaws either. Most municipal utilities and public power agencies are government owned and exempt from regulation, as are many electric cooperatives. These utilities don’t answer to state utility commissions, but rather to other varying governmental structures such as appointed or elected board members. The larger municipal utilities serve more than one million customers, so the load can be very significant even for an individual utility. And unfortunately, there’s no single unifying mechanism that can be used to apply pressure on municipal utilities to implement cyber security in any particular way.
Even for utilities regulated by state commissions, regulatory relationships often can be strained. Deregulation tended to set up a contentious dynamic that sometimes still exists. Utilities and commissions alike would have to recognize they share a common goal, and building the trust required to form this kind of partnership might take significant work.
Coming Full Circle
So how does the electric power industry find