The fact that FERC actually released an advance notice of proposed rulemaking in late June, on competitive markets of all subjects, has many in disbelief.
The Smart-Enough Grid
How much efficiency do ratepayers need—and utilities want?
When the applause dies down, the smart grid may turn out to be its own worst enemy. The California Independent System Operator (CAISO) explained this irony in comments it filed in May, after the FERC asked the industry for policy ideas on the smart grid.
On one hand, noted CAISO, the smart grid can improve reliability by “linking together more parts of the transmission and distribution system,” thereby creating “greater visibility over the electric grid and helping grid operators localize outage disruptions and prevent cascading failures.”
But by creating more linkages, said CAISO, system security can become weaker, increasing the risk of outages from “ill-intentioned actions.”
As CAISO notes, these additional linkages can force grid-system operators like ISOs and RTOs to become responsible for maintaining the security of systems that are beyond their control.
“Without proper regard for cyber security,” it warns, “the smart grid poses the danger of creating a one-step-forward, two steps-back circumstance.”
In its proposed smart-grid policy statement, FERC maps out the danger, which begins at the point where utilities connect their marketing operations to the Internet:
“While typically not connecting their more sensitive control center systems directly to the Internet, many entities have nevertheless upgraded those systems to use Internet-based protocols and technologies. This, coupled with the fact that the non-Internet-connected control center operations may be connected to the same corporate network as the Internet-connected marketing systems, means that there may be an indirect Internet vulnerability to those sensitive control systems.”
In short, the smart grid leaks, and these leaks could prove fatal.
To counter the risk, FERC has proposed to advise NIST (National Institute of Standards and Technology) to pay strict attention to cyber dangers when it carries out its mission under section 1305 of the 2007 Energy Independence and Security Act (EISA) to develop a framework of technical standards to assure the interoperability of various smart-grid elements.
FERC suggests that NIST must “take steps” to assure that each interoperability standard and protocol is consistent with both the cyber security and reliability mandates of EISA, as well as with the existing reliability standards approved by FERC under the Federal Power Act (see Smart Grid Policy Statement and Action Plan, Docket PL09-4, March 19, 2009, 126 FERC ¶61,253.)
FERC’s policy statement suggests the commission will expect NIST to consider characterizing smart-grid assets as critical cyber assets that must conform to the Critical Infrastructure Protection (CIP) standards (CIP-002 through CIP-009) finalized last year in FERC Order 706. But consider that the smart grid, as defined by Congress, includes virtually the entire bulk power system and anything attached to it, running the gamut from transformers to toasters.
It’s clear that CIP characterization could create a compliance nightmare. The Springfield (Oregon) Utility Board warns in comments it filed with FERC, such a scenario “exponentially increases the potential responsibilities of utilities.”
Allegheny Power observes, in addition, that if CIP standards are extended to residential, commercial and industrial customers, then the