State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to self-regulate, and another approach...
Better Safe Than Compliant
Protecting the smart grid requires a broader strategy.
the high voltage transmission systems, not the distribution grid. Unfortunately, a compliance checklist approach—which the NERC CIPs tend to require—might inherently lack the scope and adaptability needed to counter digital adversaries’ continually emerging and evolving strategies and tactics. In other words, there’s a tendency by regulators and legislators to enforce security through compliance with the NERC CIP standards and not necessarily to focus on protecting the most critical assets or addressing the highest cyber risks.
“Hackers don’t have checklists,” said Chris Villarreal, the California Public Utilities Commission’s smart grid staff lead, at the Utilities Telecom Council’s Smart Grid Policy Summit in April, adding that utilities can’t think they’re secure by simply checking off a list of compliance requirements.
Having recognized the immediacy and scale of the smart grid cyber security challenge, utility management and regulatory officials understandably feel a great deal of urgency to show their customers, ratepayers and constituents that they are taking appropriate and effective protective action. Ironically, moving quickly without a complete understanding of the technical, policy and regulatory implications for the security environment can produce results that don’t necessarily address the highest threats.
For instance, compliance with the NERC CIP standards might not prevent Stuxnet-like attacks. Additionally, the NERC CIP standards don’t apply to the distribution grid, where most of the smart grid deployments are taking place.
In another example, consider the new smart meters that are now being installed. Currently there are no specific cyber security standards in place for smart meters; however, that doesn’t preclude aggressive testing of the meters to identify vulnerabilities and establish corrective fixes to make the meters more secure. Unfortunately, in a compliance-focused environment, proactive security testing of meters might not be encouraged or even considered valid. And because the expense of the testing isn’t considered “required,” it’s excluded from the system design and deployment.
Lack of coordination among multiple federal, state and regional jurisdictions asserting authority over smart grid security is also likely to generate confusion, conflicts and unsupported confidence in system security. Already, the California PUC is expecting to issue its own cyber security standards in the face of early smart grid rollouts, and other states, including Ohio and New York, have similar inquiries in the works. But such action would still generate confusion and inconsistent implementation of these standards, because the California PUC only has jurisdiction over the investor-owned utilities in the state (e.g., San Diego Gas & Electric, Southern California Edison, and Pacific Gas & Electric), thus excluding such large public utilities as Los Angeles Department of Water and Power (LADWP) and Sacramento Municipal Utility District (SMUD).
The combined effects of well-intentioned early action and incomplete or contradictory guidelines from various jurisdictions increase the likelihood that the policy and operational focus will remain on compliance—reporting and documentation that can be mandated and measured—rather than on a more holistic, risk-based philosophy that has been used successfully in the non-utility world and is a foundation of U.S. federal agency information security programs.
Holistic Risk-Based Answers
Because the smart grid’s ability to deliver intelligence will be the