When the applause dies down, the smart grid may turn out to be its own worst enemy. The California Independent System Operator (CAISO) explained this irony in comments it filed in May, after FERC asked the industry for policy ideas on the smart grid.
On one hand, noted CAISO, the smart grid can improve reliability by “linking together more parts of the transmission and distribution system,” thereby creating “greater visibility over the electric grid and helping grid operators localize outage disruptions and prevent cascading failures.”
But by creating more linkages, said CAISO, system security can become weaker, increasing the risk of outages from “ill-intentioned actions.”
As CAISO notes, these additional linkages can force grid-system operators like ISOs and RTOs to become responsible for maintaining the security of systems that are beyond their control.
“Without proper regard for cyber security,” it warns, “the smart grid poses the danger of creating a one-step-forward, two steps-back circumstance.”
In its proposed smart-grid policy statement, FERC maps out the danger, which begins at the point where utilities connect their marketing operations to the Internet:
“While typically not connecting their more sensitive control center systems directly to the Internet, many entities have nevertheless upgraded those systems to use Internet-based protocols and technologies. This, coupled with the fact that the non-Internet-connected control center operations may be connected to the same corporate network as the Internet-connected marketing systems, means that there may be an indirect Internet vulnerability to those sensitive control systems.”
In short, the smart grid leaks, and these leaks could prove fatal.
To counter the risk, FERC has proposed to advise NIST (National Institute of Standards and Technology) to pay strict attention to cyber dangers when it carries out its mission under section 1305 of the 2007 Energy Independence and Security Act (EISA) to develop a framework of technical standards to assure the interoperability of various smart-grid elements.
FERC suggests that NIST must “take steps” to assure that each interoperability standard and protocol is consistent with both the cyber security and reliability mandates of EISA, as well as with the existing reliability standards approved by FERC under the Federal Power Act (see Smart Grid Policy Statement and Action Plan, Docket PL09-4, March 19, 2009, 126 FERC ¶61,253).
FERC’s policy statement suggests the commission will expect NIST to consider characterizing smart-grid assets as critical cyber assets that must conform to the Critical Infrastructure Protection (CIP) standards (CIP-002 through CIP-009) finalized last year in FERC Order 706. But consider that the smart grid, as defined by Congress, includes virtually the entire bulk power system and anything attached to it, running the gamut from transformers to toasters.
It’s clear that CIP characterization could create a compliance nightmare. As the Springfield (Oregon) Utility Board warns in comments it filed with FERC, such a scenario “exponentially increases the potential responsibilities of utilities.”
Allegheny Power observes, in addition, that if CIP standards are extended to residential, commercial and industrial customers, then the customer meter “would have to be housed and locked up with access only by approved personnel.
“In most cases,” adds Allegheny in its comments, “this would require moving meters from their current location and building some type of structure.”
Some voices in the utility industry now ask why they must endure such pain to empower what is today no more than a vision, whose cost-benefit credentials have yet to be confirmed. They suggest that the grid already may be smart enough or, if not, that it will reach that point very soon, given the current rate of investment in grid infrastructure, from smart meters to thousand-mile transmission lines.
All of this leaves FERC with two basic outs for getting the smart grid up and running. One option would have the commission mandate the mother of all cyber security rules. The other option would entail holding its nose, looking the other way, and passing the hot potato along to the state PUCs, on the theory that any smart-grid device, protocol or communications channel not connected directly to the interstate bulk power system or its control centers will be deemed to be part of the retail distribution network, lying beyond the reach of FERC.
The California Public Utilities Commission, which already has opened its own rulemaking case on smart-grid policy (R. 08-12-009, issued Dec. 22, 2008), argues that FERC should make the NIST interoperability standards voluntary, not mandatory, so that state PUCs have “leeway,” depending upon how far they have progressed in smart-grid deployments.
While it concedes that a “patchwork” of standards could be harmful, the CPUC nevertheless insists that the states—not FERC—“should have the authority to direct their electric companies to institute certain NIST-adopted standards to the state-jurisdictional distribution network” (see Comments of Cal. PUC, pp. 5-6, filed May 11, 2009).
Southern Company Services notes that FERC’s December 2008 Staff Report on Demand Response and Advanced Metering had concluded (p. 18) that uncertainty over standards had made some state regulators reluctant to move ahead on AMI specifications out of fear that they might choose an unsupported technology.
Duke Energy advises FERC point blank that “an interoperability framework may not be economically viable if all smart grid assets are categorically subjected to all of the requirements of the CIP Reliability Standards.”
Duke reports that its pilot program in North Carolina soon will allow participating residential customers to install digital communications technology on home air conditioners and water heaters, with access to a Web site to monitor and control energy use by individual appliances. Yet, it still can imagine such devices operating without specific CIP coverage. Duke’s comments urge FERC to achieve interoperability in a way that would allow the utility industry to minimize the types of smart-grid assets deemed to be critical cyber assets. According to Duke, much of the distribution-level smart-grid equipment will impact “only localized areas” of utility systems. “Any potential infiltration of these devices,” writes Duke, “would be isolated and locally contained.”
Otherwise, notes Duke, the cost “could become prohibitive” and impede smart-grid development (see Comments of Duke Energy, pp. 2, 7-8, FERC Dkt. PL09-4, filed May 8, 2009).
Ohio Consumer Counsel Janine Migden-Ostrander joins the chorus of utilities and advocates who warn that the smart-grid initiative, when coupled with climate-change legislation, plus expensive new transmission lines to wheel renewable energy from West to East, will leave ratepayers in the lurch: “Consumers,” she writes, “are staring down the barrel of a host of extraordinary costs.”
Beyond the fact that the Feds could leverage the smart grid to gain a foothold inside state-supervised distribution networks, many in the power industry have serious questions:
• First, whether FERC has a realistic view of how much time it will take to set standards;
• Second, whether FERC fully understands the quantum leap in complexity and risk posed by smart-grid integration; and
• Third, whether there is any real certainty of reaping benefits from smart-grid deployment.
Congress has set no specific deadline for finalizing the smart-grid interoperability standards. Yet, FERC in its policy proposal cites a certain “sense of urgency within industry and government” for the development of standards and ultimate deployment of smart-grid technologies.
Many in the industry envision standard-setting as a forever-evolving iterative process. FERC itself has directed the North American Electric Reliability Corporation (NERC) to continue to improve and refine its CIP standards. On May 9, NERC’s Board of Trustees voted on a new Version 2 for CIP standards 002 through 009.
San Diego Gas & Electric says it expects it will take between three and five months “of focused efforts” for NIST and its stakeholders to map out each point of interoperability among various smart-grid systems, but that the actual approval and development of consensus-based standards “could take as little as one year but possibly as long as 10 years, depending on the technical complexity and nature of the issues involved at each point of interoperability.”
Such pessimism is notable, given the fact that smart-grid standards already exist for a smattering of technologies and protocols. One example is the so-called “GWAC Interoperability Stack,” developed by the DOE’s GridWise Architecture Council — a fact well noted by Sempra senior regulatory counsel Alvin Pak, who filed the SDG&E comments.
As Pak explains, the GWAC framework “was developed in collaboration with the electric industry and other key stakeholders through a process involving extensive expert interviews, workshops and iterative drafts.
“This framework,” Pak writes, “enjoys a reasonably strong consensus of opinion and is quite familiar to the Institute [NIST], which had a considerable hand in its drafting” (see SDG&E comments, at p. 13).
For other examples of smart-grid standards already in use, refer to the copyrighted white paper: Overview of the Smart Grid–Policies, Initiatives, and Needs, ISO New England, Feb. 17, 2009. Table 2, page 15, lists “Existing Technical Standards for Smart Grid Applications.”
NRG, meanwhile, suggests that the existence of prior, state-approved smart-grid deployments should carry weight when FERC sits down to decide whether a consensus has been reached on standards.
The smart grid takes cyber risk to a whole different level. One reason: The simple step of requiring a smart-grid deployment to demonstrate that it will not jeopardize system security can itself create security risks.
As CAISO points out, system security is a matter of creating multiple layers of security. Further, a security feature of one piece of equipment cannot be understood without understanding the context of the entire web of interlocking layers of security. “Providing that context,” writes CAISO, “raises the possibility that outside parties could identify and exploit any potential gaps.”
One tech company, Bochman-Danahy Research (Brookline, Mass.), finds fault with FERC for utilizing the Federal Power Act definition of “cybersecurity incident,” which focuses on attempts to disrupt the operation of hardware, software, and communications. Company partner Andrew Bochman finds that definition too limiting:
“We know from commercial experience and from recent disclosures regarding incursions into the existing Grid that cybersecurity incidents are often not immediately disruptive. Data theft can provide deep intelligence into grid logistics and operation, and passive malicious code is frequently left behind for later use as either a hidden inroad or a data egress mechanism… Power disruption may well be the ultimate goal … but the less obvious damage caused by information leakage and system compromise lays the groundwork for a more damaging or more widespread event in the future.”
Bochman adds that the sheer size of the smart-grid initiative might carry the seeds of its own demise:
“There exists within the security discipline the concept of composability, which relates to the construction of complex systems from individual elements or components. The reality of these assembled systems is that an amalgam of highly secured components will often demonstrate itself to be insecure in the whole, as there are areas, cracks, in the actual integration of the parts.
“Few currently scoped projects will be likely to have more individual elements than the currently conceived Smart Grid.”
One oft-cited benefit of smart-grid technology centers on the use of phasor measurement units (PMUs) to allow grid-system operators to calculate dynamic transmission line ratings that reflect ambient temperatures and wind speeds. These dynamic ratings often will exceed the static thermal ratings, allowing operators to modify dispatch orders to increase line loads. In particular, the American Wind Energy Association (AWEA) has touted this so-called “use case” as a way to boost delivery and consumption of renewables, and especially wind, since high wind speeds often will correlate with higher dynamic line ratings. The North American Synchrophasor Development Initiative (NASPI) has played a key role in developing this particular smart-grid technology.
Nevertheless, the industry comments on FERC’s policy statement suggest that the jury still is out.
NERC observes, for example, that despite growth in PMUs, “we do not yet have a definitive understanding of what real-time phasor data can tell us about present and near-term grid conditions.
“It may take several years of research before such understanding is fully achieved” (see comments, p. 17).
American Transmission Company appears to agree: “There are, however, many other operational challenges inherent in the switch from static to dynamic transmission line ratings.”
CAISO notes that frequency and voltage oscillations sometimes might prove more troublesome than thermal limits, as in the case of the California-Oregon Intertie, which has an operational limit of 4,800 MW, but a thermal rating “substantially above that.” CAISO agrees that wider deployment of PMUs could provide system operators with the data they would need to dampen oscillation and boost line capacity with a well-timed momentary pulse of electricity, but that would require improved energy storage capacity—yet another smart-grid technology awaiting development (see comments, pp. 8-9).
Wally Tillman, longtime general counsel at the National Rural Electric Cooperative Association, provides some context:
“The commission … could theoretically encourage a transmission owner to install synchrophasors on every transmission line, every transformer or every delivery point on the bulk power system… Of course, that expense would be imprudent. There must be an appropriate balance… Utilities seeking to invest in synchrophasors should be required to demonstrate that they found the right technological balance.”
The strongest indictment of the smart-grid initiative and FERC’s proposed policy points comes from Scott Rozzell, executive vice president and general counsel of CenterPoint Energy, headquartered in Houston.
For CenterPoint, the so-called smart-grid revolution pertains primarily to local distribution networks, rather than the bulk-power transmission system, which, according to Rozzell, “has long operated as a smart grid.”
As Rozzell explains, the benefit of smart-grid technology will come from “allowing the distribution utility to identify an outage remotely, to close breakers remotely, and to switch circuits remotely.” Yet at the same time, Rozzell adds, this automation of the distribution system “will not cause the bulk system to be any less automated or any more vulnerable to cyber attacks.”
Importantly, CenterPoint takes issue with FERC’s assumption (which is illustrated in the policy statement by a schematic diagram omitted here) that the fact of Internet connectivity between utility marketing departments and retail consumers, obtained through advanced metering, will put the bulk-power system at risk. Moreover, it argues that FERC’s apparent insistence that NIST must develop standards for all distribution-level smart-grid technologies, on the assumption that they could threaten the cyber security of interstate transmission networks and control centers, will end up delaying more deployments of smart meters and automated metering systems (AMS) by retail utilities.
Such delay is particularly destructive, CenterPoint suggests, because the billions of dollars in DOE funding, made available under the American Recovery and Reinvestment Act (ARRA), could be put at risk. In fact, DOE has indicated in its FOAs (Funding Opportunity Announcements) that it might withhold funding if the applicant cannot show compliance with interoperability standards.
Here is Rozzell’s argument:
“The CenterPoint System does not look like the hypothetical system shown on Appendix A in the Draft Policy Statement. The CenterPoint Control Center is and will remain isolated from the CenterPoint inter-company system that manages the connections with retail customers through the smart meters. There is no communications link between CenterPoint’s customers and the CenterPoint Control Center or the ERCOT dispatcher…
“CenterPoint has a connection to the Internet through its website … but the various components of the intra-company system are separated by multiple layers of protection… The separate components of the CenterPoint intra-company system are isolated…
“Security begins with selecting a state-of-the-art advance metering system, which for CenterPoint includes the Itron OpenWay system using Itron’s Advanced Security architecture…(see Figure 1, CenterPoint Energy Utility System, p.30).
“A hacker would greatly complicate his task by trying to enter the CenterPoint intra-company system through the meter. He would have to steal the encryption keys, overcome the built-in hardware that cannot be altered, and if someone were able to do all that they would discover that there is a very small amount of capacity (1,900 B00 rate) in the link between the meter and the cell relay link to the CenterPoint data collection system. And all the hacker would have achieved would be to access a limited amount of customer usage data.”
Thus, Rozzell and CenterPoint say “there is no reason” why those utilities that have received state approval should not continue to proceed as quickly as possible with their own smart-grid deployments, even if FERC has not yet set its own policy.
“And no reason,” writes Rozzell, “for DOE to delay funding their projects.”