Who will oversee the industry’s cyber standards?
Darren Reece Highfill (email@example.com) chairs the UtiliSec Working Group within the UCA International Users Group, and currently is working for Saker Systems on a long-term contract for Southern California Edison. Formerly he led the utility security practice at EnerNex Corp. Vishant Shah is a security architect with EnerNex, and previously was the deputy director of the control systems security program at the U.S. Department of Homeland Security.
The smart grid is starting to grow up. People are talking less about what it is and more about how to put it in place. The president has made the smart grid a priority, and suddenly the industry is moving in a gear it never knew it had.
However, sometimes growth is accompanied by growing pains. With the smart grid comes the need for cyber security; yet it remains to be seen how the industry will adapt and move forward. A singular authoritative voice might be essential in a domain where the weakest link breaks the chain.
Nevertheless, utilities, manufacturers, system integrators and others continue to find a way to get the job done through leadership, perseverance, and creativity.
While the government and industry choose a single voice, the chorus will carry the day. The successor might even find all the parts written, leaving only the need to lead the show.
Setting the Stage
The need for cyber security has become increasingly apparent over the course of the past year. Mounting political pressures, threatening adversaries, and escalating public anxieties have placed further demands on already accelerated efforts and primed the theater for a smart-grid security authority. The contenders are a disparate lot—from experienced players to savvy newcomers to industry naturals. Regardless, the stakes are high as the coming years will determine who is responsible for ensuring the appropriate level of security is built into the smart grid.
Whoever acquires this responsibility will have no shortage of issues to answer. A recent spate of eyebrow-raising publicity has managed to amplify an already elevated commotion around the importance of security for the smart grid. So who will ascend to this position as an industry prepares to spend untold fortunes on its next generation?
Several federal organizations are active in this space. Legislative bodies have discussed the concept of overarching authority (see sidebar, Congress Seizes Cyber-Sec). The White House just announced a cyber czar position on May 29, 2009. Yet as of this writing, much of the responsibility lies in the hands of the states—specifically with the individual utility commissions. Will the industry find a way to self-regulate? Will a choice be made by a federal agency? Congress? The White House? It remains to be seen who, how, and even whether, the decision will be made with significant, long-term consequences on the line.
Meanwhile, utilities are leading the process. An uncertain outcome provides no excuse for stasis. The work still must be done, and the utility community is driving work forward to secure the smart grid.
In the middle of March 2009, word spread like wildfire through U.S. utilities about an upcoming story on CNN regarding a “smart-grid security vulnerability.” What would be said? How bad would it be? Would it kill project funding?
Many a manager and executive watched with bated breath through hours of programming for a 5-minute trailing segment that was, in many respects, anticlimactic. While implications and inferences were cheap, traceable facts remained as elusive as their sources.[1]
The story propagated quickly via the news outlets. The few facts that could be found were twisted to the point that one outlet even issued a retraction in the following days.[2] Email recipients went berserk with inquisitions and speculations, while the industry groped for a handle on its first prime-time encounter with a purported cyber-security threat.
A few short weeks later, the Wall Street Journal published an entirely different story about cyber security and the grid.[3] While the article didn’t call out smart-grid technology in particular, the message was clear: The grid needs security, and a smart grid will need even more.
One of the oldest marketing tricks in the book is the use of fear, uncertainty, and doubt (or FUD). The tactic is particularly effective whenever there is a significant and visible knowledge gap between the target audience and practitioners of a complicated vocation. The only real countermeasure is positive education-oriented marketing and consistent public outreach.
The electric power industry isn’t considered easy to understand. Neither is information security. It’s therefore little wonder their combination requires knowledge so specialized it appears to lie somewhere between witch doctors and quantum physics.
To date, the utility security community has done little to lift the veil of complexity. When matched against the mature and polished machine of the mainstream media, engineers and scientists don’t stand a chance. The truth might well be that good solutions are at hand because competent people have been addressing the problem for years, but such stories don’t sell papers.
The general public just now is becoming aware that the industry wants to make the grid smart, and most people have no real idea what exactly that means. The off-base news stories were (and are) inevitable. The only real uncertainty is what technical errors they might make, and how they might shape public perception.
If anything beneficial has come from popular press coverage, it’s a reinforced focus on cyber security. No longer an afterthought, security gets top billing these days. Top billing, however, comes with a price—including questions and scrutiny.
While many utilities have been proactive on cyber security for several years, they also have sometimes struggled in obtaining sufficient rate recovery to fund their efforts properly. Accordingly, security experts developed a mature argument for why security should be an early and integral consideration. In the worst cases, practitioners had to figure out how to work security into mostly-baked solutions at the 11th hour. These were valuable survival skills in the days before security was fashionable, but they’re little help to security practitioners who suddenly find themselves in the lead and being asked what to do first.
All history aside, the utility security community now has a choice: Start to quickly make existing and future guidance easily consumable and designed for the beginning of the engineering process, or be seen as the dog that didn’t know what to do when it finally caught the truck. The opportunity is here now. No one can predict with certainty how long it will last. And in order to leverage it properly, the community needs a voice—preferably a single organization that can rightfully claim responsibility for securing the smart grid. Legislators, investors, and ratepayers all need a single entity that can say, “This is our job, and here is what we are doing.”
A most interesting portion of this story is unfolding at the federal level. Congressional hearings on smart-grid security are increasing in frequency. Legislation has been proposed. The White House has taken action. So who will answer for smart-grid security? The Federal Energy Regulatory Commission (FERC) might seem an obvious place to start looking for authority to secure the nation’s smart grid. After all, the Energy Policy Act of 2005 (EPAct) gave FERC authority over the reliability of the nation’s bulk electric system, and created the position of Electric Reliability Operator (ERO). The ERO was to be responsible for establishing and enforcing electric reliability standards.
FERC subsequently designated the North American Electric Reliability Corporation (NERC) as the nation’s ERO, and after significant dialog approved NERC’s Critical Infrastructure Protection standards (CIP). These standards dictate what utilities must do to protect cyber assets deemed critical to the reliability of the bulk electric system. So, why can’t the industry use these standards to secure the smart grid? Why isn’t NERC already the definitive authority in this space? The challenge of smart-grid security for both FERC and NERC is that their purview is explicitly delineated as matters involving interstate transmission, and at this point authority over security starts looking like a states’ rights issue. Both organizations were established to deal with issues that individual states weren’t positioned to resolve. And while globalization increasingly might influence individual daily lives and perceptions, it hasn’t changed the fact this country is still a federation of states. The nation’s laws and governmental structure are founded on a concept of states’ rights, which means individual states have jurisdiction over what utilities do inside their boundaries.
The issue of states’ rights, however, might not stop other federal entities from declaring their authority when it comes to national security. As commander-in-chief, the president has a responsibility to protect the country, and the National Infrastructure Protection Plan (NIPP) directs the Department of Homeland Security (DHS) and the Department of Energy (DOE) as the Sector Specific Agency (SSA) to protect critical infrastructure. The director of national intelligence (DNI) also has a role to play in this regard. Due to the country’s significant and growing dependence on electronic communications, the White House has designated cyber security as a national security issue. In truth, the same could be said for any number of economic components designated as critical infrastructure. How will this impact the cyber security of the smart grid?
While any of these organizations might lay claim to authoritative responsibility, much work would need to be done to ease political tensions and perceptions of governance by people the industry perceives as outsiders. Electric utilities are steeped in the belief that their world is different from any other for good reasons. Nowhere else does one find electric power’s combination of unique market structure, specialized technical knowledge, and obligation to public service and safety. In order to be accepted and effective as the entity responsible for smart-grid security, an organization will have to prove it understands electric utilities. This is no small task, and the pressures of the day simply might not provide the luxury of learn-as-you-go for an organization unfamiliar with the electric power market, drivers, and regulations.
One organization that’s no stranger to electric power is the National Institute of Standards and Technology (NIST). The Energy Independence and Security Act of 2007 (EISA) assigned NIST the responsibility to coordinate the development of an interoperability framework for the smart grid, and until recently this role was an unfunded mandate. However, the American Reinvestment and Recovery Act of 2009 (ARRA) provided NIST with substantial funds, $10 million of which were transferred from the Department of Energy to “develop a comprehensive framework for a nationwide, fully interoperable smart grid for the U.S. electric power system.”[4] NIST subsequently contracted with the Electric Power Research Institute (EPRI) to help develop this framework, and work has been carried out at a furious pace since April of this year.
NIST is a proven leader in facilitating standards and technology development; however, it lacks significant experience as an agency of enforcement. While the organization might be quite capable of such a role, the authoritative responsibility for smart-grid security would be a new type of endeavor for NIST, and current indications don’t suggest it has any agenda on this front. The agency also is more than a bit busy at the moment, leading the industry in efforts to develop the interoperability framework. Assumptions are dangerous things, however, especially in the world of security. Even if NIST never makes a move in this direction, its activities certainly are worth tracking.
United We Stand
The security of the smart grid depends on the actions of many. Smart-grid applications will push communications technologies to the furthest endpoints of the electric system, from the transmission substation to the distribution system to the meter all the way into the customer premises. The magnitude of impact from this fundamental paradigm change is difficult to overstate. The grid is transitioning from a relatively isolated system operated by a very small, highly trained set of known individuals to a completely connected, fuzzily-bordered system that invites everyone and everything to participate. Security must not only be built into the smart grid from the beginning—it must be engineered at each point and every level.
The key point, however, is that the smart grid is pushing control further and further out into the system. The single remote disconnect of a meter might not have a significant effect on system stability. The simultaneous disconnect of large numbers of meters is another matter entirely. Traditional models assume large load sheds happen at points that see the entire load: a breaker fails, a transformer goes down, a line is cut. But what happens when a tailored virus infects an entire meter network and uses a timer to simultaneously disconnect every meter it touches?
Could this type of attack destabilize the grid? The answer of course depends on conditions, environment, and many other variables, but the NERC CIP threshold of 300 MW for an automatic load shed easily could be met by 100,000 homes at peak load—a significant number to be sure, but also a figure that might be handled within a single utility’s distribution system. If a portion of a single distribution system has the potential to destabilize the grid, then the industry must fundamentally re-think the importance of security, especially when it comes to distribution. No longer is a single utility safe so long as it implements security properly and effectively protects itself. Neighboring utilities are likewise at risk, and one utility’s failure to protect system stability can mean failures all around them.
A Common Forum
One of the more overlooked organizations that may play a role is the National Association of Regulatory Utility Commissioners (NARUC). For investor-owned utilities in the United States, the state utility commissions are the gatekeepers, as a utility must obtain their approval to recover project costs through retail rates. Utility commissioners could use this position to ensure any utility performing a major project does so with cyber security properly implemented.
But utility commissioners are not cyber-security experts, and in most cases neither are their staffs. Commissioners will need resources to which they can refer and education on how to use them. If the commissioners know the questions to ask, along with what the right answers look like, the dialogue between utility and commission can be improved. Commissioners and utilities alike would know what to expect. In the end, the industry has a way to start pushing cyber security at the distribution level.
Unfortunately, this plan isn’t without flaws either. Most municipal utilities and public power agencies are government owned and exempt from regulation, as are many electric cooperatives. These utilities don’t answer to state utility commissions, but rather to other varying governmental structures such as appointed or elected board members. The larger municipal utilities serve more than one million customers, so the load can be very significant even for an individual utility. And unfortunately, there’s no single unifying mechanism that can be used to apply pressure on municipal utilities to implement cyber security in any particular way.
Even for utilities regulated by state commissions, regulatory relationships often can be strained. Deregulation tended to set up a contentious dynamic that sometimes still exists. Utilities and commissions alike would have to recognize they share a common goal, and building the trust required to form this kind of partnership might take significant work.
Coming Full Circle
So how does the electric power industry find a means to address a cross-cutting concern such as cyber security? First and foremost, the industry must reach consensus on a set of requirements for smart-grid security.
The set of smart-grid security requirements with the broadest acceptance in the utility community today is the “Advanced Metering Infrastructure System Security Requirements” produced by the AMI-Security Task Force (AMI-SEC) as part of the UCA International Users Group (UCAIug). This work currently is being transformed from AMI-specific guidance into specifications for the entire smart grid through the activities of the U.S. Department of Energy (DOE), the UtiliSec Working Group (also part of the UCAIug) and the NIST Cyber Security Coordination Task Group (CSCTG).
The NIST CSCTG work represents the cyber-security component of NIST’s smart-grid interoperability framework effort. The organization is taking a broad sampling of input in this process, leveraging industry experts for core document composition, while engaging the industry in commentary, use-case review, requirements gathering, and feedback. NIST is receiving tremendous support from the industry in this effort, as participation in face-to-face workshops and the volunteer offerings among vendors, utilities, and consultants alike is strong. This activity offers clear proof the industry is ready and willing to step up to the plate when the call is made for cyber-security guidance. NIST’s challenge here won’t be in development of new material, but rather in coalescing a heterogeneous assembly of sound, high-quality standards and specifications.
The foremost organization defining these specifications today is the UtiliSec Working Group—a utility-driven industry collaborative focused on producing vendor-neutral requirements for smart-grid security. Interestingly, UtiliSec is following a pattern set by the AMI-SEC Task Force in 2008 of forming a public-private partnership to fund industry experts and get the real work done. This unique approach addressed two critical issues with industry collaborative efforts: lack of resource accountability and scarcity of essential knowledge and experience.
While volunteer efforts are commendable and illustrate industry support, the pace of the resultant technical work often suffers due to an inability to authoritatively assert priority in the schedules of key resources. In a single organization this may be overcome by managerial direction. But when critical participants are spread across numerous organizations, priorities have a way of slipping out of synchronization. The original AMI Security Acceleration Project (ASAP) proved that utilities, government, and academia could pull together to surmount the challenges of prioritization and resource availability by forming an actionable and accountable, project-oriented team. This team produced a landmark smart-grid security document in an extraordinarily short timeframe (about six months), titled “AMI System Security Requirements”—sometimes abbreviated and merged with the task force name as the “AMI-SEC SSR.”
While the AMI-SEC SSR has been very well received in the industry, it isn’t perfect and could stand for improvement in two primary areas. First, the AMI-SEC SSR is a thick, somewhat intimidating document that does not segment readily nor facilitate ease of consumption. And second, the document was written for those with an explicit understanding of advanced metering infrastructure. Fortunately, the ASAP team had the foresight to assume the underlying communications infrastructure of AMI might be used for other smart-grid applications, and abstracted the problem in such a way that the document could be readily adapted to provide a foundation for overall smart-grid security. Now, almost all the same people have formed a follow-on project team to address precisely these two issues under an effort titled the “Advanced Security Acceleration Project for the Smart Grid” (ASAP-SG).
The resultant work products of ASAP-SG will provide multiple paths forward. The team is working closely with the DOE and NIST CSCTG, and will feed documentation into the NIST effort on a contributory basis. Likewise, the documents will be contributed to the UtiliSec Working Group as mature drafts for community review, commentary and approval—just as the AMI System Security Requirements were provided to the AMI-SEC Task Force. Regardless, these specifications will need to be coupled with technology-specific standards to facilitate secure implementations, and ultimately will need the endorsement of an authoritative organization. Until such an organization exists, the industry must rely upon self-regulation. However, the industry still may have some options to bolster what otherwise might be a weak enforcement solution.
One of the more interesting models to consider is a peer-pressure scenario involving differentiated rates or tiered pricing for utility-to-utility power purchases according to provable implementation of resiliency measures. This would necessitate utilities and their commissions accepting that cyber-security risks translate to real-world costs and allowing utilities to implement some form of agreement with neighboring utilities.
A peer-pressure model would provide two benefits. First, the model transfers the real-world costs of building a resilient organization to the origins of risk. Typically, it’s cheaper in the short term to build a low-resiliency organization. However, in a highly integrated and interdependent environment such as the electric power system, the risks invoked by building such an organization easily can propagate beyond the organizational borders and into neighboring organizations.
The peer-pressure model could allow a utility essentially to provide a discount or rebate to an organization that could provide audit records illustrating the organization meets approved resiliency metrics. Conversely, the utility might adopt a higher baseline rate for organizations that fail to prove their resiliency. In doing so, the model would remove the ability of an organization to have a free ride at the expense of its neighbors in the longer term. Again, this model would depend on utility commissions accepting that cyber-security risks translate to real-world costs for their constituent utilities.
The second benefit of the peer-pressure model is that it empowers and encourages the utility community to successfully police itself. In fact, NERC was originally an industry-driven collaborative that only recently became the Electric Reliability Operator. However, registration and compliance were voluntary and utilities were responsible even for reporting violations. Incentive to participate was indirect at best. The incentive to participate for the peer-pressure model can be addressed by allowing a differentiated rate, if such a measure were approved by the appropriate commissioners. However, the peer-pressure model likewise would face the same tough challenge NERC CIP development faced: reaching industry consensus.
In order to achieve broad acceptance of criteria for monetary incentives, resiliency criteria likely would need to be produced by a respected standards development organization such as the IEEE or IEC, and unfortunately this takes time. Some outstanding work already exists by the Software Engineering Institute at Carnegie Mellon in this realm;[5] however, it still would need to traverse the standards development process to receive the industry’s blessing.
The utility community will continue driving this work forward. But ultimately it will need a champion that can point to a body of work and authoritatively state which path the industry shall follow. The stage is set and the chorus is carrying the song. With any luck, the eventual leader will be able simply to pick up all the parts and start performing.
4. http://www.nist.gov/recovery/
5. Resiliency Engineering Framework.