Security and the States

The regulator’s role in promoting cybersecurity for the smart grid.

Fortnightly Magazine - July 2012

No state regulator wants to wake up one day and learn that hackers have brought down the power grid in his or her state. At the same time, many state regulators want to encourage modernization of the electric grid. They realize that making the grid smarter could make it more vulnerable to cyber attacks. But state regulators struggle to define their role in promoting cybersecurity.

State commissions face several dilemmas. Even the largest states must work with tight budgets and limited expertise. Nor are individual electric utilities well prepared to handle the novel and complex challenges of cybersecurity. Cybersecurity standards at the federal and industry level are slow to be adopted. And it isn’t clear how regulation, state or federal, can be effective in producing desired results.

State regulators have confronted IT and security issues for many years, of course. In the months leading up to Y2K, it was hard to find a consultant available to help a state make sure its utilities were prepared. The sudden emergence of that computer code problem was a wake-up call. And we all remember where we were in September 2001 when we learned that the United States had been attacked by terrorists. The 9/11 attacks gave state regulators a crash course in the need to protect critical infrastructure, including the computer networks that support it. At first, we tended to think in terms of protecting buildings and equipment, rather than countering cyber threats. But questions about cybersecurity have emerged in recent years. And the advent of the smart grid has forced regulators to focus on the security of our utilities’ interconnected cyber assets. (See Fortnightly’s recent coverage of this issue).

Smart grid technology bumps up the threat potential significantly, by interconnecting previously stand-alone components of the grid, collecting unprecedented amounts of information, and linking parts of the grid to the Internet. The risks aren’t only that valuable information will be stolen, but that hackers can corrupt the operations of the grid. The success of the Stuxnet worm in setting back the Iranian nuclear program woke us all up to the risk of adversaries hacking into system controls—e.g., SCADA systems. Recent reports that the United States and Israel used such malware to slow down nuclear bomb development in Iran have raised concerns about possible cyber retaliation. The need for utility cybersecurity has reached the urgent stage.

State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to self-regulate. Another approach is to leave this job to the federal government. The industry and the federal government, however, so far haven’t developed and implemented adequate standards for securing the smart grid. Indeed, developing such standards is a mammoth, never-ending, and to some extent ultimately unsatisfactory task in the arena of cybersecurity. States can play a constructive role, albeit perhaps not in the form of traditional regulation.

Heads in the Sand

One clearly inferior option for state action is to ignore the problem. Commissions have a mandate to supervise utilities to ensure safe and adequate electricity.

The general public has become aware that complex interconnected cyber systems on which they depend have frequently been hacked. Almost everyone knows of someone whose identity has been stolen. The news media report daily that hackers have stolen customer account information and credit card numbers from the systems of major banks and on-line vendors. More recently, heightened attention to grid security has brought to public awareness incidents of cybersecurity violations that already have occurred in the U.S. electric industry.

As early as 1998, a team of hackers working for the Department of Defense showed that they could penetrate and damage the United States electricity grid. In 2001, hackers protesting the U.S.-China conflict hacked into electric power systems in the United States to show that it could be done. In 2003, a common computer worm shut down systems at the Davis-Besse nuclear plant. In 2007, a disgruntled California ISO employee shut down much of the ISO’s data center over a weekend—and would have shut down the market if the breach hadn’t been found and fixed before it opened on Monday. In 2009, the Wall Street Journal reported that an electricity grid in the United States had been penetrated by spies, possibly Russian or Chinese. The report, quoting industry and government sources, also noted that hackers had penetrated electrical systems abroad and tried to extort money. In 2010, a memo from the Federal Bureau of Investigation reported that a major electric utility in Puerto Rico had lost about $400 million in revenue because criminals had altered usage readings in customers’ smart meters for a fee.

Security experts will continue developing patches and fixes to prevent such breaches, but the hackers will continue to identify and exploit previously unknown vulnerabilities. The incidence of such violations will increase exponentially once the grid, from generator to home area network, is fully interconnected in cyberspace. For now, only nations are likely to have the resources and the motives to bring down whole sections of the grid. And a primitive form of mutually assured destruction has so far limited the risk that foreign powers will exercise their cyber warfare potential to black out grids in America. The probability of any given utility’s network being brought down on any given commissioner’s watch today is remote, but state commissions might find that cold comfort.

Leave It to Industry?

A regulator who doesn’t want to ignore the problem, but believes others are better positioned to prevent cyber mischief, might turn to the industry, both utilities and vendors. Many industry groups are in the process of developing standards for piece-parts of the smart grid, and such standardization could improve cybersecurity. Leaving it to the industry would make sense if the industry had the means and motivation to do the job well. But there are a number of reasons state regulators can’t rely on this approach.

First, given the complexity and consequences of cybersecurity issues, a commissioner might not be comfortable if a utility tries to go it alone in this area. Even the best-intentioned and solvent electric utilities face a steep learning curve, moving from securing physical assets to securing connections in cyberspace. The skill sets don’t overlap significantly, and electric utilities have to bring on information and networking experts specializing in securing cyberspace as opposed to substations. Further, no utility is an island—particularly when it comes to the smart grid, a system that depends on greater interconnections.

Several utilities and grid operators are leaders in the effort to implement strong physical and cybersecurity to protect their critical systems and assets. But given that so many regulated entities and non-utility participants are interconnected and interdependent in operating the bulk power system and the smart grid, no single organization can achieve and sustain even a minimum level of cybersecurity on its own. Grid operators, generators, power and demand-response providers, and distribution utilities will all have to develop management structures and expertise that recognize and act on the need to bake security into all phases of the business.

Initiatives such as the ZigBee Alliance and other vendor and user efforts to develop common standards also fall short because each addresses only a small portion of the varied technologies and systems that make up the smart grid. Another difficulty in taking this path to better smart grid security is that the industry efforts to promote security are delayed and sometimes distorted by the competing commercial goals of the various players. In theory such competition can produce a better mousetrap. But the smart grid industry is far from producing many essential cybersecurity mousetraps, at least not for huge subsystems within the smart grid.

In addition, such efforts focus on new technologies, and don’t address the cybersecurity of legacy technologies. The ultimate barrier might be doubt about whether standards translate directly to adequate security.

Leave It to the Feds?

Leaving the problem to the federal government might appeal to state regulators for a variety of reasons. The bulk energy system is almost all interstate. Criminal syndicates work across state and national lines, and cyber war is clearly a national issue. The federal government has a number of initiatives underway to pursue cybersecurity, and has the resources to look both broadly and deeply at the issues. But there’s nothing in place yet that occupies the field, and so far federal agencies don’t even have clear jurisdiction.

Under the Energy Policy Act of 2005 (EPAct 2005), Congress set up a system to promote reliability in the bulk power system. As part of that system, the Federal Energy Regulatory Commission has authority to review and promulgate critical infrastructure protection standards that have the support of a consensus of the industry. Once approved, the standards are enforced at the first instance by the North American Electricity Reliability Corp. (NERC), FERC’s designated electric reliability organization. Ultimate enforcement authority lies with the FERC, in the form of substantial after-the-fact penalties for non-compliance.

Under the EPAct 2005 rubric, NERC has developed several iterations of cybersecurity standards covering general security tools and practices. In 2008, by Order 706, the FERC approved and issued eight standards proposed by NERC, returning others for further work. These standards are commonly referred to as the “NERC CIP.”

States can’t rely on NERC CIP standards alone to safeguard the grid in their state. Those approved and under consideration don’t yet apply to all companies and elements touching the grid. Smart metering infrastructure includes distribution-level and customer-owned devices, and NERC jurisdiction doesn’t penetrate to this level. The NERC CIP also focuses as much on documentation and compliance issues as on detailed technical prescriptions, so it provides little guidance for detailed system design.

Under the Energy Independence and Security Act of 2007 (EISA)(Public Law No: 110-140, Sec. 1305), Congress has tried to push grid modernization along by designating the National Institute of Science and Technology (NIST) as facilitator of industry efforts to develop interoperability standards for the smart grid. Under EISA, NIST set up the Smart Grid Interoperability Panel (SGIP), primarily an industry group, to coordinate the efforts of the standard development organizations (SDOs) approved by the American National Standards Institute. At this writing, only six state commissions plus NARUC are participating members of SGIP. Another 11 have observer status.

For a number of reasons, states that are waiting for the NIST-SGIP process to solve smart grid cybersecurity issues shouldn’t hold their breath. These efforts, facilitated by the federal government, will produce many workable standards that should improve cybersecurity across much of the smart grid, but it’s a broad, long-term challenge. George Arnold, NIST national coordinator for smart grid interoperability, has cautioned that the scope of the standard-setting effort for smart grid is daunting. Hundreds of interoperability standards are needed to ensure the many elements of the smart grid will work together.

Also, NIST and the SGIP focus primarily on the seamless interoperability of the various components of the smart grid. Each SGIP standard is designed to achieve a specific technical end—such as defining a standard charging system for electric vehicles, or performance specifications for advanced meters. The industry standards also address interfaces between these subsystems—determining how the various functions and requirements should be configured and operated so that their operations flow cleanly into other links in the smart grid chain.

Alison Silverstein, aide to former FERC Chairman Pat Wood, has noted that the interoperability standards being developed under the NIST-SGIP process don’t protect an entire system. They’re being designed and written to cover piece-parts of the smart grid—a meter, the information flowing out of a substation, the plug for an electric vehicle, pricing for demand response, and so forth. Some were drafted and adopted before there was a formal SGIP focus on the cybersecurity chain, as well as the performance chain, across the smart grid.


Also, only recently did the SGIP create the Cybersecurity Working Group (CSWG), to review interoperability standards once they’ve been proposed by the interoperability working groups, and to comment on the extent to which they meet security guidelines. The CSWG is helping to identify ways to make elements of the smart grid more secure, and to identify security gaps at the interfaces of systems. But there remain flaws or gaps between devices and roles, and likely cybersecurity weaknesses from a system perspective. Meanwhile, as cybersecurity threats become more sophisticated, legacy devices remain in the field. These will be protected primarily by asset owners’ own system-wide and specific cybersecurity efforts, including the NERC CIP requirements and good business practice—to the extent that’s been defined as yet in the emerging smart grid world.

Importantly, the NIST-SGIP initiative has produced guidelines for industry consideration, not mandates. Utilities and other smart grid industry players aren’t obligated to follow these guidelines. The NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 2.0, and NIST Guidelines to Smart Grid Cybersecurity (NISTIR 7628) speak repeatedly of guidelines that are being developed or will be developed, but are fairly quiet on standards that have been established. Meanwhile, NIST-SGIP continues to identify additional gaps that will have to be filled.

When industry does achieve consensus on a smart grid standard, FERC can promulgate the standard as a regulation. EISA doesn’t define what constitutes consensus, however, and doesn’t specify the consequences of failure to meet a FERC-approved standard. Further, the FERC hasn’t reached a clear position on its jurisdictional reach under EISA. The smart grid will link devices and processes all the way from behind the meter, through the local distribution grid, and into the bulk power system. Federal and state jurisdictional divisions remain a problem.

As of late 2011, the General Accounting Office of Congress, in its report, “Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to Be Addressed,” noted that FERC and the National Association of Regulatory Utility Commissioners (NARUC) are discussing how to facilitate the transition to a smart electric grid. As the GAO reports, however, “according to FERC and NARUC officials, FERC and the state PUCs have not established a joint approach for monitoring how widely voluntary smart grid standards are followed in the electricity industry or developed strategies for addressing any gaps.” (See GAO Report 11-117.) And the FERC-NARUC Collaborative on Smart Response process has touched on cybersecurity only in general terms. In a February 2012 letter to key members of Congress, FERC Chairman Jon Wellinghoff described the FERC-NARUC coordination efforts as ongoing.

In any event, lack of consensus within the industry has prevented the FERC from approving any of the five standards forwarded from NIST so far. (See FERC Order on Smart Grid Interoperability Standards, Issued July 19, 2011.) While FERC still looks to the NIST-SGIP process for answers, NIST and SGIP haven’t sent any further sets of proposed standards for FERC action since the one set in early 2011. Even if the SGIP-NIST process were to develop specific design or performance standards, FERC as yet has no plans for enforcement of consensus standards that it adopts as regulations. Instead of being a confession of uncertainty, this posture of FERC’s might signal a recognition that mere checklists of compliance are inadequate to promote security. Utilities will go through the paperwork for the FERC, but some utilities might, in effect, work to code, considering the job done if the checklist is completed.

A utility that adopts and implements the relevant parts of the NIST guidelines should have a head start on cybersecurity. But filling in the details, developing protocols for the utility’s entire smart grid, and getting the system up to speed will take time and money. In addition, all the vendors and operators working in the smart grid area would have to do the same, an unlikely scenario.

Another part of the problem might lie with the sheer number of federal agencies, all trying to break the logjams and push out usable standards. In addition to Congress, federal agencies involved so far include the Department of Energy (DOE), Department of Defense (DOD), Department of Homeland Security (DHS), the White House, the FBI, the National Security Agency (NSA), FERC, NIST, and others. FERC and NIST appear to be the primary source of leadership in the power system arena, but military and law enforcement agencies have voiced a need for a coordinated approach to cybersecurity from their perspectives.

Thus, there are a number of federally sponsored public and public-private initiatives that include the promotion of cybersecurity in the smart grid. However, a basic set of such standards that a utility can follow remains years in the future.

Avoiding Regulatory Pitfalls

It might not be productive for a regulator, federal or state, to set design standards as the primary means to protect the smart grid. Design standards refer to rules governing how the regulated entity builds and operates its system. So, for example, regulators following the design standard approach would find themselves drawn into such arcane questions as how to screen prospective employees, how frequently to change passwords, whether laptops can be used and taken away from a site, who can use thumb drives and who can’t for what purposes, how firewalls should be constructed, the extent to which the utility can or should use communications networks supplied by others, what third-party contracts must contain, and the like.

In addition, the smart grid already contains too many moving parts for a regulator to cover the entire field with specific design requirements. As new technologies are introduced, design requirements need to be updated. Regulation by design standards would be an enormous and never-ending job. Also, as noted above, setting particular design standards tends to create a work-to-code mentality at some utilities. At the same time, regulation by specific standards might give the public a false sense that the risks to the grid have been contained.

The other classic approach to regulation is to prescribe the desired outcomes, and leave it to the industry to achieve these outcomes. Under such a performance or outcome-based approach to regulation, the utility wouldn’t report its actions to keep the grid secure, but rather the results of its actions. If its performance fell below the regulated minimum, various consequences could follow, in an effort to push performance up to the minimum. An example of this approach in the smart grid world might be a requirement that breaches of certain types be limited to a certain number, or that consequences of breaches to the grid and to the public be limited in scope.

Such outcome-based regulations are impractical in the smart grid situation, at least at the present time. There isn’t enough experience with smart grids to identify a set of optimal and realistic outcomes. Another problem is that, whatever the form of regulation, there’s always the risk that the industry or the regulator might only establish lowest-common-denominator standards.

We know as a certainty that we can’t protect the smart grid 100 percent, but what level of protection is realistic, affordable, or attainable in an age of ever-evolving cybersecurity threats?

The kind of cyber attacks that might keep a state regulator up nights fall into the category of “high impact, low frequency” events. (See “High-Impact, Low-Frequency Event Risk to the North American Bulk Power System,” A Jointly-Commissioned Summary Report of the North American Electric Reliability Corp. and the U.S. Department of Energy’s November 2009 Workshop.) As such, they elude comprehensive and definitive risk management. HILF events by definition occur rarely, or haven’t ever occurred. As a result, there’s almost no operational experience to help identify security issues or develop security responses.

In addition, some fundamental cybersecurity questions have no easy answers. For example, banks, online vendors, and others with substantial cybersecurity experience still must continually decide between competing theories and techniques for how best to protect their networks, and the data and controls that use them.

One persistent debate among cybersecurity experts concerns the extent to which a breach in a system should be publicized. Some argue that publicizing a hacker’s success will simply teach the bad actors where to find the vulnerabilities, and will scare the public needlessly. Other cybersecurity experts argue just as vigorously that publicizing the breach allows the firm to get help in figuring out the vulnerability and to solve it, while not adding to the sophisticated hackers’ arsenal. Proactively publicizing the breach—and the patch—also reassures the public that the extent of the problem is known or will be known and remedied, and that the industry is learning from these unexpected vulnerabilities. Regulators will have to pick a side in this ongoing debate.

The Role of the States

Even the largest states lack the resources, the scope and the jurisdiction to take over and keep up with cybersecurity issues affecting their states. But one state has tried to push the work forward using tools at its disposal. In an effort to identify the characteristics of a successful utility cybersecurity program, the California PUC has established a Technical Working Group of staff and stakeholders to develop metrics for gauging cybersecurity efforts. As the commission said in its order establishing the working group, “these metrics should provide a means to measure the effectiveness of a utility’s cybersecurity policies and protocols as it applies to existing and new Smart Grid deployments.” (See Proposed Decision of Commissioner Peevey, Mar. 20, 2012, Cal. PUC Rulemaking 08-12-009, p.34.)

Among the members of the CA cybersecurity metrics working group are such well-known commenters in the field as Andy Bochman, author of the Smart Grid Security Blog. Bochman is known for saying that if you can’t measure what you’re doing, you can’t know if you’re successful. The California process should eventually be able to provide other states some workable security metrics, at least for some aspects of smart grid performance. Meanwhile, states wanting to proceed now with smart grid installations won’t have the benefit of this effort.

The Technical Working Group in California also will have to advise the PUC how best to motivate utilities to do the work needed to keep the smart grid safe. This is the classic problem of regulation. As noted above, it’s difficult to decide a workable approach in the arena of cybersecurity.

If a state can’t develop its own effective regulations for smart grid cybersecurity, what can a commission do besides wait on the initiatives now underway? One thing a state regulator can do today is to promote a robust cybersecurity culture among its jurisdictional utilities. Even if a utility isn’t planning to implement the full smart grid yet, such a serious approach to cybersecurity is warranted given the extent of cyber risk already hidden in the classic grid. Regardless of the action or inaction by other entities, state regulators are uniquely positioned to foster such a proactive security culture within the utilities they supervise. If such a culture is led from the top of the firm and pervades the utility, and if the utility has the resources to take the NIST-SGIP recommendations and guidelines to implement its own behavioral and performance standards, one foundation of cybersecurity will be put in place.

Utilities will have a better shot at achieving a cybersecurity culture if they create the position of chief security officer reporting directly to the CEO, and if cybersecurity becomes a strategic issue for the firm, with the ongoing attention of the board. A chief security officer (CSO) would have authority and responsibility to look at all aspects of the utility’s security functions, from data collection and storage through to protection of SCADA systems. To do a comprehensive job, the CSO ideally shouldn’t report through a chief information officer. While security involves many information technology systems, it’s needed throughout the organization, in a world where most functions of the organization are linked together electronically, even if only remotely.

Utilities might argue that they need pre-approval and current recovery of cybersecurity costs. Utilities and their smart grid industry partners sometimes claim that without such cost recovery, a utility will lack the ability and resources to pursue cybersecurity with vigor, presumably because in and of themselves, cybersecurity investments don’t generate revenue. However, the industry has it backwards.

If a utility executive says the firm won’t vigorously pursue cybersecurity absent a tracker to recover its costs outside the normal ratemaking treatment, the utility is signaling that it might not have fully embraced the goal of such security. And a utility that tries to reassure the commission that such guaranteed revenues can be clawed back on a later finding of imprudence might be hoping the commissioners are naive about how prudence reviews work.

There’s a huge difference between pre-approving and providing extra-rate-case recovery of utility investments in cybersecurity, and making it clear that the commission understands the need to change out obsolete equipment and technology, beef up staff, and make investments to protect the grid. But if a utility cares so little about cybersecurity that it won’t pursue the smart grid or the cybersecurity component of the smart grid absent guaranteed, dollar-for-dollar, few-questions-asked revenues awarded outside of normal cost recovery, this should be a red flag to the commission about letting that utility install the connectivity inherent in the smart grid.

To foster a culture of security, the commission can make it clear that such a culture is expected in the utilities it supervises. It shouldn’t need to assuage utility anxieties about cost recovery, but it might find it useful to do so. The commission can make clear that reasonable investments to that end will be considered components of a utility’s revenue requirement. The commission also can note that if the utility isn’t able to earn a reasonable profit at current rates, the utility can seek an increase in rates, and responsible cybersecurity costs will be reflected as would any other prudent investment or expense.

The commission’s expectation that utilities take cybersecurity seriously can be communicated in various ways, all the way from private meetings with senior utility officials to public hearings where the commission informs and hears from the public. Private meetings might encourage some utilities to be more forthcoming in describing the state of their efforts. But such meetings might not be legal in all states, and they aren’t good practice. They will draw criticism and engender suspicion when the public becomes aware that the commission is trying to regulate in this closed-door fashion. And they don’t enlist the support of the public for the goal of strong cybersecurity.


By contrast, maximizing public awareness fosters greater trust in the long run. In addition, public and informal meetings on utility efforts generally will help educate the public on the choices facing the state. Such sessions also give the commission an opportunity to learn the preferences of the electricity consumers whose grid will be modernized and thereby made more vulnerable. The utility also can show the public its understanding of and commitment to maintaining cybersecurity.

Today, utility attorneys commonly ask for confidential treatment of any information relating to cybersecurity, and commissions typically grant such requests automatically. This course is safer than evaluating utility claims that publicizing any information about grid cybersecurity will educate hackers. Without engaging in the debate over the extent to which security is improved if breaches are publicized, reflexively granting such confidentiality requests constitutes an implicit decision in favor of the “keep all security information close to the chest” camp. It also deprives the commission of the input of stakeholders and the public on the choices that must be made regarding smart grid implementation. There might be limits on the extent to which certain relevant information can or should be publicized, but this issue deserves discussion.

Is Smart Grid Worth It?

None of the options available to state regulators today is clearly superior. In the end, each state will have to decide whether implementation of a smart grid at this nascent stage in the development of cybersecurity will bring benefits that are worth the added risks created by pushing intelligence and connectivity out into the grid and to customers’ premises. This is the acid test. Cybersecurity is only one issue in the determination to implement smart grid at this time, but it’s crucial. If a state regulator can’t be confident that the benefits of expanding smart grid interconnections outweigh the increased risks of a smart grid, it might make sense to hold back and let others make the inevitable mistakes of a new technology.

Other industries using cyberspace face the same problems, of course, with or without mandatory cybersecurity standards. Yet they continue using cyberspace. Such entities point to customer demand for the convenience of those online services as a counterweight to public concerns over privacy and security. We don’t yet know how much electricity customers value what the smart grid offers.