Cybersecurity Webinar 4 - CSG Knowledge...
Smart Grid Update
Christopher J. Eisenbrey
Director, Business Information
Edison Electric Institute (EEI)
The Council of State Governments (CSG)
April 26, 2012
Edison Electric Institute (EEI)
The Edison Electric Institute (EEI) is the association of U.S. Shareholder‐Owned Electric Companies. Our members serve 95 percent of the ultimate customers in the shareholder‐owned segment of the industry, and represent approximately 70 percent of the U.S. electric power industry.
EEI provides public policy leadership, critical industry data, market opportunities, strategic business intelligence, one‐of‐a‐kind conferences and forums, and top‐notch products and services.
Why Is The Existing Grid “Intellectually Challenged”?
Limited communications ability
• With customers—to share information on price and energy usage
• With the supply system – to effectively manage increasingly decentralized power sources (e.g., wind, solar, distributed generation)
Limited “situational awareness”
• Outage monitoring—relies on customers calling
• Inability to remotely identify developing T&D problems
Limited system self‐healing capabilities
Why Do We Need A “Smarter” Grid?
It will offset new infrastructure investment needs, while increasing the productivity of existing infrastructure
It will support environmental policy objectives through demand response and the easier integration of renewable sources of energy
Component of “all of the above” energy strategy—SOTU, 1/24/12
It will enable utilities to:
• Empower customers to control and optimize their energy usage
• Rely on greater amounts of distributed generation, including wind, solar, etc.
• Use electricity as a fuel for vehicles
• Enhance the reliability and efficiency of the power grid
• Provide the framework and foundation for future economic growth
Electric Utilities are Leading the Way
The Changing Nature of the Grid
Deployment of smart technology, particularly distributed generation and energy storage, will have a profound impact on the structure, design and operation of the T&D system
Customers will progressively pursue alternative power supply options that have the potential to supplement and/or replace power from the traditional utility:
DOD initiatives
Colleges and universities
Commercial applications
Individual residential customers
The electric utility industry is developing a strategy to deal with this and other potentially disruptive smart technologies
Industry Smart Grid Focus To Date
Initial industry smart grid focus has been driven by Administration goals and mandated state policies
Stimulus Awards
White House SG Subcommittee Policy Framework development
NIST/Smart Grid Interoperability Panel (SGIP)
Federal agencies—DOE, FCC, FERC
Early smart meter adopter states such as California and Texas
Two key federal activities that will continue in 2012 are:
The NIST/SGIP process for the development of interoperability standards
Federal funding for this activity will expire in 2012.
Some EEI member companies (in CA, TX, and MD) are actively engaging the Administration on the "Green Button" Initiative to provide standardized energy usage information to customers.
A Change In Direction In 2012
Industry smart grid focus is shifting to state‐level issues
• Customer acceptance/operational issues
• Identification of business opportunities arising from the deployment of smart technology
• Implementation of regulatory changes necessitated by the deployment of smart technology
Smart Grid Acceptance Challenges
Accuracy of meters
Radio Frequency
“Opt out” initiatives
Cost of Installation
Privacy concerns
Impact on “At Risk” customers
Dynamic pricing concerns
Over promising by vendors and others
Immediate benefits not being seen by customers
Regulator Pushback
Communications Campaign
• Research
• Message Development
• Toolkit
• External Advocacy
Sequenced, coordinated campaign with four phases guided by member company advisory working group
New Public Website: SmartGrid.eei.org
Get the Basics
Follow the News
Explore the Research
Join Our Community
EEI Member Company Communications “Toolkit”
Cyber Security: Federal and State Policy Overview
April 2012
Electric Utilities Support Cyber Legislation
Any legislation should embrace these principles:
Limit scope of any new emergency authority to imminent cyber threats against truly critical assets
Include all critical infrastructure sectors in a cyber security regime given their interdependence
Encourage more information sharing between government and industry stakeholders
Build on existing Federal Power Act process; we’re the only industry with mandatory and enforceable cyber standards
House of Representatives Asks:
Cyber Legislation: House
The House this week is considering 4 bills to:
• Improve public‐private information sharing;
• Expand federal R&D on tech and human resources; and,
• Strengthen protection for government networks.
Two bills that didn't make the cut for Cyber Week: the utility‐specific GRID Act and a bill giving regulatory authority to DHS for protection of critical cyber infrastructure
Improves Coordination in government: Gives National Institute of Standards and Technology the authority to set security standards for federal computer systems and develop checklists for agencies to follow.
Improves Coordination outside of government: Creates a federal‐university‐private‐sector task force to coordinate research and development.
Improves R&D: Establishes Cybersecurity research and development grant programs.
Improves quality of cyber professionals: Creates scholarship programs at NSF that can be repaid with federal service. Assessment of cybersecurity workforce needs across Govt.
H.R. 2096: Cybersecurity Enhancement Act (House Science, Space and Technology Committee)
This legislation enhances the Federal Information Security Management Act (FISMA) of 2002 by improving the framework for ensuring security over information technology systems that support the federal government. It establishes a mechanism for stronger oversight through a focus on automated and continuous monitoring of cybersecurity threats and the implementation of regular threat assessments.
H.R.4257 ‐ Federal Information Security Amendments Act of 2012
The House Intelligence Committee Bipartisan Legislation:
Private sector entities would be permitted to anonymize or restrict the information they provide to others, including the government.
Threat information shared with the government would be exempt from disclosure under FOIA, treated as proprietary information, and would be prohibited from use by the government in regulatory proceedings.
Liability protection, classified information, modeled after the DIB Pilot, Privacy and Civil Liberties Oversight Board, Annual report to Congress
H.R. 3523: Cyber Intelligence Sharing and Protection Act of 2011
What’s NOT part of “Cyber Week”
H.R. 3674, the House Homeland Committee’s PRECISE Act
E&C’s Utility‐specific Grid Reliability and Infrastructure Defense (GRID) Act
Cyber Legislation: Senate
Meantime the Senate is in a stalemate over 2 bills, neither of which can overcome the 60‐vote threshold:
• The Homeland Security Committee bill known as Lieberman‐Collins, which would give regulatory power to DHS; and,
• The GOP Alternative which essentially encompasses the 4 bills the House is considering during Cyber Week.
Senate Committee on Homeland Security & Governmental Affairs
Sector‐by‐Sector Cyber Risk Assessments
Designation of Covered Critical Infrastructure
Advisory Standards, Guidelines and Best Practices
Sector‐by‐Sector Risk‐Based Cybersecurity Performance Requirements
Voluntary Technical Assistance
Senate Committee on Homeland Security and Governmental Affairs
Senate Cybersecurity Act of 2012 ‐ S.2105
McCain disagreed, stating that if the “legislation before us today were enacted into law, unelected bureaucrats at the DHS could promulgate prescriptive regulations on American businesses, which own roughly 90% of critical cyber infrastructure," he said. "The regulations that would be created under this new authority would stymie job‐creation, blur the definition of private property rights and divert resources from actual cybersecurity to compliance with government mandates."
“Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act” (SECURE IT)
Information sharing between the government and private sector,
Federal Information Security Management Act (FISMA) Reform to protect government systems,
Criminal penalties for cyber crimes,
Research & development for cyber protection
Senate Cybersecurity Exercise
The Senate Cybersecurity Exercise lays out a hypothetical scenario of a cyber attack against the electric power grid of the United States. The attack focuses on the New York City area during a heat wave in the middle of summer. It is perpetrated by an unknown adversary to cause as much damage and disruption to the power grid as possible. This adversary is able to take advantage of vulnerabilities that exist in critical infrastructure systems today in order to cause a several day power outage for 9 million Americans. The scenario also walks through the US governmental response to such a crisis using the authorities that exist today. The exercise will highlight where new legislative authorities could help prevent and respond to cyber incidents of this type.
Senate Cybersecurity Exercise
While I think that could be a useful exercise, I find it stunning that DHS would set up a grid attack scenario and fail to include the grid’s primary regulators – our Electric Reliability Organization, called NERC, and the Federal Energy Regulatory Commission.
Sen. L. Murkowski
“Major” Legislation passed in 2012?
In the absence of legislation
We expect status quo for the next year, meantime…
Unlike other sectors, we already have mandatory and enforceable standards for cyber security.
Our members are self‐assessing their systems and working proactively
• With government: DOE Cyber Security Maturity Model;
• On an industry‐wide basis: a Threat Scenario Project with The Chertoff Group; and,
• Myriad other pilots and initiatives that put national security information in the hands of grid operators.
State Perspectives
Asked how states are dealing with cyber security at a House Energy and Commerce Hearing in October 2009, NY Public Service Commission Chairman Garry Brown responded:
“It’s a mixed bag.”
State Perspectives
Transmission versus Distribution
Cost versus Risk
Economic regulators
Deployment of the Smart Grid
Q&A
QUESTIONS?