
Smart Grid Interoperability Standards · 2018. 2. 13. · smart grid interoperability standards going forward. Panelists are encouraged to address: Changes that have been made in


Smart Grid Interoperability Standards

RM11-2-000 January 31, 2011

Agenda

1:00 – 1:05 p.m. Welcome and Opening Remarks by Commission Staff

Introduction

The Energy Independence and Security Act of 2007 (EISA) requires that, once the work of the National Institute of Standards and Technology (NIST) has led to sufficient consensus in the Commission’s judgment, the Commission shall institute a rulemaking proceeding to adopt such standards and protocols as may be necessary to insure smart grid functionality and interoperability in interstate transmission of electric power, and regional and wholesale electricity markets.1

To offer guidance regarding the development of smart grid standards, the Commission issued a Smart Grid Policy Statement in July 2009.2 This document, among other things, identified key priorities for standards development to consider cyber security, interoperability, and certain smart grid functions.3

In January 2010, NIST issued a Framework and Roadmap for Smart Grid Interoperability Standards, containing a list of standards identified as applicable to the smart grid. On October 6, 2010, NIST notified the Commission by letter that it had selected five families of standards as ready for consideration by regulators and posted summaries of those families of standards on its website.

1 EISA § 1305(d), Public Law No. 110-140, 121 Stat. 1492, 1788 (2007) (to be codified at 15 U.S.C. § 17385(d)).

2 Smart Grid Policy, 128 FERC ¶ 61,060 (2009).

3 Id. P 29, 40-45, 51-54, 61-62, 74-77, 81-82 and 90-91. The key functional areas included in the Smart Grid Policy Statement are wide-area situational awareness, demand response, electric storage, and electric transportation. Id. P 61-62, 74-77, 81-82 and 90-91.

The purpose of this conference is to obtain further information to aid the Commission’s determination of whether there is “sufficient consensus” that the five families of standards posted by NIST on October 6, 2010, are ready for Commission consideration, as directed by section 1305(d) of EISA.

1:05 – 1:20 p.m. Opening Remarks by George W. Arnold, National Coordinator for Smart Grid Interoperability, NIST

Panel 1

1:20 – 2:50 p.m. The Smart Grid Interoperability Standards Process for Reviewing and Selecting the First Five Families of Standards

The Commission seeks information on the NIST processes used to select the five families of standards posted by NIST on October 6, 2010, summaries of which are included in the record of this proceeding. Panelists are encouraged to address:

- The role of stakeholder4 participation in the NIST process for reviewing and selecting these five families of standards, including the extent of agreement achieved among the participating stakeholders.

- The diversity of stakeholder participation in the NIST process for reviewing and selecting these five families of standards, including the extent to which stakeholders with relevant expertise participated in that process.

In response to these subjects, panelists are encouraged to discuss topics that include, but are not limited to, the following:

- Time and resources devoted to the review of standards;

- Contribution of standards to increasing interoperability;

- The standards’ attention to cyber security concepts such as authentication, cryptography, integrity, and availability;

- Consideration of legacy system integration issues;

- The U.S. power industry’s familiarity with the five families of standards; and

- Lessons learned from industries within and outside the power sector.

4 The term “stakeholder” refers to the NIST identified list of 22 stakeholder categories as well as experts from other industries involved in smart grid standards identification, development, or implementation. See http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/SGIPCategories.

Panelists

Daniel Thanos, Chief Cyber Security Architect, GE Digital Energy
Darren Highfill, Founder, UtiliSec; Chair, Smart Grid (SG) Security Working Group, UCA International Users Group (UCAIug)
Gib Sorebo, Chief Cybersecurity Technologist and Assistant Vice President for Technology, Science Applications International Corporation (SAIC)
John Lucas, Transmission Policy and Services General Manager, Southern Company Transmission
Dr. Andrew Wright, Chief Technology Officer (CTO), N-Dimension Solutions, Inc.
Ed Beroset, Director of Technology and Standards, Elster Solutions, LLC
Frances Cleveland, President and Principal Consultant, Xanthus Consulting International

2:50 – 3:00 p.m. Break

Panel 2

3:00 – 4:30 p.m. The Smart Grid Interoperability Standards Development and Identification Process Going Forward

The Commission understands that the process for identifying smart grid standards at NIST has been and is likely to remain dynamic in nature. The Commission seeks information on the development and identification of smart grid interoperability standards going forward. Panelists are encouraged to address:

- Changes that have been made in the process for developing, reviewing, and identifying smart grid standards subsequent to the process used by NIST to select the five families of standards posted on October 6, 2010.

- How any revisions to NIST’s existing process to identify smart grid standards for regulatory consideration will provide for the sharing of information, transparency and the development of consensus.

- The role of the Smart Grid Interoperability Panel standing committees and permanent working groups5 in providing input into the standards development and identification process.

In response to these subjects, panelists are encouraged to discuss topics that include, but are not limited to, the following:

- Time and resources devoted to the review of standards;

- Contribution of standards to increasing interoperability;

- The standards’ attention to cyber security concepts such as authentication, cryptography, integrity, and availability;

- Consideration of legacy system integration issues;

- The U.S. power industry’s familiarity with the identified standards; and

- Lessons learned from industries within and outside the power sector.

Panelists

Michael (Mike) Assante, CEO, National Board of Information Security Examiners (NBISE)
Ron Ambrosio, Global Research Leader, Energy and Utilities, Industries STSM, IBM Research
Dr. Nate Kube, Co-founder and Chief Technology Officer, Wurldtech
Wayne R. Longcore, Director of Enterprise Architecture and Standards, Consumers Energy
Andy Bochman, Energy Security Lead, IBM
Paul De Martini, Chief Technology Officer and Vice President of Smart Grid Strategy, Cisco Systems

4:30 – 5:00 p.m. Wrap-Up FERC Staff, with George Arnold, National Institute of Standards and Technology, and Previous Speakers

5 These include the Smart Grid Architecture Committee, Smart Grid Testing and Certification Committee, and the Cyber Security Working Group.


Opening Remarks by George W. Arnold, National Coordinator for Smart Grid Interoperability

National Institute of Standards and Technology

Federal Energy Regulatory Commission Technical Conference on Smart Grid Interoperability Standards

January 31, 2011

Introduction

Chairman Wellinghoff, Commissioners and staff, I would like to thank the Commission for organizing this conference and giving me the opportunity to describe NIST’s and our partners’ efforts to develop standards for an interoperable smart grid. To provide context for today’s discussion I would like to briefly review:

1. The overall process used by NIST in coordinating the development of the smart grid interoperability framework, and how the process is evolving,

2. How the five IEC standards fit within that process, and

3. Discuss the terms “consensus” and “adoption” and their relation to EISA.

The NIST process

Congress, the Administration, and industry executives have repeatedly stressed the urgent need to establish protocols and standards for the smart grid. Achieving EISA’s vision of a smart grid in which the electric grid, smart appliances, electric vehicles, distributed renewables and other elements can interwork cannot be accomplished without moving away from the legacy proprietary, customized systems that characterize today’s system to a framework based on open, interoperable standards. Without standards, there is the potential for technologies now being implemented with sizable public and private investments to become prematurely obsolete or be implemented without adequate security. The urgency became even more pronounced with the announcement of plans to use American Recovery and Reinvestment Act (ARRA) funding to invest in smart grid deployments. Recognizing the urgency, in April 2009, NIST announced a three-phase plan to carry out its EISA responsibilities.i In May 2009, U.S. Secretary of Commerce Gary Locke and U.S. Secretary of Energy Steven Chu convened a meeting of nearly 70 top executives from the power, information technology, and other industries. The executives expressed their organizations’ commitment to support the process established by NIST.ii The process had three phases:


Phase 1, which took place from April 2009 to January 2010, engaged stakeholders in a participatory public process to identify applicable standards and requirements, gaps in currently available standards, and priorities for additional standardization activities.

Phase 2, which began in November 2009 and is ongoing, established a public/private partnership called the Smart Grid Interoperability Panel (SGIP) to continue development of interoperability standards and drive longer-term progress.iii

Phase 3, which is also ongoing, is developing a testing and certification framework for the smart grid standards.

The NIST Release 1.0 Framework, published in January 2010, was the output of Phase 1. This document describes a high-level reference model, and identifies 25 protocols and standards that are relevant and important to support interoperability of the smart grid. An additional 50 standards were identified for future consideration. The five IEC standards which are the subject of today’s conference were among the 25 standards. This document was drafted through an open public process that engaged the broad spectrum of Smart Grid stakeholder communities and the general public. Input was provided through three public workshops, in April, May and August 2009, in which more than 1500 individuals representing hundreds of companies participated.iv In June 2009 an initial list of 16 standards was published, which included the five IEC standards.v

NIST employed two additional means to seek broader stakeholder input. Public comments were sought on the listed standards through three separate federal register notices, on June 9vi, June 30vii, and October 9, 2009.viii NIST is also using a web-based collaboration site (called a wiki) on which all information developed through this process is publicly available and anyone can post comments. All comments received on the standards were considered and addressed in finalizing the NIST Release 1 Framework. The initial list of 16 standards was expanded to 25 on the basis of the comments received throughout the process. During the nine months in which comments were sought through the federal register notices and the wiki, the preponderance of comments on the standards was positive and no comments were received proposing deletion of any of the 25 standards identified in the NIST Release 1 Framework.

The development of standards is an ongoing process. All standards undergo periodic revision to correct shortcomings, address new requirements, and incorporate new technologies. During Phase 1, gaps in the identified standards were noted as well as the need to develop additional standards. Sixteen Priority Action Plans were established to coordinate development of revisions to the identified standards and accelerate the development of needed new standards.


To provide a more institutionalized process for the ongoing evolution of the standards and create a testing and certification framework, NIST established the Smart Grid Interoperability Panel. The panel’s formation marked the beginning of Phase 2 of the NIST process and it has been in operation for a little over a year. During its first year of operation the SGIP has focused its effort on establishing processes and procedures for its work; overseeing and expediting the completion of the Priority Action Plans established in the NIST Release 1 Framework; creating additional action plans as needed; developing the Cyber Security Guidelines for the Smart Grid including a methodology for reviewing the cyber security aspects of standards; and developing a testing and certification framework.

The SGIP is also developing a process to maintain a Catalog of Standards that will contain descriptive information about the smart grid standards that will be helpful to regulators and the broader smart grid community. The process for developing and maintaining this catalog is still under development within the SGIP, and it is expected to be finalized by March.

There are many standards needed for the smart grid and they are in varying stages of maturity. Some have been in existence for years and are already realized in products that are being used by industry; others are more recent and are appearing in products but not yet widely deployed; and yet others are still in draft form and will be used in future products when they are finalized. Some standards have well-established testing and certification programs; others do not and these have yet to be developed. Some standards have reference implementations that can aid implementers in ensuring interoperability.

It is important for all stakeholders in the process to understand the applicability of each standard, where it is in its lifecycle, limitations and issues with its use, the availability of testing programs and tools to support implementation, and any intellectual property issues that may affect its use. The SGIP’s vision for its catalog is not merely to list standards, but to provide descriptive information that will provide a more complete understanding of these and other attributes of the standards. It will provide factual information, vetted through a consensus process, that will be helpful to the smart grid community, including FERC and other regulators. The SGIP catalog of standards will be an important element of the NIST process going forward, when it is in place.

Another critical aspect of the ongoing process is cyber security. The SGIP process requires each of the standards in the NIST Release 1 Framework to be assessed by the SGIP Cyber Security Working Group, using criteria described in the NISTIR 7628, Cyber Security Guidelines for the Smart Grid. CSWG assessments of the five IEC standards had been completed when we posted them in October and recommended updates to the standards were documented in the assessments. Since October, assessments of 7 additional standards have been completed. The cyber security assessment process will evolve as we obtain feedback on the standards we have reviewed; understand the boundaries or cyber security scope that the review must be based on; document and take into consideration the implementation assumptions; and broaden the base of cyber security experts willing to volunteer to assist in these assessments.

I would like to make one additional comment about the SGIP process, in relation to the representation of various stakeholder categories. In designing the SGIP, NIST has sought to ensure broad representation by all categories of stakeholders in the smart grid community, under a governance structure that ensures appropriate balance of interests. Ensuring balance is critical, and NIST regards its neutral role as critical to achieving this. A fundamental difference between the smart grid and the legacy grid is that the smart grid involves two-way interaction and information exchange between the utility systems and systems and devices on the customer side of the meter. Thus the smart grid impacts everyone – the various categories of electric utilities, grid suppliers from many different industries, consumers both residential and industrial, the electric vehicle industry, appliance manufacturers and building automation providers to name a few. In designing the SGIP Governance structure, NIST listened carefully to the views of the electric utility industry that its critical mission required that it should play a superordinate role in decision-making in the SGIP. NIST also heard the views of other industrial sectors, including the electrical equipment manufacturers, information technology industry, communications equipment and service providers, appliance manufacturers, building automation suppliers, electric vehicle manufacturers and others, that their sectors needed greater influence in the process and that the utilities lacked necessary expertise that their sectors brought to the table.
NIST designed a governance structure in which seven different sectors of the electric utility industry (IOUs, municipals, rural cooperatives, transmission operators, independent power producers, energy traders, and renewable generation providers) each had an individual seat on the governing board, as well as the opportunity to run candidates for the three at-large seats on the board. This gives the electric utility industry a minimum of 7 and potentially as many as 10 seats on the 25-person governing board. We continue to hear concerns from the electric utility industry that they are underrepresented on the governing board, as well as concerns by the other sectors that the governing board is dominated by the utilities. This is probably an indication that we have struck a reasonable balance. The SGIP Governing Board has established well-defined mechanisms to introduce improvements to the structure and processes of the SGIP as it gains experience. Continuing improvement is an essential part of the process and suggestions from stakeholders are critical to our progress.

The Five Standards

The development and adoption of standards for the Smart Grid is a daunting undertaking and nothing like this has ever been done before. There are no relevant historical parallels and no “cookbook” on which NIST and FERC can draw to tell us how to implement the respective responsibilities that Congress assigned our agencies. Few, if any, interoperability standards have ever been adopted in regulation for national infrastructures such as the legacy electric grid, the telecommunications system, or the internet. Considering the adoption of smart grid standards will involve significant and complex policy questions. Since deployment of smart grid technologies is already underway with significant investment of public funds, it is urgent to begin consideration of these policy questions now. NIST’s intent in identifying the five standards as ready for consideration was to allow FERC to begin the process of considering how to move from the development of smart grid standards into adoption through the regulatory process, as directed by EISA.

A practical issue that FERC faces is that the development of standards for the smart grid will be an ongoing process spanning many years and eventually result in hundreds of standards. How should FERC deal with this? The five IEC standards provide a good starting point to understand the complex issues involved. NIST picked these particular standards because they are important to interoperability, are mature, had strong consensus for inclusion in the NIST Framework, are being used in deployments either in whole or in their constituent parts, and had undergone a cyber security assessment by the CSWG. As I explained in my presentation at the November technical conference, interoperability in the smart grid requires a “common language” of data models and identifiers to enable communication across systems and applications, and these standards play an important, although not exclusive role, in filling this need.

I refer to the presentation made by George Bjelovuk, Secretary of the SGIP and an executive at American Electric Power, at the November technical conference, in which he stated: “AEP selected the well-established IEC standards as the basis for many of its system deployments - NIST’s selection of five IEC standards are among the most mature in the industry.” There are two other suites of standards (DNP3 and Multispeak) included in the NIST Release 1 Framework that provide alternatives to some of the functionality in the five IEC standards and are widely used. DNP3 is a legacy standard that is widely deployed and will continue to be supported. Multispeak is a simpler standard better suited to the needs of the rural cooperatives. The NIST Framework allows these standards to coexist, serving different marketplace needs, and established Priority Action Plans to develop mappings between the standards so they can interoperate. NIST did not include DNP3 and Multispeak in the initial set of standards for FERC consideration because the CSWG had not yet done cyber security assessments on these standards. These assessments are scheduled.

Consensus, Adoption and Relation to EISA

EISA directed NIST to “coordinate the development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems, soliciting input and cooperation from private entities” and other stakeholders. EISA further directs FERC to “institute a rulemaking to adopt such standards and protocols as may be necessary to insure smart-grid functionality and interoperability” at any time after NIST’s work has led to “sufficient consensus” in the Commission’s judgment.

Consensus in NIST’s work needs to be determined at two levels: consensus on what standards should be included in the NIST framework, and consensus on the technical content of individual standards. Consensus about the standards that should be included in the Release 1 NIST framework (because they are relevant and important to achieving smart grid interoperability) was clearly established through the process I described earlier. The ongoing work of the SGIP will establish consensus on additional standards to be added to future releases of the framework. Consensus on the technical content of the individual standards in the framework is determined by the standard development organization that produces them. NIST requires that all standards included in the NIST Framework be produced by SDOs with a robust consensus process, consistent with the principles of OMB Circular A-119 and the National Technology Transfer and Advancement Act (P.L. 104-113). This does not mean that the standards are perfect – all standards can be improved. That is why standards undergo periodic revision. The SGIP processes have been established to provide requirements to the ongoing evolution of the standards.

A more difficult question to answer is whether the Commission should adopt some of these standards because their adoption “may be necessary to insure smart grid functionality and interoperability.” The consensus standards process cannot answer this question – only the Commission’s process can. Although this question is not the subject for today’s conference, it is really the question everyone has in mind and is difficult to separate from the subjects we will be discussing today. Industry has legitimate concerns that if standards are adopted in regulation, the resulting regulation may not allow enough flexibility in applying the standards to accommodate legacy equipment, timeframes for transition and other important considerations, and this may have costly unintended consequences. In general, industry has a strong preference not to see standards adopted in regulation. This concern will naturally motivate many industry participants to cite various reasons why FERC should not consider adopting these or other standards, even though these participants participated in and supported the NIST-coordinated process and already use these standards on a voluntary basis.


United States standards policy and practice generally acknowledge and reflect this industry concern.  In the US, the vast majority of standards are accepted by the market on a purely voluntary basis without any regulatory action or consideration.  However, standards are sometimes adopted through regulation when policy makers decide this is necessary to accomplish some policy objective, for example safety, security, or promotion of competition.   The provision in EISA that directs FERC to consider adoption of smart grid standards clearly indicates that Congress believed that implementation of smart grid standards might not occur if left entirely to the market and therefore might need some regulatory support.  This reflects a very significant policy choice for the smart grid, because if we look at other infrastructures such as the telephone system or the internet there are few if any interoperability standards that have been adopted in regulation.  What is different about the smart grid?  For one thing, the electric grid has a tradition of using many proprietary customized systems, and there has never been a need for information systems on the utility side of the meter to interact with systems and devices on the customer side of the meter.  Implementing the smart grid requires a movement away from proprietary systems to interoperable systems based on open standards.  Cyber security considerations also mean that the grid needs to move away from past practice of “security by obscurity” to systems incorporating best current practices in cyber security.  With 3200 electric utilities, and hundreds of suppliers from industries that have never before had to work together, provisions in EISA reflect a desire by policy makers that this transition take place in a timely manner, which may not happen if left entirely to market choice, and that regulation might need to play a role in making it happen.   
In considering whether it is necessary to adopt standards for the smart grid, it will be important for the Commission to keep in view this overarching policy issue and not become bogged down in the weeds. An important question the Commission should seek to understand is whether the smart grid standards will be adopted by industry in a timely way, or whether it is necessary for the Commission to use its regulatory authority to encourage their use. The Commission has clearly stated on a number of occasions that it does not believe EISA gives it the authority to mandate or enforce smart grid standards, so I infer that the Commission’s intent is not to micromanage decisions best left to industry or to enforce compliance with individual standards. I infer that the Commission’s goal is to provide forward-looking guidance to insure realization of smart grid functionality and interoperability as envisioned in EISA.

A procedural question the Commission must decide is whether to do rulemaking on individual smart grid standards or families of standards, as it does today with NERC and NAESB standards. This may not be the right approach for the smart grid. By the time the Commission adopts rules on the many individual standards in the NIST Framework, which could take years, significant investments in grid modernization will already have occurred, and there is the danger that a lot of investment will continue to be made in proprietary systems that do not support smart grid interoperability.

I recommend that the Commission consider taking a different approach that focuses on the question of whether regulatory adoption is needed to insure use of the standards by industry to achieve smart grid interoperability. For example, the Commission might request information on industry’s roadmaps and plans for implementation of the standards in the NIST framework. Based on the information received, the Commission could ascertain whether industry use of the standards will naturally occur in a timely way, or whether regulatory adoption and encouragement is needed. The Commission might consider adopting the interoperability standards at a more “macro” level and adopt policies that provide motivations for their use. If encouragement is needed, it must be provided soon if it is to influence the significant investments in grid modernization that will occur over the next several years.

Thank you for the opportunity to provide opening remarks for this conference and I look forward to the discussion.

i http://www.nist.gov/smartgrid/smartgrid_041309.cfm
ii http://www.commerce.gov/news/press-releases/2009/05/18/locke-chu-announce-significant-steps-smart-grid-development
iii http://www.nist.gov/public_affairs/releases/smartgrid_111909.cfm
iv http://www.nist.gov/smartgrid/smartgrid_wksp_072409.cfm
v http://edocket.access.gpo.gov/2009/E9-13514.htm
vi http://edocket.access.gpo.gov/2009/E9-13514.htm
vii http://edocket.access.gpo.gov/2009/E9-15467.htm
viii http://edocket.access.gpo.gov/2009/E9-24429.htm


PREPARED STATEMENT OF DANIEL THANOS

CHIEF CYBER SECURITY ARCHITECT OF GENERAL ELECTRIC DIGITAL ENERGY.

BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION

Technical Conference on

SMART GRID INTEROPERABILITY STANDARDS

January 31, 2011


I want to start by thanking Chairman Wellinghoff, Commissioners, officials, and all of the staff involved for the opportunity to speak at the technical conference for smart grid interoperability standards and for putting the technology in place to allow it to happen. I would also like to thank the SGIP governing board, NIST CSWG, and GE for allowing me to dedicate considerable amounts of time to this and other important efforts. Most of all I would like to thank my wife Isel; she allows me to donate large amounts of our personal time because she believes in me and in this work that I see as my mission. As my video is coming to you live over the Internet, whose performance we do not control, I ask your patience if there are any temporary losses of image; my audio will continue over the teleconference bridge. The views and opinions that I will communicate are my own; they do not necessarily represent those of my organization.

It has been a real honor and privilege to work with people across many different private and public sector organizations with a diversity of technical and professional backgrounds in the process of helping form the NISTIR 7628 Guidelines for Smart Grid Cyber Security. I feel fortunate to have learned from my work in the various CSWG subgroups as much as I have contributed. The voluntary work that went into developing the NISTIR, for the scope of systems and rapid time frames involved, has been monumental. It has been a true testament to the hard work and expertise of the whole CSWG volunteer core and the leadership of the group, and I believe it is a model for how innovative public-private initiatives should work. It is that hard and innovative work I am here to represent and preserve for the good of the public and broader industry. In that spirit I also wish to make sure that the good standing and reputation of all stakeholders involved is continued, and that is the basis of any critical analysis I have to offer in the standards review process.

I would also like to state that I have a high regard for the entire panel, and I have immensely enjoyed working with all of them. I am sure everyone has had a chance to read the panelist biographies and realize there is an excellent depth of knowledge and expertise that will be heard from; I am just a small part of that. Thus I will not dedicate much time to my background beyond giving a context of my involvement in the NIST effort and the industry. I helped co-lead the following NIST CSWG subgroups: BU technical analysis, R&D, and Cryptography and Key Management. I also contributed to many of the other subgroups. I am involved in IEEE, OpenSG, NERC, DHS, and IEC working groups engaged in developing security best practices/guidance and standards. I continue to be very engaged in the CSWG, where I co-lead (with Annabelle Lee) the newly formed Design Principles Group that will work to show how to apply the NISTIR at a practical and technical level. In my role for GE I am deeply involved in researching, designing, and developing security hardware and software technologies for a broad range of automation and communication systems and devices. My perspective comes from someone who has to build the technology and ensure it can be reliably operated by a very large and globally distributed customer base in Smart Grid and other critical infrastructure industries. Thus I understand very well the need to make principled and sound decisions at this critical juncture. I also equally understand that, for the sake of continuing to increase security and reliability in the Smart Grid, we must be solution focused in how we move forward with accepting the standards in question. I am here to try to offer a balanced view and be part of the process of solving the problems that need to be solved to keep industry momentum moving forward.


The NIST standards review process was taken up by very dedicated and hardworking volunteers, whom we should all thank, as they were asked to perform considerable amounts of work under aggressive timelines. My views are in no way meant to detract from their dedication and work. However, I do have concerns with declaring the review work that has been completed thus far as final and sufficient to garner total acceptance of the standards under consideration. This work was a start, and it has identified issues that simply need to be addressed, as acceptance without a solution for correction would cause confusion and hamper the trust and reputation that has been vested in all the organizations involved. This is because there are fundamental security errors in the standards and confused concepts when trying to give informational backgrounds for various security terms and technologies. There is also a need for an update to the standards to reflect the work of the NISTIR, with special attention to the cryptography requirements. Time does not allow me to make this a forum to discuss each issue, nor is that needed, as all parties involved are aware of them; you can find some in the NIST standards review reports, and I touched on them in my presentation at the last FERC technical conference. As I discussed in the previous FERC technical conference on the adoption of these standards, there is a need for a broader and more open analysis of the standards in question, especially by members of the security community. Also, the underlying process and criteria that reviews are done under need to be improved and more formalized to allow for less interpretation and stricter evaluation against the NISTIR itself. I also believe there needs to be a better functional and system context by which these standards are evaluated. To this end, there continues to be some debate and evolution of the criteria that are used to evaluate the standards.

While this is good and we are all trying to learn in this process, it is clear that, because the criteria have not been finalized and broadly accepted, we need to address this before standards can be deemed to meet the needed requirements. I hope this conference provides valuable input for the purpose of developing those criteria. Lastly, standards have normative references to other standards, which in turn may reference other normative standards; it is not clear in how much detail these references have been reviewed, if at all, yet they may also be accepted in the process. That should cause us some pause, while we also make sure that referenced standards are indeed the best and most current ones to use. There are instances where this is not the case, and this also needs to be addressed. What is important to emphasize and work on now is the fact that none of these mentioned problems are intractable or without a straightforward solution. We only need the will and leadership to get it done. Depending on what solution path is taken, there might be a relatively expedient resolution. To that end, what I recommend for the acceptance of the current IEC standards is the development of a correcting and overriding security addendum that must be adopted along with the standards. I believe this would address all concerns. The addendum would correct all errors, reference the most current and secure standards, and provide any needed modifications to meet NISTIR requirements. The addendum should be developed under an open process and ensure review by all needed technical experts. Alternatively, we could require the standards development groups to revise the standards per the addendum before they are accepted, but this may be a considerably longer process. In parallel to addendum development, the standards review process needs to improve and introduce more phases and rigor so as to give better assurance of clarity, consistency, and broad acceptance.
I look forward to discussing these and other topics with the panel.


Statement of Darren Reece Highfill

Founder, UtiliSec

Before the United States of America Federal Energy Regulatory Commission

Technical Conference on Smart Grid Interoperability Standards

January 31, 2011


Good afternoon, Chairman Wellinghoff, Commissioners, and staff of the Federal Energy Regulatory Commission. I would like to thank all of you for this opportunity to speak to the issue of smart grid standards recommended by the National Institute of Standards and Technology (NIST) for consideration in a rulemaking. My name is Darren Highfill, and while my personal clientele includes investor-owned utilities and the U.S. Department of Energy, I am here today as an independent consultant serving in several industry roles relevant to smart grid standards. Specifically, I am the Chair of the Smart Grid Security Working Group within the Utility Communications Architecture International Users Group (UCAIug), a member of International Electrotechnical Commission Technical Committee 57 Working Group 15 (IEC TC57 WG15 – the group responsible for IEC 62351), and an active participant and subgroup lead in the NIST Smart Grid Interoperability Panel (SGIP) Cyber Security Working Group (CSWG). Today I will speak to two primary issues: the process for achieving consensus on the five IEC standards recommended to FERC by NIST, and considerations for implementation of technical standards through regulation.

Since the passage of the Energy Independence and Security Act of 2007 (EISA 2007), NIST has spared no effort in its coordination of building an interoperability framework for the smart grid. The last three years have witnessed a monumental push by the entire industry to accelerate this work. NIST should be given credit for achieving some remarkable accomplishments while undertaking a broadly-defined task of enormous scope and complexity. Under NIST’s leadership we have created a conceptual model with which to frame our industry, established a forum for all stakeholders to discuss and resolve issues, and instituted a central clearing house for publishing smart grid information. However our processes were not wholly and perfectly conceived at the outset, and thus have changed as we have learned. We must continue to learn as we move forward, and therefore would benefit from consideration of some specific items in the evolution of these processes.

While NIST has established a process that includes checks and balances, we must still consider and refine the weighting of the stakeholder representation model in light of the impact upon specific stakeholder groups as well as the overall industry. Currently the SGIP is structured such that someone who decides to open a one-person business has the same vote as a utility that is responsible for safely, reliably, and cost effectively serving millions of customers. This person may have no background or understanding of the industry and no investment in the process beyond registration with the SGIP, yet it is this very process that will most directly determine the future of our utility’s systems. The entrepreneur plays an important role in this ecosystem, but we must also recognize the importance of wisdom, experience, responsibility, and accountability. Our process for achieving consensus needs to align with what is at stake for industry and society, and it will require our collective effort, focus, and time to get it right.

Unfortunately time is not an asset this industry has been offered. While placing a national priority on the smart grid sounded good to me as a technologist, it has also created a political environment with extreme pressures and forced leaders to weigh expedition against technical integrity. Make no mistake that the realities of strong political pressure take a toll on development, understanding, and execution of complicated technical processes – and the smart grid is nothing if not complicated. The process used to achieve consensus on the five IEC standards was sincere, however it was also informal and to some degree affected by the pressures to start producing answers to our interoperability standards questions. As a result, we sacrificed understanding within the industry about the process that was used and what its implications would be as we sit here today.

The formal consensus-building process we have in place today called the Smart Grid Interoperability Panel is a relatively recent development, while the process of selecting standards for recommendation to FERC was one of our first priorities and activities that began many months before the establishment of the SGIP. In short, we built the process we need to use for establishing consensus in parallel to selecting an initial group of standards for recommendation in the interest of saving time. However this same time-saving reaped from running efforts in parallel has also cost us in our ability to make claims in regards to the adequacy of consensus. Regardless, the process of designating consensus for these standards was not the same process as is used today, and even today’s process may need more rigor and sophistication if it is to support the weight of regulatory rulemaking.

Fortunately for the standards under consideration, the IEC process is one of the most technically sound and mature for developing standards relevant to the electric power industry. With this maturity comes stability - an attribute that, when coupled with technical integrity, allows technology to develop to the point of providing a rich ecosystem of available solutions. However maturity and stability also come at some expense of agility, and today's cyber security realm moves quickly. This discrepancy requires specific attention when considered in the context of regulatory enforcement.

In particular, some of the cipher suites specified in IEC 62351 need to be updated to reflect recent changes in the cyber security landscape. Cyber security research tends to operate like age and use on a rigid structure: fissures (or failures) tend to appear without warning and go to unpredictable depths. A cipher suite may go for decades without any significant attack, then suddenly encounter an assault that immediately compromises its use - sometimes partially and sometimes fully. This characteristic fundamentally distinguishes cyber security requirements from business requirements. Therefore, any reference to cyber security standards must provide a means to accommodate change and transition. This is an area where we cannot be too prescriptive, and must allow standards to evolve with advancements in technology.

This need to allow for evolution and advancement takes on special meaning in the environment of utility operations. The utility's fiduciary responsibility to ratepayers, commissioners, and sometimes shareholders dictates that decisions are considered very carefully and frequently drives technology to long deployment lifecycles. Utilities must develop strategies that allow for ongoing change in security technology and provide means to address legacy equipment concerns. Binding utilities to a frozen snapshot of an evolving standard will ultimately hobble innovation and force systems to expose vulnerabilities. We do not want to compromise tomorrow in our haste to find a solution today.

Today and for tomorrow, the industry needs a publicly visible process that delineates each step along the way from nomination of a standard to rulemaking. If we are to understand the implications of our decisions at each step along the way, we must be able to trace the lines out through the end and back around to the beginning. The processes established in the SGIP represent a worthwhile first attempt to address a slice of this cycle. These processes need refinement, and even more importantly, we need to understand what happens after the SGIP.

In light of the questions raised by FERC for this conference, we would do well to consider the meaning of the terms “consensus” and “adoption” in this environment. Specifically, we need to ask the question, “consensus to what end?” The five IEC standards recommended by NIST are extremely detailed, highly prescriptive technical specifications, down to the point of directing which bytes go where in electronic packets on the wire. What are the implications of mandating this level of prescription through rulemaking? What happens when we mandate a standard that seems adequate today but turns out to need an immediate update tomorrow? How do we use regulation to protect the safety and security of customers against a rapidly moving adversary in a constantly changing landscape? Who owns the process for updating a standard?

I recommend the Commission carefully consider these questions prior to making any decision about implementation of the five IEC standards recommended by NIST. We need engagement between those that understand technical law and those familiar with the implementation of such standards in the real world. We need a transparently defined process that illustrates how detailed, implementation-specific standards can be updated within the context of regulation. I further recommend the Commission work with NIST and industry to produce a detailed lifecycle depicting the process for industry engagement, achieving consensus, relevant rulemaking, and subsequent assessment.

In summary, the five IEC standards recommended to FERC by NIST are helpful and powerful in their own right, but potentially dangerous tools in the context of regulation if not implemented properly. We must address concerns regarding the procedure for arriving at consensus to ensure we maintain industry and consumer confidence, and be exceptionally mindful to allow for resolution of technical standards issues essential to maintaining the long-term operational integrity of regulated utilities. Both the industry and the standards must invest the time and effort to come together on technical issues, cultivate fair and transparent processes, converge on appropriate use and implementation, and find a way to evolve and change together.

Respectfully submitted,

Darren Reece Highfill
Founder, UtiliSec
113 Greywood Place
Oak Ridge, TN 37830
(865) 806-8675
[email protected]
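The point made in the statement above about cipher suites and the need to "accommodate change and transition" is easiest to see in code. The following is an added example, not part of Mr. Highfill's statement and not taken from IEC 62351 or any utility's configuration: a small policy engine in which every cipher suite carries a sunset date, so that a device pair negotiates the strongest suite that is still approved on the day of the connection, and a legacy device can be reported as "still able to negotiate" or "stranded" before its last approved suite expires. The suite names are real IANA TLS identifiers; the sunset dates and the two device inventories are constructed for illustration only.

```python
"""Date-aware cipher-suite policy: negotiate only what is still approved.

Added illustration. The suite identifiers are real IANA TLS names, but the
sunset dates and the device inventories below are invented for this example
and are NOT the profile of IEC 62351 or any other standard.
"""
from datetime import date

# Hypothetical policy: suite -> last date on which it may be negotiated
# (None = approved with no sunset date yet).  Listed strongest-first; the
# dict's insertion order doubles as the preference order.
POLICY = {
    "TLS_AES_256_GCM_SHA384": None,
    "TLS_AES_128_GCM_SHA256": None,
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": None,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": date(2012, 12, 31),
    "TLS_RSA_WITH_AES_128_CBC_SHA": date(2011, 12, 31),
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": date(2010, 6, 30),
    "TLS_RSA_WITH_RC4_128_SHA": date(2009, 12, 31),
}
PREFERENCE = list(POLICY)

# Constructed inventories: an older field device and a newer gateway.
LEGACY_RTU = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
MODERN_GATEWAY = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def suite_status(suite, today):
    """Classify a suite as approved, deprecated (past sunset) or unknown."""
    if suite not in POLICY:
        return "unknown"          # never listed: fail closed, do not negotiate
    sunset = POLICY[suite]
    if sunset is None or today <= sunset:
        return "approved"
    return "deprecated"


def select_suite(client_offer, server_support, today):
    """Pick the most preferred suite both sides support that is still approved.

    Returns None when the only common suites are deprecated or unknown, so the
    caller can refuse the connection instead of silently downgrading.
    """
    common = set(client_offer) & set(server_support)
    for suite in PREFERENCE:
        if suite in common and suite_status(suite, today) == "approved":
            return suite
    return None


def transition_report(device_suites, today):
    """Group a device's suites by status and flag whether it can still connect.

    Run this against each fleet inventory before a sunset date passes; a device
    with can_negotiate == False needs a firmware update or a migration plan.
    """
    report = {"approved": [], "deprecated": [], "unknown": []}
    for suite in device_suites:
        report[suite_status(suite, today)].append(suite)
    report["can_negotiate"] = bool(report["approved"])
    return report


if __name__ == "__main__":
    for day in (date(2011, 1, 31), date(2013, 1, 1)):
        print(day, "legacy<->gateway:", select_suite(LEGACY_RTU, MODERN_GATEWAY, day))
        print(day, "legacy report:", transition_report(LEGACY_RTU, day))
```

Run on the conference date the legacy device still negotiates TLS_RSA_WITH_AES_128_CBC_SHA (approved under this invented policy until the end of 2011); run on a later date the same pair gets no suite at all, which is the outcome a frozen snapshot of a standard would otherwise hide until an attacker found it. The point is that the policy table, not the device firmware or the regulation that references it, is the thing that changes.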


FERC TECHNICAL CONFERENCE
The Smart Grid Interoperability Standards Process for Reviewing and Selecting the First Five Families of Standards

COMMENTS BY GIB SOREBO, CHIEF CYBERSECURITY TECHNOLOGIST, SCIENCE APPLICATIONS INTERNATIONAL CORPORATION (SAIC)

Introduction

I am pleased to provide FERC with written comments associated with my participation on a panel addressing the process of reviewing and selecting the First Five Families of Standards. Before I begin, I want to state that my comments are directed at cybersecurity and I am deferring to others on the interoperability details. However, I did want to address the wisdom of FERC endorsing standards of this nature from both an interoperability and cybersecurity perspective. To me, FERC’s first priority should be to provide overarching guidance to ensure that utilities are implementing a comprehensive program that addresses interoperability and cybersecurity in all aspects of their smart grid projects. This was the intention of the guidance the Department of Energy mandated as part of the Smart Grid Grant program. Utilities had to provide a Cyber Security Plan as well as describe how interoperability goals would be met. Documents like NIST Interagency Report 7628, while still in draft form, are probably the best model for providing initial guidance. When combined with regulations like NERC CIP, utilities have good direction even if some of the details need to be addressed later.

Challenges with Endorsing These Standards

Moving forward with the Five Families of Standards would unnecessarily confuse utilities. I already have had customers ask whether they need to talk about how they comply with IEC 62351 in their Cyber Security Plans. Such an issue is far too granular to be discussed in the document. I would strongly urge the commission to provide more comprehensive guidance. In my opinion, all parts of a utility should comply with NERC CIP1 at some level. That control framework is largely consistent with security best practices across multiple industries. And while technical feasibility exceptions will be needed, the growing sophistication of smart grid technology means that smart grid components effectively address NERC CIP requirements right out of the box.

As I noted, the Five Families of Standards are not appropriate as broad-based guidance for cybersecurity. In fact, only one, IEC 62351, devotes a significant amount of attention to cybersecurity. Rather than recommend these standards at face value, I would suggest that they be treated as procurement guidance. For example, NIST2 could develop a smart grid procurement guide addressing interoperability and cybersecurity issues that would map recommended requirements for particular applications (e.g., control center to control center communication, substation automation, distribution management systems, energy management systems) to specific standards for different parts of an infrastructure. Such a document would be easier for vendors, utility procurement officials, managers, and

1 CIP – Critical Infrastructure Protection
2 NIST – National Institute of Science and Technology


engineers alike to refer to as needed. The “Smart Grid Interoperability Panel – Cyber Security Working Group Standards Review Phase 1 Report (October 7, 2010)” is written at a highly technical level that is hard to follow. Utilities need guidance and not exhaustive analysis of an abstract standard. As it stands now, a FERC decision to endorse these standards would leave many utilities with no choice but to purchase the standards to determine where they apply and where gaps need to be addressed. Asking them to spend thousands of dollars to purchase standards that may not even be relevant to what they’re doing is likely to lead to more confusion and frustration. While these standards are potentially useful, the commission needs to ensure that the guidance is targeted and includes easy-to-understand explanations that describe how the standards are to be used and for what purpose. The current NIST document does not do that.

The Standards Evaluation and Endorsement Process

My involvement with the standards subgroup that evaluated these standards was limited. While I was technically a member of the subgroup, other commitments prevented me from devoting much time. Consequently, I am relying on the documentation generated through e-mails, minutes, spreadsheets, and reports to assess the overall process. I would first like to acknowledge the dedication of the active members of the subgroup. They devoted significant time and energy to this activity voluntarily and should be commended for their efforts. However, my concern is that the process followed is inconsistent with what FERC is considering here. Specifically, the process did not define evaluation criteria to determine whether cybersecurity is sufficient for the standards. Instead, the report and prior discussions focused on identifying areas where cybersecurity is addressed and where gaps are found.

This is a very useful exercise, but it does not provide sufficient information for FERC to endorse or recommend these standards from a cybersecurity perspective. While it may be true that these standards are important for implementation of the smart grid, and some, such as IEC 60870-6, have already been in use for decades, it seems a bit random to pluck out five standards and declare them ready for deployment. While I may not be privy to all the discussions involved in this selection process, it is less than clear that evidence supports a formal FERC endorsement. Moreover, I question the value of FERC getting involved in endorsing these specific standards. Even though the endorsement would not constitute a requirement that utilities or vendors adopt these standards, other regulatory bodies may seek to make these voluntary standards mandatory. That creates other challenges such as the lack of sufficient audit criteria to verify compliance with the standards as well as any guidance on what extensions to these standards may be permitted. As threats change, it is important that product vendors keep cybersecurity features current. The application of mandatory standards could slow that process down.

Conclusion

For the above reasons, I recommend that FERC not take any action on these standards but instead emphasize its longstanding support for interoperability and cybersecurity for both


standards and their eventual implementation. FERC should further emphasize the importance of NERC CIP to cybersecurity for the electric grid, including smart grid applications, and should encourage all utilities to adhere to its requirements to the greatest extent possible. Additionally, FERC should encourage NIST to continue its critique of the various smart grid standards to promote cybersecurity and interoperability but should refrain from endorsing specific standards absent a compelling need to do so.


UNITED STATES OF AMERICA BEFORE THE

FEDERAL ENERGY REGULATORY COMMISSION

Smart Grid Interoperability Standards ) Docket No. RM11-2-000

_______________________________________________

PREPARED COMMENTS OF JOHN E. LUCAS OF SOUTHERN COMPANY SERVICES, INC.

_______________________________________________

Good afternoon. My name is John Lucas, and I am the Transmission Policy and Services General Manager of Southern Company Services, Inc. (“Southern”). Southern is a participating member of the Smart Grid Interoperability Panel (“SGIP”) established by the National Institute of Standards and Technology (“NIST”) and is active in certain related Priority Action Plans (“PAPs”) and Working Groups. Southern also is actively involved in the standards setting process through the North American Energy Standards Board (“NAESB”) and the North American Electric Reliability Corporation (“NERC”). I recently served as a NAESB board member and others at Southern are similarly involved in leadership positions.

Southern very much appreciates the Commission Staff’s leading this conference and the opportunity to participate on this panel. The methods for establishing and determining whether sufficient consensus exists on Smart Grid Standards referred by NIST to the Commission are especially important not only to Southern and the electric industry, but also to our State regulators and, ultimately, consumers.

Transparency Issues

Southern has followed and participated in the SGIP’s work on interoperability standards and anticipates participating at an ever-increasing level in the future. With regard to the five families of IEC standards now before the Commission, however, I must admit Southern is among those who were not aware that these standards would be the first standards provided to the Commission by NIST. Southern also remains uncertain as to how, when and which of the other 75 standards or families of standards “identified” by NIST will be provided to the Commission.

Accordingly, and as will be discussed in more detail below, Southern believes NIST’s efforts to identify and provide standards to the Commission should proceed pursuant to a more formal and transparent process so that there is broad, documented industry consensus as to exactly when and which standards will be provided to the Commission.

Consensus Issues

To the best of my knowledge, regulated electric utilities have had only limited involvement in the IEC process for the referenced five families of standards. Further, past consensus on voluntary standards, such as the IEC standards, for one purpose does not necessarily constitute “sufficient consensus” (under the Energy Independence and Security Act of 2007) so that such standards are ready for a Commission rulemaking. Also, of course, the referenced IEC standards did not go through the current SGIP consensus process.

With regard to NIST’s and the Commission’s efforts to gauge consensus on the IEC standards, Southern would emphasize that mere attendance by numerous parties at NIST and SGIP Domain Expert Working Group meetings and Workshops should not necessarily be characterized as evidencing broad consensus. Similarly, and in light of the sheer volume of NIST’s and the SGIP’s work product, silence from the industry should not be deemed as constituting consensus on any particular standards.

As the Commission is aware, there are only a limited number of industry subject matter experts, and there are significant expenses associated with meaningful participation in the process. For example, while some standards are conditionally available at no additional cost in the ANSI Catalog, Southern’s cost for obtaining adequate copies of just the initial five families of IEC standards submitted to the Commission by NIST is approximately $25,000.00, not to mention the significant human resources necessary to review and comment on the approximately 3,500 pages of documentation included with these families of standards.

Due to these constraints, the industry needs a clearer outline of exactly which standards will be delivered to the Commission and on what timeframe so that the industry can better manage participation and review and comment on the standards in an organized, effective manner. Clearly, the current pace and broad scope of the process is inconsistent with establishing true and informed industry consensus.

Process and Participation Issues

While there is diversity in stakeholder participation, stakeholder participation is not properly balanced. In particular, Investor-Owned and Publicly-Owned Utilities as well as State and Local Regulators are underrepresented in the process. For example, Investor-Owned and Publicly-Owned utilities are collectively designated only one of the 25 SGIP Governing Board seats. Similarly, State and Local Regulators are also only designated one SGIP Board seat, the same number, for example, as provided to Venture Capitalists. It also should be noted that participants from vendor and vendor-related categories constitute approximately 50% of the SGIP participating members, further emphasizing the need for balanced participation and voting.1

Recommendations for Change to Current NIST/SGIP Process

For these and other reasons, Southern believes the IEC and existing NIST/SGIP processes should not yet be relied upon as establishing industry consensus for the Commission’s adoption of standards. To help remedy that situation, Southern would suggest three changes to the current process used to develop consensus as well as a couple of checks on that consensus process.

1 The numbers of participating members used in these comments are as of January 14, 2011.

First, each standard (including IEC and other existing standards) should be subject to review and vote by the entire SGIP pursuant to a balanced voting process before being placed in the SGIP’s Catalog of Standards or being provided by NIST to the Commission.

Second, similar to the NAESB process (which the Commission has previously cited with approval), not only should a standard have approval of a “super-majority” of voting members, it should also have a level of support from all industry segments. Under current SGIP/Program Management Office (“PMO”) rules, approval may be based solely on a 75% affirmative vote. However, if every Investor-Owned and Publicly-Owned Utility and State and Local Regulator who is a participating member in the SGIP voted against approval, consensus could still be deemed achieved by the SGIP by virtue of the fact that Investor-Owned and Publicly-Owned Utilities (45 participating members) and State and Local Regulators (11 participating members) collectively only constitute approximately 10% of the SGIP participating membership.

Third, and perhaps most important, the procedures adopted by the SGIP, the PMO, PAPs and related Working Groups to establish and confirm consensus should be subject to comment and approval by the entire SGIP (pursuant to a balanced voting process).

In addition, two checks on the consensus process would help provide assurance to the Commission that “sufficient consensus” has been achieved and that identified standards were ripe for the Commission’s consideration.

First, NERC’s formal review and reliability impact assessment of a standard should be a prerequisite to any standard being placed in the SGIP’s Catalog of Standards or referred to the Commission.

Second, while broad stakeholder support is helpful, no voluntary standard should be referred to the Commission without the documented support of Commission-regulated entities.

Similar to a recommendation that Southern understands will be made later this afternoon, Southern would support the establishment of a “review council,” consisting of representatives of those primarily responsible for the safety and reliability of the grid, to review and approve any interoperability standard provided by NIST to the Commission.

In conclusion, Southern appreciates NIST’s efforts to date, but urges NIST, the SGIP and their leadership to advance a more robust and balanced consensus-building process as described above. Such enhanced consensus process and the Commission’s related analysis should recognize the unique responsibilities of the regulated entities, who, along with their customers, will be among those most directly impacted by any interoperability standards adopted by the Commission. Southern believes the changes it has suggested today would prove helpful not only in building and establishing real consensus, but also in helping ensure a proper foundation for any action ultimately taken by the Commission on interoperability standards.

Thank you again for convening this technical conference and providing us with an opportunity to participate in this important discussion. Southern looks forward to working with the Commission, NIST, the SGIP and other stakeholders to help develop and participate in a balanced, more robust process so that real and meaningful consensus on interoperability standards may be timely achieved.

Dated: January 31, 2011


Opening Statement to FERC Technical Workshop

Andrew Wright

January 31, 2011

I have been involved in NIST’s CSWG since its inception in the spring of 2009, and to a limited degree in some other efforts of the SGIP. I proposed and co-led the Bottom Up Analysis subgroup of the CSWG that developed section 7 of NISTIR 7628. Consequently I have been reasonably involved and informed in the work of the CSWG throughout its entire process.

It is my opinion that there has not been sufficient consensus to consider the five families of standards posted by NIST as ready for Commission consideration in a rulemaking proceeding. I offer four points, most of which focus on cyber security, since that is my area of expertise.

1. What consensus process? I have been involved in the SGIP and the CSWG since their inception. I was never aware of the initiation of any public consensus process that would lead to posting of standards for FERC consideration. I recently asked about a dozen colleagues, many of whom have also been involved in the NIST effort, and excluding NIST employees, none of them knew about any such process either.

2. There are serious cyber security problems with the standards. The cyber security reviews of these standards performed by the CSWG identified a number of serious problems with the ones that address cyber security. Some of the problems are due to use of outdated cryptography, per recommendations from NIST’s Computer Security Division. Some of the problems are due to references to outdated IETF standards. Many of these problems appear to have been outstanding for several years. Even if the standards can be fixed to address these problems quickly, this leaves the problem of ensuring that they continue to be updated on a timely basis as the IETF standards and NIST cryptography recommendations evolve.

3. The standards under consideration have significant limitations to access, primarily in the form of costs and license requirements. These limitations to access discourage open review that might otherwise uncover cyber security vulnerabilities. Designing algorithms and protocols that operate correctly and are free of undiscovered flaws is difficult at best. There is general agreement in the security community that openly published and time-tested algorithms and protocols are less likely to contain security flaws than those held in secrecy, because their publication enables scrutiny by the entire community. Limitations on access to standards may pose challenges to smaller commercial entities implementing Smart Grid products, solutions, or systems. But in addition, these limitations may discourage inspection and review by security researchers, academics, and other interested parties, and may thereby increase the risk that Smart Grid standards contain security vulnerabilities.


While the standards under consideration are open in the sense that anyone can gain access to a standard, they are not as open or freely accessed as the IETF and W3C standards that define the Internet and that can be downloaded free of cost and restrictions. The standards NIST has recommended must be purchased from the Switzerland-based IEC organization, and a complete electronic set of these standards costs 10,738 Swiss Francs, or about $11,000 USD. Furthermore, purchase requires agreement to a license that restricts use of the standard to one person. NIST recognized that financial costs alone would impose a significant barrier to NIST’s own review, and negotiated special access through a web portal for a limited number of people within the CSWG to review standards. The IEC standards became available through this portal about May of 2010, but became unavailable about October of 2010 in the transition to a new portal, and as of January 21 were still not available on the new portal. Consequently, any member of the CSWG whose interest in reviewing the IEC standards was elevated by the announcement of the NIST posting has been unable to do so using this access.

4. There has been insufficient consideration of relevant cyber security standards, technologies, and best practices outside of the realm of power system standards. The standards under consideration address some aspects of cyber security; however, they do not provide comprehensive coverage. A number of common IT security standards, technologies, and best practices can significantly contribute to security in practical deployments of these standards. NIST’s own PAP1 effort identifies several such standards and technologies, including IPSEC, TLS, MPLS, and firewalls. I would add to these standards such as SSH, RADIUS, and LDAP; technologies such as intrusion detection and network access control; and best practices such as NIST SP800-53, SP800-82, and SP800-64. These time-tested standards, technologies, and best practices are in wide use today to secure corporate desktops and networks, branch office connections, web commerce, Internet banking, and many other critical applications. Where applicable, their use can significantly reduce cyber security risks with deployments of new technologies utilizing Smart Grid standards. With the exception of PAP1, the NIST and SGIP processes have largely neglected these standards, technologies, and best practices that address critical issues in securing the collection of systems that will form the Smart Grid. A FERC rulemaking that accelerates adoption of Smart Grid standards without requiring associated use of existing relevant cyber security standards, technologies, and best practices risks reducing the reliability of the grid.

Thank you.


Statement of Edward J. Beroset

Elster Solutions before the

Federal Energy Regulatory Commission

Hearing on Smart Grid Standards

January 31, 2011

Mr. Chairman, members of the Commission, thank you for inviting me to speak today.

My name is Ed Beroset. I am the Director of Software and Test for Elster Solutions. By way of background, I am an embedded systems engineer with over thirteen years of experience in electric metering and in smart metering solutions. I participate in numerous industry standards-setting organizations and co-chaired the American National Standards Institute C12.19 standard development panel. I currently chair the committee on ANSI C12.22, the IEEE 1703 committee and co-chair the Advanced Metering Security Working Group operating within the aegis of the Smart Grid Interoperability Panel. The company I work for, Elster, has designed and manufactured utility meters for over 170 years and is a world leader in Advanced Metering Infrastructure (AMI). Elster was the first to market with true two-way Advanced Metering Infrastructure; we pioneered radio-frequency mesh communications for smart meters; and we have manufactured 200 million meters worldwide in the last ten years, including 5 million two-way smart electric meters in North America. We are passionate about seeing the promise of the smart grid brought to reality.

My concern today is that the process and timing of the adoption of IEC standard 61968-9, Application integration at electric utilities - System interfaces for distribution management: Interfaces for meter reading and control, not impair our ability to achieve that promise.

On October 6, 2010 the National Institute of Standards and Technology forwarded 5 International Electrotechnical Commission (IEC) standards from the Smart Grid Interoperability Panel (SGIP) catalog of about 100 ‘vetted’ standards to the Federal Energy Regulatory Commission for consideration for making into regulations pursuant to the Energy Independence and Security Act of 2007. FERC acknowledged receipt of the standards on October 7.

One of the standards, IEC-61968 Part 9, was only finalized in late 2009 and is not in use in meters in any North American utility deployment, nor in meters by any European manufacturer. This standard is an abstract data model intended to represent metering data in the utility’s enterprise but not intended to be used as a concrete representation for implementation in meters directly. For that purpose, there are a number of jointly produced ANSI and IEEE smart metering standards being used in the US and Canada. These ANSI and IEEE standards are in the SGIP catalog, and many of them will likely be forwarded to FERC in future tranches for possible regulatory use. Today, there are about 35 million smart meters installed in North America based on these ANSI and IEEE standards.

The suggested 61968-9 application is limited to establishing a Common Information Model interface in utility back office systems. Elster supports the recognition of IEC 61968-9 as one option for smart meter deployments. In fact, Elster is a leading developer of IEC 61968-9 in the context of the common information model (CIM) in utility back office systems, the application NIST proposes.

However, IEC 61968-9 is only one of scores of standards an AMI project might satisfy. NIST is still working through the numerous other SGIP catalog standards which will ultimately be sent to FERC. Because this process is ongoing, it would not be prudent to start a rulemaking that might require the use of IEC 61968-9 in the interim.

For metering communications, international metering standards in the SGIP catalog include ANSI C12.18/IEEE P1701/MC 1218 Protocol Specification for ANSI Type 2 Optical Port; ANSI C12.19/IEEE P1377/MC 1219 Utility Industry End Device Data Tables (ANSI) and Utility Industry Metering Communication Protocol Application Layer (End Device Data Tables) (IEEE and MC); and ANSI C12.22/IEEE P1703/MC 1222 Protocol Specification for Interfacing to data Communications Networks. While there is some recognition that a significant degree of standards harmonization is underway in the background narratives that go along with the five IEC standards sent from NIST to FERC, this is apparently lost when it comes to recommended actions.

Given that, my concern is not that the Commission would recognize the IEC meter data model standard. It is rather that in moving to adopt IEC 61968 without acknowledging at the same time the many other SDO-adopted and NIST-recognized meter interoperability standards pending in the NIST smart grid pipeline, FERC will give utilities and regulators the mistaken impression that the IEC standard is the only acceptable meter data format at any and every point in the system. And we know from discussions with both the NIST and FERC staffs that is not the agencies’ intent.

Today every meter manufacturer and U.S. utility uses smart meter equipment employing the ANSI C12.19/IEEE 1377/MC 1219 table standard. The standard is mature, well understood and extremely practical and useful for transporting meter data within the AMI system. It has both an established track record of meeting the needs of deployed systems and a demonstrated capacity to accommodate innovations as AMI system needs evolve.

To adopt the IEC standard without also adopting the other SDO-approved, NIST-recognized, currently deployed meter table standards would cause serious market disruption and could freeze AMI deployments for the next year or longer.

Another factor ignored in the rush to endorse 61968-9 is cyber security. The implementations of the ANSI/IEEE/MC standards include cyber security, while 61968-9 does not, but rather relies on other IEC standards, some of which are not even yet written. Obviously, cyber security must be implemented in the field installation.

By contrast, ANSI C12.22/IEEE 1703/MC 1222 provides robust security employing NIST-approved AES-128 encryption and offers better authentication and integrity features than any previous metering communications standard. Elster has included a White Paper on how security is implemented in our system releases.

Unfortunately, many of the state utility commissions don't have the technical expertise available to thoroughly understand the scope and applicability of these standards without federal guidance. They are simply looking to check the NIST/FERC standards compliance box on smart meter projects. The fact that the CIM of 61968-9 is being proposed in the very limited context of utility back office systems is just one example of a subtle but extremely important detail unlikely to be understood by regulators.

Encouraging state commissions to adopt the NIST transmitted/FERC approved standards without further clarification will leave states and utilities seeking tomorrow's standards on today's technology or, perhaps worse, application of standards to areas outside their useful domain.

Even more, unless federal regulators address NIST’s ongoing mapping effort between ANSI C12.19 and IEC 61968, utilities may not understand their investment in ANSI standards-based systems was not wasted. Utilities and regulators must have assurance that legacy AMI systems will continue to have value.

Toward that end, we hope you will approve adoption of the IEC 61968 standard in tandem with the adoption of additional AMI table standards included in the SGIP catalog. At the very least, FERC must make clear that adoption of the IEC standard is not meant to forestall the use of other NIST SGIP catalog-recognized AMI standards, that the government is working to map the interface between ANSI C12.19 and IEC 61968, and that later tranches of standards are expected to include additional acceptable standards for AMI deployment.

Without FERC's assurance and public recognition that the standards it is presenting are not exclusive, and are evolutionary, we believe utilities will place planned deployments on hold until IEC 61968-9 is deployed in back office systems, essentially halting smart meter deployment for the next 18 months to two years, an outcome no one desires.

Mr. Chairman, I appreciate the opportunity to share Elster’s concerns and would be happy to answer any questions you or the Commission might pose.


FERC Adoption of 5 IEC Standards 1 January 31, 2011

Challenges, Opportunities, and Suggested Processes for FERC’s Adoption of 5 Smart Grid IEC Standards

January 31, 2011 Technical Conference

Frances Cleveland

Key question: Do these 5 IEC standards have sufficient consensus for adoption by FERC?

Challenges for FERC Adoption of the 5 IEC Standards

• Lack of functional review. Although these 5 IEC standards are rightly seen as key in the development of the Smart Grid, “sufficient consensus” can only be based on complete and thorough assessments:

– The 5 IEC standards were not formally assessed on their functionality, only on their cybersecurity aspects

– Although all 5 IEC standards are based on state-of-the-art concepts and technologies, they vary tremendously in their scope, maturity, completeness, testing status, and interoperability certification

– As a participant in the development of all 5 of these IEC standards, I am very aware of many issues that can affect their viability and interoperability in the Smart Grid.

• FERC’s term “adoption” is unclear in what it implies for stakeholders. For instance:

– While "adopt" does not mandate a standard, should stakeholders be urged to use them?

– Will the “market” feel pressured to use them, regardless of applicability?

– Will utilities feel that it is “safer” to specify these standards, regardless of cost or interoperability?

– Will vendors feel obligated to implement them prior to full conformance and interoperability testing and certification?

– Since cybersecurity must reach across multiple users, systems, field equipment and communication interfaces, how can true cybersecurity be achieved if only 5 standards are “adopted”?

• The 5 IEC standards are just a subset of a larger set of standards.

– What is the implication of adopting them without adopting those other standards?

– Will preference be given to these standards, even if other standards are adequate, or possibly better suited to the functional requirements?

• The cybersecurity reviews identified the lack of cybersecurity in IEC 61968 and IEC 61970, the CIM-based standards. These CIM-based IEC standards do not address cybersecurity because they are primarily abstract information models. However:

– Cybersecurity must be required for actual CIM implementations

– The reviews recommended that cybersecurity guidelines be developed for such implementations, with references to appropriate cybersecurity standards.

– Therefore, should these standards be adopted before such cybersecurity guidelines are developed?

Opportunities for Managing “Adoption”

• A “FERC Adoption Framework” could be developed which describes different FERC Adoption Categories to handle the nuances of the differing maturity and scope of the standards

– Certain categories of adoption could be used to get recognition of promising standards so that vendors will implement and test them, without pushing the industry to implement them so fast that better solutions are ignored or testing is incomplete

– Maturity would measure:

* Completeness of specification within the standard

* Conformance testing of implementations against the standard

* Interoperability testing of implementations against each other

* Formal certification process has been established

– Scope would cover:

* A standard can be made up of different Parts. If so, identification must be made of which Parts of a standard are to be included in a particular scope. For instance, one Part might be judged to have one scope, while other Parts might be combined into a single separate scope

* Different scopes could be placed in different “adoption” categories, depending upon their status. For instance:

Parts still under development could be identified as potential but not ready for adoption

“Informative” Parts (such as introductions and glossaries) could be categorized separately

* Specific profiles of combinations of standards could be adopted (e.g. requiring the IEC standards to use the IP-based set of standards, or identifying what protocol the abstract information models would be mapped to)


Possible FERC Adoption Framework with the following Adoption Categories:

• Adoption Category 0: Information. These Parts of a standard are information, including introductions, glossaries, and guidelines

• Adoption Category 1: Potential Adoption. These Parts of a standard could be of significant value to the Smart Grid, but have not yet been adequately specified or are still under development.

• Adoption Category 2: Complete Specification. These Parts of a standard have been completely specified, but have not been implemented or tested.

• Adoption Category 3: Conformance Testing Certification. These Parts of a standard have been implemented by at least one vendor and have been tested for conformance with the appropriate Parts of the standard.

• Adoption Category 4: Interoperability Testing Certification. These Parts of a standard have been implemented by more than one vendor, and these implementations have been certified to be interoperable.

• Adoption Category 5: Cybersecurity Certification. These Parts of a standard have been certified as meeting the interoperability testing and cybersecurity requirements.

Suggested FERC Adoption Processes

• Before a standard is submitted to FERC for possible adoption, it must go through both functional and cybersecurity assessment.

• During functional assessment, each Part of the standard is reviewed with respect to maturity and scope

– Each Part would be assessed with respect to which FERC Adoption Category it might fit

– Additional profile requirements would be included, if necessary

– Recommendations for next steps to achieve the next Adoption Category could be included

• During cybersecurity assessment, each Part of the standard would be reviewed for its cybersecurity requirements

– Each Part should be assessed on whether it does include cybersecurity or whether that is provided by another Part or standard

– If the Part does rely on another standard for cybersecurity, that standard should also be assessed for cybersecurity before the Part could be adopted into the Cybersecurity Certification Category.


– Each Part of the standard should be reviewed separately, or in combination with other Parts if they are reliant on each other.

• Once assessed, the standard is submitted to FERC with suggested Adoption Categories for each of the Parts

– FERC follows normal procedures to determine in which Adoption Category, if any, to place a standard or a Part of a standard.

– As the Parts of a standard go through conformance and interoperability testing, and as cybersecurity requirements are provided, FERC can update the Adoption Category of the standard.


Example Functional Assessment of the 5 IEC Standards

1. IEC 60870-6 (TASE.2 or ICCP) is the IEC standard for the exchange of information between control centers, and even between control centers and power plants.

– ICCP is the most mature standard of the 5 IEC standards, and has been widely implemented for many years.

– Cybersecurity for ICCP is available through its Bilateral Tables, IEC 62351 (Parts 3 & 4), and typical “IT” security technologies (VPNs, firewalls, role-based access control, etc.), although these security measures are not always implemented.

– This standard could be placed in the Adoption Category 4: Interoperability Testing Certification, with the recommendation that additional testing with the cybersecurity technologies could allow it to reach the Adoption Category 5: Cybersecurity Certification.

2. IEC 61850 is the IEC standard for communications with field equipment, including monitoring and control of devices. It is first being implemented in substations, but is increasingly being implemented in other domains, such as Phasor Measurement Units, Distributed Energy Resources (DER) generation and storage, wind power plants, and hydro power plants.

– IEC 61850 standards for substations have been implemented by most major substation vendors and have been tested and certified through formal testing procedures. The primary Parts for substations are IEC 61850-5, 6, 7-2, 7-3, 7-4, 8-1, 9-1, & 10.

– These substation Parts could be placed in the Adoption Category 4: Interoperability Testing Certification, with the recommendation that additional testing with the cybersecurity technologies could allow it to reach the Adoption Category 5: Cybersecurity Certification.

– IEC 61850 standards for hydro power plants are being implemented in Europe. The primary Part for hydro is IEC 61850-7-410.

– This hydro power plant Part could be placed in the Adoption Category 2: Complete Specification.

– IEC 61850 standards for DER (originally stemming from the widely utilized IEEE 1547 standards for DER electrical connectivity) are being implemented by vendors of DER generation and storage, including renewable generation such as wind, photovoltaic systems, combined heat and power, batteries, etc. This is particularly true in Europe where laws and regulations are mandating the rapid response of DER devices to power system conditions. The primary Parts for DER are IEC 61850-7-420 and 90-7 (under development).

– These DER Parts could be placed in the Adoption Category 2: Complete Specification.


– IEC 61850 standards for Wind are being implemented in Europe, but are not yet implemented in North America. The primary Parts for Wind are IEC 61400-25-2 & 25-4.

– This Wind Part could be placed in the Adoption Category 2: Complete Specification.

– The IEC 61850 standard for PMUs is under development. The PMU Part is IEC 61850-90-5.

– This PMU Part could be placed in the Adoption Category 1: Potential Adoption.

3. The IEC 61968 series of standards provides distribution level “application to application” messaging, typically within a utility’s corporate environment. It covers distribution operations, distribution planning, asset management, meter reading (from the AMI headend into the meter management system), and customer service. It is primarily an abstract model, and is expected to be implemented using XML-based messages. It contains no cybersecurity requirements.

– Part 9, Interfaces for meter reading and control, specifies the exchange of information between a metering system (AMI headend) and other systems within the utility enterprise. This standard recognizes and models the general capabilities that can be potentially provided by advanced and/or legacy meter infrastructures, including two-way communication capabilities such as load control, dynamic pricing, outage detection, distributed energy resource (DER) control signals, and on-request read. An interoperability test is being defined which is expected to be carried out in early 2011, while updates to the standard are being developed.

– IEC 61968-9 could be placed in the Adoption Category 1: Potential Adoption.

– Part 13, the CIM RDF Model exchange format for distribution, specifies the format and rules for exchanging modeling information based upon the CIM (Common Information Model) and related to distribution network data. The intention of this part of IEC 61968 is to allow the exchange of instance data in bulk. It describes only differences with IEC 61970-452.

– IEC 61968-13 could be placed in the Adoption Category 2: Complete Specification.

4. The IEC 61970 series of standards consists primarily of an abstract Common Information Model (CIM) specified in the Unified Modeling Language (UML) in the Enterprise Architect tool, with additional standards to define the rules and format for exchanging this modeling information. The purpose of these standards is to define an application program interface (API) for an energy management system (EMS). The common information model (CIM) specifies the semantics for this API. The component interface specifications (CIS), which are contained in other parts of the IEC 61970 standards, specify the content of the messages exchanged. It contains no cybersecurity requirements.

– The CIM UML model is an abstract power system model that is used as a base for extracting subsets of the model to be used for specific implementations. It is continuously being updated and expanded to meet new requirements. Only the extracted snapshots, such as IEC 61970-301, are standardized.

– IEC 61970-301 could be placed in the Adoption Category 1: Potential Adoption.

– The IEC 61970-4xx series describes Component Interface Specifications (CIS) that are Platform Independent Models (PIMs), which are independent of the underlying technology used to implement them. IEC 61970-4xx CISs specify the functional requirements for interfaces that a component (or application) should implement to exchange information with other components (or applications) and/or to access publicly available data in a standard way. The component interfaces describe the specific event types and message contents that can be used by applications for this purpose.

– IEC 61970-4xx series could be placed in the Adoption Category 2: Complete Specification.

– The IEC 61970-501 specifies the format and rules for producing a machine readable form of the Common Information Model (CIM) as specified in the IEC 61970-301 standard. It describes a CIM vocabulary to support the data access facility and associated CIM semantics.

– IEC 61970-501 could be placed in the Adoption Category 2: Complete Specification.

5. IEC 62351 series, Parts 1-7, Information Security for Power System Control Operations, are explicitly security standards for the IEC communication standards based on TCP/IP, the Manufacturing Messaging Specification (MMS), IEC 61850, IEC 60870-6, and IEC 60870-5 (not included in this set of 5 IEC standards), and Network & System Management. Although vendors are starting to implement these standards, none of the standards have yet gone through formal conformance testing or interoperability testing.

– Part 3 of the IEC 62351 series provides technical specifications on ensuring the confidentiality, tamper detection, and message level authentication for SCADA and other telecontrol protocols which use TCP/IP as a message transport layer between communicating entities. TCP/IP-based protocols are secured through specification of the messages, procedures, and algorithms of Transport Layer Security (TLS).

– Part 3 could be placed in the Adoption Category 2: Complete Specification.

– Part 4 of the IEC 62351 series provides specifications to secure information transferred when using ISO 9506, Manufacturing Message Specification (MMS)-based applications, specifying which procedures, protocol extensions, and algorithms to use in MMS to provide security.

– Part 4 could be placed in the Adoption Category 2: Complete Specification.

– Part 5 of the IEC 62351 series specifies messages, procedures, and algorithms that apply to the operation of all protocols based on or derived from IEC 60870-5, Telecontrol equipment and systems - Part 5: Transmission protocols. The focus of IEC 62351-5 is on application layer authentication and the security issues that result from application layer authentication. While authentication of sources and receivers is considered the most important requirement and confidentiality is not considered important, encryption can be included by combining this standard with other security standards, such as IEC 62351-3 (TLS).

– Part 5 could be placed in the Adoption Category 2: Complete Specification.

– Part 6 of the IEC 62351 series addresses security for IEC 61850 profiles through specification of messages, procedures, and algorithms. IEC 61850 specifies a number of different profiles which have different constraints, performance requirements, and security needs, but the primary requirement is for authentication of sources of data, receivers of data, and data integrity.

– Part 6 could be placed in the Adoption Category 2: Complete Specification.

– Part 7 of the IEC 62351 series provides an abstract model of network and system data elements that should be monitored and controlled. Its focus is network and system management, one area among many possible areas of end-to-end information security. The primary focus is the enhancement of overall management of the communications networks supporting power system operations, by specifying monitoring and control of communication networks and systems. Intrusion detection and intrusion prevention are addressed.

– Part 7 could be placed in the Adoption Category 2: Complete Specification.


PREPARED STATEMENT OF MICHAEL J. ASSANTE

PRESIDENT AND CHIEF EXECUTIVE OFFICER, NATIONAL BOARD OF INFORMATION SECURITY EXAMINERS OF THE UNITED STATES INC.

BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION

Technical Conference on

SMART GRID INTEROPERABILITY STANDARDS

January 31, 2011


Prepared Statement of Michael J. Assante

January 31, 2011

1

Good afternoon, Chairman Wellinghoff, Commissioners, and staff. I want to thank the Commission for convening this technical conference on smart grid interoperability standards and for the opportunity to provide these remarks. My name is Michael Assante. In addition to my experience as the Chief Security Officer at American Electric Power (AEP), I most recently served as the first Chief Security Officer of the North American Electric Reliability Corporation (“NERC”), which has been designated the Electric Reliability Organization (“ERO”) in the United States and much of Canada. Since departing NERC, I have remained active in efforts to enhance the security, survivability, and resilience of electric power systems in North America. I am providing comments based on my past experience associated with the challenges of developing industry standards and more limited experience involving the five families of standards before the Commission. I believe properly developed technical standards will play an important role in establishing a strong foundation for future electric system reliability and security. The Commission properly identified areas that deserved high priority in the smart grid standards development process. These areas include two cross-cutting issues, system security and inter-system communication, and four key grid functionalities: wide-area situational awareness, demand response, electric storage, and electric vehicles. I recognize the growing desire, as significant investments are already being made, to adopt standards that will shape smart grid technologies to promote system interoperability and security. I fully believe we must achieve these important goals and that urgency in this matter is warranted, but I caution against allowing haste to overcome a deliberate and extensive review of these important guides that will be so crucial to the development of the future smart grid. 
In my comments today, I will focus on both the security considerations and the standards consensus process associated with the five technical standards before the Commission at this time. It is my strong belief that technical standards, particularly where the electric power system is concerned, must first and foremost do no harm. A successful standard must demonstrate that, if implemented in a prudent manner, it will result in outcomes that will not adversely affect the reliability or cybersecurity of the system, whether in part or in whole. Thinking through the real-world outcomes of proposed standards requires that many minds come to the table—from those that design the technology, to those that implement it, to those that must secure it. The question of whether there is “sufficient consensus” that the five families of standards posted by the National Institute of Standards and Technology are ready for Commission consideration in a rulemaking proceeding is, therefore, an important one to ask. I would like to recognize up front the contributions and active involvement from important segments of the power industry, researchers, academics, and technology providers. From the onset, NIST has provided a valuable means for stakeholder input into the smart grid standards development process through formation of the Smart Grid Interoperability Panel (SGIP), a public-private partnership of 22 stakeholder groups supporting NIST in the ongoing coordination, acceleration and harmonization of standards development for the smart grid. The distillation of such a complex topic as smart grid has benefited from the active participation of many industry segments. I am concerned, however, that an insufficient number of experts in cybersecurity were engaged throughout the review process. Even though the IEC process is well-established and technically sound, it, like many other efforts, is struggling to address the dynamic nature of cybersecurity. I have been disappointed with the low level of participation by cybersecurity experts in the original development, drafting, and approval of the family of IEC standards, as is highlighted by gaps and security principles that would benefit from greater clarity and correction. NIST’s review, specifically the hard work of the Cyber Security Working Group (CSWG) Standards Subgroup, did identify areas to be addressed, but that effort also lacked consistent engagement by objective security experts. Greater involvement by various domain security experts would further highlight potential areas of concern and gaps, as well as potential solutions. Over my career, I have been involved in many efforts that relied upon the generous contributions of individuals volunteering their time and expertise and know all too well how important it is to be respectful of their other commitments and responsibilities. Many security experts indicated to me that they were too busy working in their primary field or industry and found the process to be cumbersome and extremely time-consuming. I am also concerned that the process did not prioritize input from utilities that will be responsible for implementing, operating, and maintaining the technology in a secure manner. These specific standards identify worthwhile technology targets that will certainly enhance efficiency and enable greater flexibility.
For example, IEC 61850 substation architectures provide significant benefits, to include lower cost over the life of the system compared to existing architectures. These benefits, however, also introduce security concerns as critical functions and components would share a common network, common naming, and automatic point configuration; rely on peer-to-peer messaging; and would thus be more susceptible to data storms, setting changes, and malicious programming. Today, right or wrong, substations are designed to follow a virtually unlimited number of physical and cyber architectures. The amount of knowledge required to conduct a coordinated attack on the power system is thereby difficult to attain. Adding commonality to the design and architecture of these systems makes it much easier for an attacker to immediately understand his cyber “whereabouts” in a given location and to gauge the effects of his subsequent actions with a much higher degree of certainty. It is not always intuitive, but the idiosyncrasies of a large and diverse system developed over many years and operated by over 3,000 different entities have offered some risk reduction in requiring attackers to conduct discovery to formulate a deliberate non-opportunistic attack. It is also important to consider the implications of field automation sharing networks for control and protection functions, which can make an attacker’s task of causing damage in the physical world much easier. Some legacy industrial systems relied on physically separate and functionally independent control and protection systems that made it difficult to remotely manipulate system settings. This is significant as the removal of this physical separation and functional independence between control and protection systems introduces the opportunity for an attacker to explore and manipulate the safety system to remove planned safeguards before misusing the control system to create a dangerous condition. There is an important trade-off to consider between the benefit of achieving greater efficiencies by doing away with silos and leveraging shared network resources and the potential for increased vulnerability to a cyber threat from making more available to an attacker who gains access to the network. The benefits might be deemed to outweigh the potential risks, but this requires a greater scrutiny of the necessary security approaches to manage those risks. As a security professional I am always challenged to measure the risk associated with designs and specifications on paper without having a detailed reference or model to evaluate. I have worked with engineers and security assessors that have implemented systems that followed specific portions of these standards. Each of them referred to the standards as guides that failed to offer demonstrated implementations to inform technology and configuration decisions. The standards have been criticized for not addressing existing and new substation architectures, failing to map with more widely accepted implementations and legacy systems, and not being harmonized with existing initiatives to include synchrophasor efforts. Many experts have argued that there is a concerning lack of security features being built into existing smart grid systems. The technology provider community has been criticized for developing and deploying solutions that have not been designed with a strong security architecture and lack important security features, including strong authentication, event logging, and forensics capabilities, which are necessary to analyze attacks. In my opinion, the existing standards do not make sufficient progress in establishing paths to significantly enhance the security of electricity delivery systems.
In some instances these standards simply call on system owners to implement security features that counter, within appropriate user and cost constraints, certain key threats, specifically denial of service and illegitimate use. The greatest concern is raised by engineers that have characterized the standards as being based more on experimentation than on implemented field experience, particularly in the U.S. Security challenges are always complicated by tough trade-off decisions that are made when trying to implement a system in a non-laboratory environment. The lack of implemented systems relative to the number of design options certainly makes it difficult, if not impossible, to gauge whether the standards will result in outcomes that will not adversely affect the reliability or cybersecurity of the electric power system. For example, the IEC 61850 family of standards explains the need for confirmation of a control message response, but does not identify appropriate security to address integrity and confidentiality concerns for the response. It is also interesting to note that IEC 61850 currently has little penetration in the U.S. market. The most popular substation standard, DNP-3, was not one of the standards being provided by NIST. We must strive to avoid technical standards that either fall short of requiring a solid core of built-in security features or possess known security challenges without identified security solutions. At AEP, I learned the tough lesson of having to bolt on additional protective measures after a system had been developed. As a former asset owner, I would rather set a higher bar for systems in the design and development phase, as it is far more effective and cost efficient to deal with the security challenges, such as those that have been identified by the NISTIR 7628 Guidelines for Smart Grid Cyber Security and by the NIST Risk Management Framework, before systems have been installed and are operational. As a former regulator, I also know all too well what happens when insufficient standards are adopted and the problems created in attempting to enforce compliance and trying to fix those standards while they are being implemented. Even the many entities acting in good faith faced difficulty in interpretation and implementation—and I have seen the same issues already beginning to arise here. I will remain uncomfortable with the current NIST standards until model systems built using the existing standards are tested in both laboratory and field settings. There are too many questions left at the discretion of implementers, integrators, and asset owners with inadequate guidance and a lack of practical and demonstrated security approaches to inform their decisions. Furthermore, the standards under consideration contain many decision branches and configuration decisions that would certainly introduce difficulties to achieving ready-made interoperability. Efforts to modernize our nation’s electric power infrastructure through the overlay of two-way digital communications and highly-automated digital control (to create the “smart grid”) are based on the desirable promise of greater energy efficiency and system performance. Indeed, the smart grid may well pave the way to an entirely new way of considering electricity supply and demand. Of course, more technology typically adds more complexity and interconnectedness, which tend to increase system fragility and vulnerability to perturbations. We should continue to seek progress, but also recognize the need to close the gaps in the software and system engineering foundations necessary to ensure that new smart grid functionality will be secure, safe, survivable, reliable, and resilient.
I don’t believe my concerns are insurmountable, but they should be addressed before setting a precedent by adopting the standards in their current form. There are several approaches that could be considered to improve the standards, to include remanding the technical standards until security is uniformly addressed or direct necessary addendums to address concerns and provide credible security guidance. Efforts should be made to establish an agreed-upon set of review criteria by type of technical standard to evaluate its impact on system security. These reviews should include an evaluation of pilot implementations where possible. I am not necessarily advocating a long and drawn-out process and surely recognize the value in setting direction while the opportunity to do so still exists. I would ideally like to see an intensive but timely review process undertaken, utilizing the resources at utility test beds and technology labs across the country. The existing review process would benefit from engaging a more diverse group of cybersecurity experts to include individuals working in other sectors, particularly in the field of control system cyber security, and in the field of general information technology. Again, I appreciate the opportunity to speak before you today and commend the Commission and NIST’s efforts to tackle this important and growing issue. I would be pleased to answer any questions you may have.


Respectfully submitted, /s/ Michael Assante

Michael Assante
President and Chief Executive Officer
National Board of Information Security Examiners of the United States, Inc.
2184 Channing Way, #304
Idaho Falls, ID 83404
(208) 557-8026
(973) 860-0921 – facsimile
[email protected]


Ronald Ambrosio Global Research Executive, Energy & Utilities Industry

IBM Thomas J. Watson Research Center

Statement prepared for:

FERC Technical Conference on Smart Grid Interoperability Standards

Good afternoon and thank you for asking me to participate in this panel and to make comments on the ongoing smart grid interoperability standards coordination process being conducted by the Smart Grid Interoperability Panel (SGIP) and NIST. I believe my research activities in interoperability software frameworks and standards for nearly 15 years, and my deep involvement in both IBM’s and the utility industry’s smart grid activities over the past decade will allow me to provide an informed perspective in this area:

– My technical background and research at IBM and elsewhere have involved a combination of embedded real-time systems and enterprise-scale distributed computing systems, and how to bring those two worlds together – interoperability – so I have extensive practical experience on this topic.

– Since the late 1990’s I’ve been the working party lead and editor of an ISO/IEC Joint Technical Committee 1 standard series on interoperability for premises automation systems, so I’m intimately familiar with the challenges of standards development, coordination and harmonization.

– As a member of the GridWise® Architecture Council (GWAC) since its formation in 2004, and Chairman over the past two years, I was part of the small community who first identified, and then worked to raise the industry’s level of awareness about the critical need for interoperability in all dimensions if we are to achieve an effective and sustainable transformation of our electricity system.

– I’ve been working directly with the NIST team starting in January 2008 when they were assigned this role, and I am the Chairman of the SGIP Architecture Committee and have an ex-officio seat on the Governing Board, so I am directly involved in the current process and how it is evolving.

The involvement of a broad community of stake-holders is essential

I was asked by DoE to attend the spring 2009 meeting between FERC, DoE and NIST that was held to determine the best way to accelerate the progress on interoperability standards coordination. At that meeting, I advised that it was critical to have strong industry and other stakeholder participation in the governance of any process that would be defined, to facilitate both participation in the process and acceptance of the results. NIST took that idea, and the observation of how healthcare had used a similar approach, and eventually defined 22 stakeholder categories and a Governing Board of representatives from those categories.

Such stakeholder participation and governance continues to be an important part of the process in the SGIP, and there is also recognition that there may need to be new stakeholder categories added in the future as the ecosystem of smart grids matures.

I do note one concern in the current by-laws that allows Governing Board seats to be held by individuals whose organization does not belong to the stakeholder category of that of the seat. This can result in stakeholders being represented on the Board by individuals who are not part of their stakeholder community. In my original recommendation I had envisioned a more direct representation.

The need for a transparent and inclusive process

In a process that brings together such a variety of perspectives, objectives, concerns and agendas, there must be as much transparency as possible. Transparency helps to mitigate the tension that might develop between stakeholder communities with differing goals and requirements. Closely related to transparency is the need for inclusiveness (or at least the opportunity for participation) in activities that have an impact on a stakeholder community.

I believe there is a proactive effort to make the general SGIP process accessible to all interested participants, through web technologies and remote meeting access. It’s not perfect, but it’s workable and has improved as the SGIP community and the SGIP leadership and administrator have become more experienced in conducting such meetings.

I encourage the Governing Board and the various committees and working groups (including the Architecture Committee that I Chair) to proactively strive for as much transparency and inclusiveness as are practical, balanced with the need for timeliness and efficiency in making progress.

This requirement for transparency and inclusion must extend all the way through to the end-result of NIST preparing recommendations to FERC. One idea that has been put forward, and which I support, is to assure that NIST select only standards that have been added to the Catalog of Standards (CoS), thereby assuring they have completed the SGIP life-cycle and they have documented stakeholder support.

The need for a living process that continues to improve

My experience to date has been very positive with respect to the evolution of the SGIP internal processes and their ongoing improvement through feedback from the participants. For example, the Priority Action Plan (PAP) life-cycle has matured and improved greatly, and my observation is that the SGIP leadership and the administrator have operated with a spirit of continuous improvement in mind. As an example, a change was quickly made to the close-out portion of the life-cycle when I pointed out that the Architecture Committee and the Cybersecurity Working Group both needed to be part of the review process for documents being published by a PAP at its completion, to assure there are no unresolved architectural issues or cybersecurity concerns.

There are also additional process changes and improvements in progress related to the handling of standards that don’t require the formation of a PAP to address technical or harmonization issues. This parallel path will still involve similar reviews as described above, and will provide a path for standards to become part of the Catalog of Standards (CoS).

Stay focused on key interoperability interface points

The effort to coordinate the development of interoperability standards should not expand to include all standards related to smart grids at all points in the system. Interoperability is about standardizing key interface points within the smart grid system of systems. At the first major workshop that NIST hosted in late spring of 2009, I was immediately concerned as I visited several of the sessions – it seemed that everything was being put on the table for discussion, far beyond the scope of interoperability interfaces. I spoke to a number of my GridWise Architecture Council and NIST colleagues to assure there was consensus with my observation, and I then met with George Arnold and Dean Prochaska over lunch to explain the concern and recommend that we quickly develop a Conceptual Model of the smart grid that could be used to structure the subsequent workshops and activities, and get the community focused on what needed to be accomplished. This resulted in the formation of an ad hoc team to create the first version of the Conceptual Model in time for its use at the second workshop.

This concern of staying focused on standards for key interoperability interface points remains. It’s easy for an activity of the scale and complexity of the SGIP to drift beyond that core charter, and I believe we all need to be attentive to this issue. If not, we may fall into the situation of over-standardizing portions of the system that should be left more loosely constrained, to encourage innovation and open-market technology competition and evolution. It should always be remembered that interoperability is as much about enabling innovation to continue with minimal impact on the system as it is about getting the system running in the first place.

Closing

I continue to support the activities of NIST and the value of the SGIP. While there are always challenges with any undertaking of this scale, I strongly believe that we are in a better position with the SGIP in place than if we had not established it. The importance of bringing all the stakeholders to the table, and facilitating a process to encourage collaboration can’t be over-stated.

In our governance of this process, we need to continuously self-examine ourselves to assure that we stay focused on the correct issues, and strive for an open environment that achieves outcomes that can be supported by all the stakeholder communities affected. We also have to fully consider the implications of any actions resulting from this process, which can go far beyond the technical realm, and proceed with careful consideration of all factors.


From the office of:

Dr. Nate Kube tel: 604.669.6674 fax: 604.669.2902 nkube@wurldtech.com

Wurldtech Security Technologies | Suite 1680 – 401 West Georgia Street | Vancouver BC Canada | V6B 5A1

MEMORANDUM

Attention: Sarah McKinley

Re: Introductory Comments – FERC Panel, Jan 31, 2011

Before I begin, I would like to compliment the NIST team for their excellent work developing NISTIR 7628. NISTIR’s 197 requirements align well with other frameworks, such as those offered by the International Society for Automation (ISA) – known as ISA99 or IEC 62443. In regards to content, the five core standards are a good start, but as currently written are neither comprehensive (communication centric) nor do they provide any specifications for security certification, which is required to build (and verify) security into Smart Grid products and services offered by system and component suppliers. In regards to process, U.S. participants representing Owner/Operators were very limited. As a result, the initial development of the IEC standards cited is not comprehensive from an operational security point of view.

In contrast, consider the WIB 2.0 (October 2010) requirements, offered by The International Instrument Users’ Association. WIB security requirements coupled with vetted Vendor evidence requirements for certification are in place and successfully tested for Smart Grid Advanced Metering Infrastructure (AMI) systems and services. WIB vetting involved the leading suppliers and stakeholders to establish a solid consensus of the requirements for certification as well as validation by performing certifications, which improved the processes. I believe this approach is stronger than the approach to use “selected experts” to identify the five families of core standards.

Furthermore, I am concerned that many important contributions to design security into the Smart Grid infrastructure are not addressed by these families of core standards, but are addressed in other guidelines and recommended practices; patching for example. These contributions may not use the same security framework as IEC 62351, but do provide adequate security for a wider class of deployed Smart Grid components and systems. Wurldtech discovered this defect when testing Smart Grid AMI systems and services for security certification. One possible solution may be to include these additional guidelines as normative references thereby integrating them into the standards under consideration.

WIB 2.0 also offers the distinct advantage of strong asset owner/operator buy-in (they were integral in its development). This “pull strategy” results from major electrical power utilities telling their suppliers that to continue selling their products and services, they must successfully certify their security policies and practices. By the utility telling their Public Utility Commission (PUC) that Smart Grid systems are secure, this strong security requirement represents a commitment to the PUC.


The approach offered by WIB (end user driven, certifiable, operational security requirements) has gained serious recognition and momentum across a wide range of process control communities, including the energy sector. Since posting WIB 2.0 on their web site in November 2010, vendors providing products and services to the process control industry have requested over 1000 downloads. Many of these vendors provide products and services for the Smart Grid, which again proves the strength of support and consensus to adopt and implement the WIB requirements. The figure below details my recommendations pictorially.

In conclusion, NIST has provided an excellent framework of Smart Grid security requirements in NISTIR 7628. The five core standards recommended are an excellent first start. Add WIB 2.0 to the mix: vet with the large utilities who must operate this equipment safely and securely, and you have fixed the glaring defects.

Yours truly,

Dr. Nate Kube, CTO


Supplemental Documentation of Wayne Longcore

Director, Enterprise Architecture & Standards, Consumers Energy

Comments prepared for:

FERC Technical Conference on Smart Grid Interoperability Standards

Docket No. RM11-2-000

Good afternoon, Chairman Wellinghoff, Commissioners and Staff of the Federal Energy Regulatory Commission. Thank you for asking me to present on what should be the future process for smart grid interoperability standards. I am pleased to present my comments today as someone deeply involved in the standards process as the Director of Enterprise Architecture and Standards at Consumers Energy, an investor-owned electric and natural gas utility serving 6.5 million of Michigan’s 10 million residents. My comments today also include my perspective as:

Vice chairman, Board of Directors for UCA International Users Group (UCAIug). This not-for-profit corporation has more than 7,000 people participating in collaboration teams through face-to-face and virtual meetings and collaborative websites. This organization has 61850 users’ groups and the CIM (61968 and 61970) users’ groups. These are three of the proposed five standards from the National Institute of Standards and Technology (NIST).

One of the 13 members of the US Department of Energy (DOE) funded GridWise Architecture Council (GWAC) working on interoperability directions of the smart grid.

A Governing Board member representing stakeholder category 13 (Professional Societies, Users Groups and Industry Consortia) of the Smart Grid Interoperability Panel (SGIP). The SGIP was created by NIST to fulfill the requirements for reaching sufficient consensus on standardization of the smart grid according to the Energy Independence and Security Act of 2007.

o I am the Governing Board representative to the SGIP’s Program Management Office

o I am a member of the Smart Grid Architecture Council (SGAC) and one of the authors of the NIST smart grid conceptual model

o I am a member of the Vision Mission and Roadmap team of the Governing Board

o Several of Consumers Energy’s employees and contractors, UCAIug members, and my GWAC peers work on various Priority Action Plans (PAPs) and as part of standing committees such as the Cyber Security Working Group (CSWG) of the SGIP and the Smart Grid Testing and Certification Committee (SGTCC).

I am here to discuss the process that has been designed for identifying, developing, and reviewing smart grid standards that have evolved from the process used by NIST to select the five standards posted on October 6, 2010. I will provide a description of the direction and future process to identify and prepare smart grid standards for FERC consideration, including information transparency and the development of consensus within the industry on those standards. Based on the mandate of the US Energy Independence and Security Act (EISA) of 2007, NIST embarked on a three-phase process in early 2009 to carry out those responsibilities. The result in Phase I was the identification of relevant standards, major gaps, priority action plans, and a detailed conceptual model to frame industry participation. This work has involved a large group of stakeholders to ensure that a consistent process is followed to reach consensus on the standards development and selection. Achieving the attributes of the smart grid, as stated by the DOE, will require standardization of devices and security to a point that customers and utilities are able to purchase, install and configure systems and devices that conform to a level of standards that allow them, without a significant amount of work by these parties, to be interoperable. Standards for those key interfaces from a physical connection, an information and security level, to a regulatory level are required. Late in 2009, NIST initiated Phase II of the plan and created the SGIP, a single organization that is a focal point for identifying these interoperability requirements and standards, and to build consensus moving forward.


NIST has developed a process for standards to be reviewed by the standing committees (the Architecture Committee, the Cyber Security Working Group) as well as the Governing Board, and the entire plenary. The websites used as forums for documenting the NIST process act as one common point of collaboration for stakeholders. Other industry organizations and users groups such as the UCAIug have liaisons in place with standards organizations that give them access to pre-standard work materials allowing stakeholders in those groups to evaluate standards and influence direction prior to finalization. The Smart Grid consists of many different Standard Setting Organizations (e.g., ANSI, IEC, etc.). Due to the varying financial and access requirements for these standard setting organizations, access to all of these standards for all stakeholders to review has been challenging. There is no single source of standards, such as these, that all stakeholders have access to review. The SGIP has developed a process with ANSI to make a large subset of completed standards available to SGIP members. The main value of the SGIP however is in developing requirements and consensus on new and existing standards through relationships with the SSOs considering input.

Many organizations across the nation are working to achieve consensus on the direction of standards required for the smart grid. These groups include utilities, current and future vendors, academics and governmental agencies. They are joined by members of professional societies, user groups, consultants and industry consortia together working toward a process of open review and collaboration on the standards required to reach interoperability within the smart grid. At last count, there were 647 organizations with 1,681 individuals participating in the NIST Smart Grid Interoperability Panel process. One should not take from those numbers that only 1,681 people are working on standards. Those involved represent much larger organizations such as liaisons or information focal points. SGIP voting members such as Governing Board member Bob Saint, who represents the National Rural Electric Cooperative Association (NRECA), are also involved.

Establishing a mechanism for reaching consensus amongst a variety of interests is a major challenge for the standards process. NIST worked diligently to create an SGIP governance model with many checks and balances to ensure that a mechanism existed for all stakeholder voices to be heard - big and small - and maximize the ability to uncover new ideas, assess them, and generate broad consensus. A potential side effect of this approach is that some key groups could have a less than desired voice in the process if not mitigated. Of specific concern is that the utilities that are responsible for safely, reliably and cost effectively operating the grid are only “one voice among many” in the SGIP community and NIST process. Unchecked, the mechanism of reaching consensus could theoretically favor small companies where even a one-person consultancy striving to create a new market has the voting equivalence at the SGIP Plenary level to thousands of people working together as an Investor Owned Utility. Like any other form of representative governance, NIST has ensured that there are mechanisms to address issues such as uneven representation. One of those mechanisms in the SGIP is its Governance Board elected by vote of the 647 organizations that guarantees seats on the board for all SGIP stakeholder categories including each segment of the electric utility industry: the Investor Owned Utility stakeholder group, municipals, the rural cooperatives, independent power producers, transmission operators, and energy market traders.


The Governing Board is designed to equitably represent the various stakeholder groups no matter what the stakeholder demographics are of the SGIP as a whole. The Governing Board has put in place a Program Management Office (PMO) to manage the process, to report out on the status of the various Priority Action Plans (PAPs) and to communicate status, schedule and resource issues. Priority Action Plans were created for managing major areas needing consensus and status changes. There are defined standing committees that are responsible for Architecture, Testing and Certification and Cyber Security.

The Governing Board meets on a monthly basis, and there is a bi-monthly meeting of the entire plenary. A monthly status score card is created by the Program Management Office. The standing committees meet in many small working groups and periodically as the larger teams. There are public websites set up to enable individuals and organizations to review the progress of each PAP, each standing committee, the PMO and the Governing Board. A process has been set up for standards to get published to a Catalog of Standards (CoS) that requires documented consensus of these groups. This process requires that the Cyber Security Working Group and the Smart Grid Architecture Committee perform an assessment of the standard for fitting into the larger Smart Grid Conceptual Model, security paradigms, and the described layered architecture principles.

Within the SGIP, PAPs are projects established by the Governing Board to address standards gaps or overlap. PAP Working Groups (PAP WGs) are formed to address the gaps/overlap and develop a list of requirements necessary to resolve those issues. Once these requirements have been addressed by an SSO, the standard is passed back to the PAP WG. The PAP WG then convenes to determine whether the requirements developed by the WG were met by the standard. A 75 percent super majority consensus by the PAP WG is necessary to ensure that requirements have been met to recommend inclusion to the CoS. It is important to note that if the requirements were not met, the PAP WG can communicate with the SSO to achieve requirements compliance. If that activity has been exhausted and the SSO will not make any additional changes, the PAP WG may decide NOT to recommend the standard for inclusion. A similar process is used by Domain Expert Working Groups (DEWGs) and other SGIP WGs when reviewing existing standards for inclusion in the CoS. WGs review the standards, identify any gaps or overlap issues and make a recommendation to the Board for inclusion. If issues are identified, a PAP is proposed and handed to the Board for consideration. If no issues are identified, the WG develops a standards review package which includes reviews by the CSWG and SGAC. The same process is followed for adding to the CoS with a plenary vote, although this has not actually happened yet since it is a new process that is currently under review.


For each standard, the CSWG and SGAC review to ensure that cyber security and architectural requirements have been achieved. If not, the standard is returned to the SSO responsible for the standard development and rework is performed. Once these groups (the PAP WG, SGAC, and CSWG) determine that their requirements have been met, the standard is introduced to the Governing Board for review. The Governing Board then votes on whether the original objectives were met and whether to recommend the standard for inclusion in the CoS. This is a key step in the consensus process for the SGIP since the Governing Board is made up of equal representation from 22 different stakeholder categories, ensuring that all stakeholder communities have had a chance to discuss any issues, comment on the standard, and perform a vote. The Governing Board’s recommendation is included on the standards ballot for the SGIP members to consider and a vote is conducted by the SGIP members in “good standing” (good standing requires minimal participation and prevents the opportunity for non-participants to enter at the last minute and disrupt the voting results). The Governing Board recommendation only serves as a recommendation and the final decision on whether the standard is included in the CoS is in the hands of the SGIP Plenary (the entire SGIP). Of the participating organizations, the Plenary’s voting members must achieve 75 percent consensus to determine that a standard should be added to the CoS. This open and transparent process ensures that all entities have a chance to read and understand the implications of a standard being added to the SGIP CoS.

It is important to have a clear consensus process for proposed standards. While each of these standards definitely had review during Phase I of the NIST process and possibly had the greatest consensus of any standards at that time, it is important to note that these first five standards were chosen prior to the development of the SGIP CoS process. They were, however, recognized as leading candidates to be submitted for such a consensus review based on the need for interoperability and capabilities described in the smart grid vision. We expect the consensus and standards review process to continue to evolve. It may not be necessary to vet standards previously reviewed using newly developed and improved processes. Indeed, this could present a bottleneck and an opportunity for some special interests to block progress through process churn. However, if a significant number of stakeholders find that a standard accepted in an earlier process was flawed by either the process itself or its implementation, then there should be a means to review them again using the current process in exceptional circumstances. Equally important is to recognize different realms of consensus. Examples of this are consensus that a standard is itself technically sound, consensus that a standard is relevant to the smart grid, and consensus that a standard should be implemented in some time frame under specific conditions. These are all very different forms of consensus and need to be addressed individually.


Standards, when implemented appropriately, can drive economy of scale and increase entrepreneurial opportunity by reducing risk of vendor lock-in of proprietary systems. They also can reduce early obsolescence, financial and reputational risks associated with implementing stranded technologies. At the same time, standards when implemented improperly can also create early obsolescence, stranded investments and remove entrepreneurial opportunities. It is important for the industry to have a clear, open and transparent process to achieve consensus, to assure their relevancy to the Smart Grid standards environment.

When standards are proposed to FERC, there should be a further review by a review board that is more heavily weighted towards those that are responsible for the safety, reliability, and cost effectiveness of the grid. This review board (as yet to be created) should deal with the impacts and timelines required for adoption of such standards to the vendor community including development timelines and production considerations. Timelines should also be created for implementation for entities such as utilities, service providers and customers. Those timelines should account for legacy impacts both on systems and devices, including stranded assets and resource commitments. If anything has been learned from other industries that have grown to the scale of the smart grid, it is that standards must be layered and allow for evolution away from a specific protocol or “layer” without having to throw away the entire system. It is important that we not require the usage of only one technology in each layer. Imagine if, when we initially communicated remotely with modems on physical phone lines, we had said no remote terminals will ever be allowed to work any other way. TCP/IP as a packet network would never have developed to form the internet and wireless would never have enabled mobility.

Developers, manufacturers, and the various end consumers of systems and devices matching these interoperability standards will be significantly aided by a clear and formal testing and certification process for systems and equipment that are claiming to meet a required standard prior to implementation. There must be a clear statement of implications for non-compliant systems and devices and how cost recovery will be managed for those impacted by the move toward standardized functionality, interfaces and security methodologies. A roadmap of standards deployment and evolution must recognize that not all assets have the same replacement lifecycles. Meters, transformers, cars and refrigerators have different life cycles than TVs, laptops and cell phones. Standards, especially security standards, must be crafted very carefully so they don’t preclude upgrades that will correct or mitigate various issues as yet unexpected.

In conclusion, NIST should be commended for what it has accomplished in gathering a very large stakeholder community and developing an open process with significant open status reporting. I suggest the following as possible next steps:

Require future proposed standards to FERC to be in the SGIP Catalog of Standards to openly and transparently assure consensus for standards that are being created or updated are deemed relevant to the smart grid. Many people are participating in that process and future proposed standards to FERC should be in the CoS.

Assemble an implementation and roadmap working group of those who are responsible for the equipment, safety, reliability and cost effectiveness of the grid to put in place to review standards proposed to FERC and their impacts to the grid.

Require Phase III of the NIST plan to be implemented assuring testing and certification of standards to assure interoperability and impacts to the owners and users of the electric grid.

Clearly define and articulate a process that matches the standards coming through the CoS process to show their relevance to the grid, the process of the Implementation and Roadmap working group, and the adoption by regulators of standards.

Adopt the five standards that were selected prior to the current process being complete only when clear implementation and roadmap issues are defined and articulated. 


Statement of Paul De Martini Smart Grid Chief Technology Officer & Vice President, Strategy

Cisco Systems, Inc.

Before the United States Federal Energy Regulatory Commission Technical Conference on Smart Grid Interoperability Standards

Docket No. RM11-2-000

Good afternoon, Chairman Wellinghoff and Commissioners, thank you for this opportunity to speak to the issue of smart grid standards recommended by the National Institute of Standards and Technology (NIST) for consideration. My name is Paul De Martini, and I am the Chief Technology Officer and Vice President, Strategy for the Smart Grid Business Unit at Cisco Systems. I am also a member of the Governing Board of the NIST Smart Grid Interoperability Panel (SGIP) holding one of the at-large seats representing a broad industry perspective. Prior to joining Cisco last spring, I led Smart Grid development and standards at Southern California Edison.

The central role strong Internet Protocol (IP) based interoperability standards play in communications networks long pre-dates the Smart Grid. The broad adoption of interoperability standards has made possible competition among vendors who make the different devices that communicate across networks, devices as diverse as mobile phones, computers, and networking products. Cisco anticipates that interoperability standards can play the same role in the emerging Smart Grid, by ensuring that utilities and their customers will benefit from choices among open and IP based standards-compliant devices that together will comprise the Smart Grid.

Cisco participates regularly in standards development activities in a range of standards development organizations (“SDOs”) across the IT sector and increasingly over the past few years in the power systems and energy management sectors including active participation and leadership in the SGIP, International Electrotechnical Commission (IEC), IEEE, the North American Synchrophasor Initiative (NASPI), UCAIug OpenSG, ZigBee Alliance and others. Cisco is also currently supporting Smart Grid interoperability standards development and adoption across North America, the European Union, India, Russia, Australia, Brazil and China. On any given day, dozens of Cisco employees are attending meetings of standards development organizations or preparing technical contributions. We regularly contribute proprietary technology to standards development efforts. And we regularly implement a wide range of standards in our products to meet our customers’ needs.

Today, I will address three areas: a) consensus on the five IEC standards, b) standards lifecycle and implications toward implementation and adoption and c) considerations regarding intellectual property rights in standards adoption.

Five Standards Consensus

In the three years since the passage of EISA 2007, NIST has overseen the development of one of the most sophisticated and largely voluntary organizations in the world with the primary focus of identifying relevant standards or requirements for new standards to enable a smarter grid, vetting the technical and security attributes of such standards, and achieving consensus for federal and state regulatory and public power boards to consider for adoption. The several large sessions in Phase I that drew hundreds of participants representing a broad range of stakeholder interests evolved into the Smart Grid Interoperability Panel. Today, SGIP is comprised of nearly 660 domestic and international organizations and over 1,700 individuals participating in the process. NIST’s achievements in Phases I and II in standing-up the SGIP organization and associated processes are remarkable.

The five standards proposed are a good starting point to enable a 21st Century grid that is interoperable, leveraging open and IP based standards, and secure. These specific standards also represent not only the broad industry consensus evaluation in Phase I, but also the rigorous long-term development within the IEC including extensive global technical peer review and approval. The strength of the SGIP process and that of the IEC and other SDOs is their processes for continuous improvement. Standards by nature are not static and will continue to evolve both in terms of refinement and to address new requirements as technology and uses change. The SDO and SGIP processes ensure that any gaps that have been identified will be resolved in subsequent revisions. This means that consideration of these five can move forward today in the context of the standards adoption lifecycle considerations below and with the understanding that material technical gaps will be sufficiently addressed prior to implementation. Cisco supports the SGIP consensus and vetting process that resulted in these five standards being selected as the first for regulatory consideration.

Standards Adoption Lifecycle

As challenging as the process for identification and evaluation of standards in the SGIP process is, it is only one of several steps toward ultimate adoption in utility systems. The FERC, state commissions and public power boards will need to also consider the state of maturity of any specific smart grid standard. Specifically, Cisco believes that any proposed standard for utility adoption should also be assessed on the following aspects:

a) Established standard compliance and interoperability testing regimes

b) Products from multiple suppliers are “commercially available”

c) Successful reference implementations

d) Backward compatibility assessment or legacy migration considerations

Implementation of standards in products must be tested for adherence to the standard as well as interoperability and security. Such testing needs to be carried out by responsible organizations using recognized testing protocols. Products, of course, need to be commercially available for utilities to adopt. This requires technology suppliers to develop appropriate smart grid products that incorporate standards that have been tested. It is typical to expect that the technology product development time to incorporate a new standard, including proper testing for commercial release, may take between 12 and 24 months.

As with any new technology products on critical infrastructure like the electric system, small pilots or demonstrations are usually performed to validate the technology in an operational environment. These reference implementations are an important step in the overall adoption cycle and reduce the potential technology risks and often provide useful information to improve the products and considerations for utility wide scale adoption.

Additionally, much of the existing technology on the US electric system is incompatible with the emergent standards, including the five proposed. Except in a few instances, like smart metering, it is uneconomic to consider wholesale (forklift) replacement of existing technology. This means legacy proprietary networks will continue to operate as long as regulators and utilities consider them useful. The objective, of course, is that new build-outs use the interoperable architecture leveraging open and IP-based standards, and all vendors are able to sell into them, resulting in cost savings and increased performance for the utility. In time, the IP-based interoperable architecture therefore dwarfs the legacy proprietary networks.

Therefore, the issue of migrating from an existing technology to a new open standard or security scheme must be considered. This necessitates an assessment of potential backward compatibility of standards and/or gracefully transitioning from the existing system to the new system while ensuring the overall effectiveness of the operation of the grid is not compromised. This often requires technical solutions to effectively integrate the old with the new, which Cisco is already addressing for utility customers worldwide.

The FERC, state commissions and public power boards need to consider these lifecycle maturity and utility adoption considerations not only in which specific standards may enable a smart grid, but also in assessing utility proposals for implementation. Such implementation will need to be based on sufficient maturity of a standard as demonstrated in standards-compliant commercially available products, effective technology transition plans to maintain reliable operations, and cost-effective deployment. The use of smart grid roadmaps and architectural reference models by utilities in the regulatory process can be an effective means to have an informed discussion among all the smart grid stakeholders, including customers, utilities, and technology and services providers, regarding adoption.

Intellectual Property Rights in Standards

FERC has also asked this panel to address lessons learned from industries within and outside the power sector. One lesson Cisco has learned by developing and implementing interoperability standards in the networking products our company makes, standards like Ethernet and WiFi, is about the importance of transparency and predictability of licensing terms for patents that are necessary to implement standards.

Implementing interoperability standards may require licenses to dozens or hundreds of patents per standard. Standards development organizations have intellectual property rights policies that specify that participants will license patents essential to implement standards on reasonable and non-discriminatory (“RAND”) terms. Unfortunately, there is no consensus on what licensing terms are reasonable. This leads to a situation in which businesses developing products that implement standards have very little visibility into licensing costs and terms.

As the SGIP process continues, it’s critical that participants in that process include information about IP licensing as part of their evaluation of which standards to recommend for industry adoption. Where we are considering the selection of an existing standard, knowing as much as possible about the IPR policy under which that standard was created will help industry participants make intelligent choices about which standards to select and regulators to adopt. Where SGIP recommends the creation of new standards, those standards should be developed under policies that provide participants and implementers of those standards with information about what patents will be essential to implement the standard and the terms under which licenses to those patents will be made available. Regulators need to consider the implications of the intellectual property rights within any standards under consideration for adoption.

Summary

In closing, Cisco is pleased to have been a significant contributor to the formation of the SGIP and an active participant leading to this key milestone. We believe the process has been robust and inclusive to achieve consensus. And while not always perfect, the demonstrated continuous improvement and solid governance will continue to ensure a quality outcome. So the discussion naturally shifts to how regulators and utility boards should consider adoption of standards. Cisco believes that for each standard proposed it is essential to consider the maturity of the standard in terms of successful implementation in commercially available product and cost-effective and technically sound utility adoption plans. Additionally, regulatory rulemaking should put the standards into the context of a holistic smart grid architecture, recognizing that these are the initial set of standards for adoption and that the standards will evolve over time, as will policy, and regulation should anticipate the evolution of technology, business and regulatory needs.


PREPARED STATEMENT OF ANDREW A. BOCHMAN

ENERGY SECURITY LEAD, IBM/RATIONAL

BEFORE THE

FEDERAL ENERGY REGULATORY COMMISSION

TECHNICAL CONFERENCE ON

SMART GRID INTEROPERABILITY STANDARDS

31 JANUARY 2011


Prepared Statement of Andrew A. Bochman IBM/Rational

January 31, 2011 Revision 2

Opening Remarks

Good afternoon, Chairman Wellinghoff, Commissioners, staff and all involved. I want to thank the Commission for convening this conference and for the opportunity to provide a few remarks. I’m Andy Bochman, a former Air Force communications and computer officer, veteran of several cyber security start-up companies, and today am the Energy Security Lead for IBM Software Group’s Rational Division, which focuses on software tools. Here we work to ensure that the software out of which the Smart Grid is being constructed is secure. I’ve also been a blogger on energy topics since 2004, including the Smart Grid Security Blog (http://smartgridsecurity.blogspot.com) and DOD Energy Blog (http://dodenergy.blogspot.com), and a member of government and industry working groups including NIST’s Smart Grid Cyber Security (CSWG), and the Grid Wise Alliance group on Smart Grid Interoperability and Security.

With FERC poised to recommend these standards for consideration, there’s a distinct possibility that State Public Utility Commissions (PUCs) and other regulatory organizations might quickly promote them to fill what they see as a void in guidance. But I ask you to consider the activities that led to the development of these draft standards a thorough learning and warm-up exercise that puts us in excellent position to now get it right. Actually, this is my main point. As this panel’s task is to consider and comment on the future of these processes, I suggest we allow enough additional time going forward to do two things: 1) to adjust how we do this job based on what we’ve learned to date, and 2) to set future milestones that are aggressive, but not so aggressive that the quality of what we build suffers.

I will now touch on some of the topics we were asked to consider:

How changes to existing NIST processes for identifying standards for consideration will promote: information sharing, transparency and consensus development.

AB: My experience with this standards development process has been that it provides all three of these desirable attributes in abundance. Community members have as much access, and as loud a voice, as their time, energy and experience allow.

Role of the SGIP committees and working groups in providing input for development and identification


AB: It seems to me that providing thoughtful input is what these groups are all about. I’ve had direct experience with the CSWG and some of its sub-groups, have participated in conference calls and reviewed drafts. It’s amazing how dedicated these teams of experts are at getting the standards fleshed out as quickly, accurately and comprehensively as possible.

Miscellaneous

AB: The time and expert human capital required to do this work well are substantial. The standards before us today have not had nearly enough cyber security scrutiny as evidenced by the fact that experts and informed laypersons alike have found glaring security problems with them. Regarding legacy integration, I’d like to cite this warning from Erich Gunther, Founder and CTO of Enernex, something I included on my blog in 2010:

One must keep in mind that there will be far more poorly coded, totally untrustworthy firmware and software in the field for decades (that’s the existing installed base) than new, more secure systems following sound development practices installed over the same time period. Dealing with this reality and the fact that the old stuff will not be ripped out should be a priority.

Lastly, my interactions with them reveal that power industry cyber security professionals have a wide range of familiarity with the SGIP and other security-related standards, with many dozens of highly skilled practitioners leading the way at our larger utilities, but with diminishing expertise and capabilities in smaller organizations.

In addition to these, here are three additional cyber security issues related to the five foundational standards and others that merit greater attention in the near-term:

Implementation of measurement/metrics for cyber security controls across the grid and Smart Grid

Greater emphasis on lab testing of new and updated products. And as Stuxnet showed us, we need greater attention to supply chain security issues.

Better forensics and preparations for recovery from successful cyber attacks by utilities and regional operators


It’s been an honor and a privilege to be a part of the community imagining and developing guidance for the future grid. While the interoperability and cyber security challenges are formidable, I believe the Smart Grid’s rewards greatly outweigh the risks. Given more time, I believe we have in us, collectively, the experience and expertise to craft guidance and standards that will ensure very strong outcomes for the grid and the nation. And FERC’s willingness to hear from the industry’s developers is a good indicator that the results will be positive.

Respectfully submitted,

Andrew A. Bochman
Energy Security Lead
IBM/Rational
1110 Beacon St, #1C
Brookline, MA 02446
Cell: 781 962 6845
Email: [email protected]