Regulators' Role in Smart Grid Security: What They Want to Know
Alan Rivaldo, Public Utility Commission of Texas

2. BACKGROUND
• Utilities are typically monopolies and therefore are highly regulated.
• Unlike with most other stock investments, for the most part utility investors are guaranteed a certain rate of return on their investment.
• Any capital investments made by utilities are ultimately paid by ratepayers, their customers.

3. CUSTOMERS AND REGULATORS
• Therefore, customers need to know what they are getting and how much they're paying for it.
• Customers are typically disengaged from the process (at least beyond the bottom line on their utility bill).
• Regulators are the ones who are charged with knowing about the capital expenditures made by utilities.

4. RATE CASES
• Utilities recapture capital investments through rate cases
• Rate cases are conducted in open hearings
• This process is nothing new: ~100 years
• Any infrastructure: water and wastewater, electric service

5. WHAT IS NEW?
• In the past few years, commissions became aware of cybersecurity as a pressing issue.
• Unfortunately, some awareness has come in the form of alarmist reports in the media: mass outages, chaos, imminent take-overs by foreign governments

6. WHAT'S NOT SO NEW?
• Risk that legislatures may overreact
• Try to pass comprehensive bills that may: cause unintended consequences, impede meaningful progress, interfere with commission direction
• Classic conflict: legislative vs. executive

7. THE CHALLENGE
• Utilities have difficulties finding qualified, knowledgeable staff for energy operations.
• Commissions are in the same position; engineers have to be recruited from an industry in which there traditionally hasn't been much turnover.

8. THE CHALLENGE (CONT.)
• States' budgets are being cut
• Recruiting from industry and the private sector is a challenge
• PUC staff knowledge is limited to conventional energy operations technologies: electromechanical devices, not advanced, data-intensive technologies

9. WHAT TO DO?
• Commissions train existing staff
• Hire new people to ask intelligent questions of: utilities, vendors, staff within the agency
• Ponder implications of technology on policy
• Ponder implications of policy on technology

10. ASK UTILITIES QUESTIONS: STRATEGY
• What is your security strategy?
• Update your security plans? How often?
• Test your plans?
• Have you conducted a vulnerability assessment of: back office information systems? control systems?

11. ASK UTILITIES QUESTIONS: RISK
• How do you manage risk?
• Use a Risk Management process?
• How was it derived? From DOE/NIST/NERC or some other authority?

12. QUESTIONS: UTILITY ENGAGEMENT
• Have you worked with the Department of Homeland Security regarding cybersecurity?
• Aware of work with DHS National Cyber Security Division (NCSD)? US-CERT? ICS-CERT? etc.
• NESCO (National Electric Sector Cybersecurity Organization)
• Law enforcement, e.g. Fusion centers
• Local chapter of InfraGard (FBI public-private partnership)?
• DOE, SANS, others?

13. NERC CIP
• We may ask about NERC CIP, not necessarily the utility's status
• NERC CIP is outside of a state's jurisdiction: no double reporting or double jeopardy
• NERC CIP compliance is only marginally interesting to state regulators. We care more about distribution: SAIDI and SAIFI
• Upstream cybersecurity issues may have an impact upon SAIDI and SAIFI

14. NERC CIP (CONT.)
• NERC CIP is compliance-based. Commissions are compliance-focused out of tradition, but compliance doesn't ensure security.
• Cybersecurity isn't about checking boxes on a form. Hackers don't have checklists
• Folks at utilities: trying to get their CIP compliance paperwork in order to satisfy some NERC auditor
• Hackers: working diligently to upset the apple cart

15. LESSONS FROM NERC CIP
• PUCs are more interested in knowing how many resources a utility has tied up in doing NERC CIP compliance paperwork
• Is NERC CIP compliance a value-added activity?
• Compliance puts a utility only on the ground floor of security
• Compliance doesn't set a ceiling
• Compliance makes security people contemplate the roof

16. LESSONS FROM NERC CIP
• Utilities have to graduate beyond compliance
• Utilities should have compliance mastered by now, right?
• Utilities must find their way up the stairs to a higher floor in the building
• Compliance mindset vs. security

17. PERSONNEL
• What kind of people do you have?
• Individuals specifically assigned cybersecurity responsibility?
• IT staff responsible for cybersecurity in energy operations?
• Does energy operations have its own security staff?
• What kind of training and experience does cybersecurity staff have?
• Engaged in cybersecurity standards activities of: NIST SGIP Cybersecurity Working Group? NESCOR, UCAIug, NERC, etc.?

18. PERSONNEL / VENDORS
• What background checking is performed for those with access to key cyber components?
• Vendors and other third parties that have access to key cyber systems: how are they vetted?
• How do you screen who has access to your systems?
• A lot of support comes from vendors and integrators.

19. CAPITAL EXPENDITURES
• Review: commissions are tasked with approving surcharges in rate cases so that utilities can recoup the costs they have incurred by making capital expenditures on the infrastructure.
• Is the equipment a utility buys robust when it comes to security?
• Will it continue to be robust in the future? Traditional equipment lifetime is as long as 40 years.

20. CAPITAL EXPENDITURES
• Moving toward a new paradigm: may call for more regular replacements of infrastructure components
• Precedents: IT and mobile phone infrastructures
• Will no longer be in terms of multiple decades
• But the anticipated replacement cycle won't be as brisk as mobile phone infrastructure

21. CAPITAL EXPENDITURES
• Prefer not to have to replace devices at all
• Hope/wish replacement won't be for reasons of security
• Smart Grid continues to evolve
• More palatable reasons for replacement: expanded functionality, larger quantity of data, higher data rates

22. CAPITAL EXPENDITURES/VENDORS
• Regulators want assurance that: proposed investments are prudent; solutions are cost effective
• Firms hired by utilities are: capable, reliable, and understand their ultimate responsibilities

23. CAPITAL EXPENDITURES/VENDORS
• Regulators want utilities to: do their due diligence when securing their infrastructure; prove it; hold their vendors accountable for doing their part
• Everyone plays a role in security, and everyone should be accountable for holding up their end of the bargain.

24. VENDORS
• Regulators, and therefore the utilities, want to know that products and processes are secure
• From concept to design to manufacture to deployment to support (in the form of issuing firmware updates) to the eventual decommissioning of these devices and systems.

25. VENDORS AND UTILITIES
[Diagram: "Realms of Security Assurance" across the lifecycle phases Concept/Specification, Design/Development, Integration, Deployment, Operation and Maintenance, mapped to Product Suppliers, System Integrators and Utilities]

26. VENDORS' ROLE
• Third-party assessment of products: proof
• Installation of products: field testing of configured, deployed infrastructure
• Deliver what was promised
• Anything that touches or comes near a device is doing what it's supposed to do
• Maintain integrity of the data, without latency

27. UTILITY'S RESPONSIBILITIES
• Ensure the safe and secure delivery of energy and energy-related data
• Maintain the accuracy of the data being transmitted
• Ensure data is handled with care
• Secure policies in place and followed
• Ensure customer privacy

28. REVIEW
• Commissions take a look at the numbers; we want to see what the public is or will be paying for.
• If incorporating security costs a little bit more upfront, then that should be reflected in the numbers and filed in the rate case, preferably itemized, if possible.
• At the same time, costs must be reasonable and reflect whatever level of risk is acceptable.

29. REVIEW AND CONCLUSION
• We must accept that risk is inevitable and cannot be completely eliminated, only mitigated to an acceptable level.
• Risk is difficult to calculate, but commissions want to know how you made your determinations; make us a part of the process.
• We all play a role in security.