By John M. Shaw, GarrettCom
On the surface, North American Electric Reliability Corp. (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards and the implementation of the smart grid appear to be complementary and interrelated. Both deal with the expansion and integration of advanced information technologies and communications into utility operations. Smart grid technologies deal with controlling customers’ electricity use and broadly impact the reliability and efficiency of power distribution as electricity applications become ever more embedded in daily lives and critical business operations. Thus, the smart grid needs to be made secure from invasive cyberthreats, misuse and careless operations. The NERC CIP cybersecurity standards are the most visible reference model for how this system integrity should be achieved for advanced power grid operations, and thus would appear applicable to all smart grid infrastructure.
In practice, however, these initiatives are often less well-aligned, even disconnected. Some separateness is definitional; some deal with real technological differences and some with differences in regulatory treatments. There is no absolute need to coordinate many of the near-term smart grid and NERC CIP initiatives, but utilities can benefit from applying common practices across these areas, both short term and long term. In addition, policymakers can help these important initiatives reinforce each other rather than conflict.
Contrasts in Several Areas
The relationship between smart grid and NERC CIP depends a lot on how smart grid is defined. Broader definitions of smart grid encompass almost all applications of computer and communications technologies to improved grid operations, including backbone transmission systems and associated substation automation and phasor-measurement systems. Narrower definitions emphasize applications such as advanced-metering infrastructure (AMI), demand response (DR) and distribution outage management (OM)—all dealing more at the distribution level of the power system. AMI is the most visible of the smart grid initiatives, involving smart meters, residential gateways, home area networks and direct interaction with customer power usage.
By statute, the Federal Energy Regulatory Commission’s (FERC’s) mandates on NERC CIP standards are applicable only to the bulk electrical system (BES). With the current Phase 1 standards, many utilities further interpret the applicable “critical assets” as involving only the higher levels of the transmission hierarchy—the largest substations serving the high-voltage backbone of the transmission network. So the most visible smart grid initiatives (distribution-focused) vs. mandated NERC CIP compliance (BES) largely apply to different parts of the power system, and, in many cases, to different operating companies.
This separation of the CIP and smart grid initiatives is exacerbated by the efforts of many utilities to minimize the scope of NERC CIP compliance, even to the point of total avoidance, spurred on by the punitive orientation of the NERC CIP compliance framework. Minimizing the scope of CIP compliance involves minimizing the number of critical substations and avoiding the classification of critical assets as cyberassets by not having dial-up or routable (IP protocol) connections to critical substations. To avoid costly CIP compliance obligations such as upgrades to substation physical security, some utilities disconnect existing dial-up or IP-based connections to substations or use legacy nonroutable protocols to communicate with substation devices. This strategy might be called a CIP-avoidance strategy. It stands in sharp contrast to the spirit of smart grid and related stimulus legislation that specifically promotes pervasive use of open-architecture, IP-based communications.
NERC CIP also focuses primarily on utility-owned and -operated assets, particularly head-end systems and substation assets. By contrast, smart grid systems, particularly AMI and demand management applications, can include customer-owned devices and customer-operated communication networks. AMI and DR applications can deal with customer-specific proprietary information and consumer privacy issues not generally part of NERC CIP. AMI wide-area and neighborhood-area networks also often use third-party wireless communications services to connect with customer meters and gateways.
These wireless service providers will also need to participate in any comprehensive cybersecurity strategy. Such hybrid architectures raise security issues not directly addressed in current CIP standards, such as authentication of meters, assurance of meter firmware integrity and managing authorization for demand-management commands to customer-owned devices. Standards development occurs differently for CIP and the non-BES areas of smart grid (see table, page 20). While NERC cyberstandards began as a voluntary industry initiative, the Energy Policy Act of 2005 chartered FERC to create more rigorously defined standards and to establish enforcement mechanisms complete with audit procedures and a significant fine structure for noncompliance. To date, smart grid initiatives outside the BES have escaped this heavier hand. Market pressures almost certainly will force utilities to implement effective cybersecurity protections for such services that potentially impact customer privacy and even control of customer-owned assets. Such market-driven incentives, however, will leave greater flexibility in establishing standards for threat-management solutions.
An example of a smart grid industry-driven security framework is the Advanced Metering Infrastructure Security (AMI-SEC) Task Force, operating as part of the Utility Communications Architecture International Users Group (UCAIug). In a collaborative effort including the DOE, FERC, National Institute of Standards and Technology (NIST) and many utilities, AMI-SEC recently issued a requirements document and is working on common specifications for securing AMI system elements.
Commonalities and Potential Shared Opportunities
With the various contrasting factors, is there still a need for alignment or coordination among these initiatives? Why should utilities coordinate efforts, and how? There are several positive answers:
- Cybersecurity learning curves are similar;
- Many areas of threat overlap where process and technology best practices can commonly apply;
- Opportunity exists to share a common wide-area communication infrastructure, presuming that compliance issues do not interfere; and
- Potential exists for regulatory alignment, avoiding duplicative compliance structures and standards-development activities.
In many utilities, the transmission, distribution and related automation groups often involved with CIP, AMI projects or both have had relatively limited exposure to cybersecurity technologies, more limited than that of their counterparts in utility enterprise IT organizations. NERC CIP Phase 1 compliance is the first major initiative that forces utility T&D organizations to advance rapidly along this cybersecurity learning curve. While minimizing the scope of substations involved in initial compliance may be rational in the short term, total avoidance of Phase 1 compliance would be a lost opportunity to advance the level of organizational expertise in this critical area. Many security technology concepts incorporated in the procedural aspects of NERC CIP could be applied to the impending smart grid.
One area where security best practices will align from the start is head-end operations. For example, AMI and SCADA central system operations will draw heavily on similar enterprise IT system security best practices. Typical elements include the physical and electronic security perimeters for central systems, use of firewalls, server virus protection, network and host intrusion-detection systems, software and patch management, and secure system access management.
Establishing a secure access-management system (AMS) infrastructure is a major investment area for NERC CIP. AMS deals with personnel profiling and authentication, authorization and accounting (AAA) of each access event. AMS challenges include integration with enterprise AAA-related systems such as RADIUS, Microsoft Active Directory and RSA SecurID, integration with legacy substation devices (often with custom vendor/client applications from Schweitzer Engineering Laboratories Inc., General Electric Co., ABB and others), and keeping the access process simple for end users (rather than becoming an encumbrance to remote access). Systems such as CrossBow secure access-management software developed by Bow Networks, which were originally designed as productivity tools for remote substation device access, meet these three challenges while providing NERC CIP compliance-management tools.
Some utilities already are leveraging a secure AMS for more general use beyond CIP compliance. With smart grid, the number and dispersion of intelligent electronic devices (IEDs) will increase significantly. More IEDs will be deployed at distribution substations, within the distribution plant and at industrial customer sites. A common, secure AMS would assist remote-device administration, increasing operations and engineering staff productivity. A common AMS between smart grid and CIP would also pre-position the utility for stricter security-compliance guidelines should they come into place beyond the BES domain in the future.
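The AAA steps the article describes for remote substation-device access (authenticate the person, authorize the access against a device-level policy, account for every access event) can be sketched as a small policy check. The following is an added example written for this page; it is not code from the article, from GarrettCom or from any access-management product named above. The role table, device inventory and sample events are constructed, and the "second factor verified" flag stands in for whatever the enterprise AAA system (RADIUS, Active Directory, SecurID) actually returns.

```python
"""Added example (not from the article or any vendor product): a minimal
access-management check modelling the AAA steps for remote substation-device
access.  Roles, device names and the sample events are all constructed."""
from dataclasses import dataclass
from datetime import datetime

# Constructed authorization policy: which roles may reach which device classes.
ROLE_DEVICE_ACCESS = {
    "relay_engineer": {"protective_relay", "rtu"},
    "network_admin": {"substation_switch"},
    "meter_tech": {"ami_collector"},
}

# Constructed device inventory; cip_critical marks BES critical cyber assets.
DEVICES = {
    "SUB1-REL-01": {"class": "protective_relay", "cip_critical": True},
    "SUB1-SW-01": {"class": "substation_switch", "cip_critical": True},
    "DIST7-AMI-03": {"class": "ami_collector", "cip_critical": False},
}


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    role: str
    device: str
    mfa_verified: bool  # hypothetical result from the enterprise AAA server
    action: str


def authorize(event):
    """Return (allowed, reason).  Authentication must have completed with a
    second factor, and the user's role must be permitted for the device class."""
    dev = DEVICES.get(event.device)
    if dev is None:
        return False, "unknown device"
    if not event.mfa_verified:
        return False, "authentication incomplete (no second factor)"
    if dev["class"] not in ROLE_DEVICE_ACCESS.get(event.role, set()):
        return False, f"role {event.role} not authorized for {dev['class']}"
    return True, "ok"


def account(event, allowed, reason):
    """Accounting record written for every attempt, allowed or denied."""
    return {
        "ts": event.ts.isoformat(),
        "user": event.user,
        "device": event.device,
        "cip_critical": DEVICES.get(event.device, {}).get("cip_critical", False),
        "action": event.action,
        "allowed": allowed,
        "reason": reason,
    }


def process(events):
    """Run authorization over a batch of events and keep the accounting trail."""
    return [account(e, *authorize(e)) for e in events]


def critical_denials(records):
    """Audit view: denied attempts against CIP critical cyber assets."""
    return [r for r in records if r["cip_critical"] and not r["allowed"]]


# Constructed sample access events.
T0 = datetime(2009, 6, 1, 8, 0, 0)
SAMPLE_EVENTS = [
    AccessEvent(T0, "jdoe", "relay_engineer", "SUB1-REL-01", True, "read settings"),
    AccessEvent(T0, "asmith", "meter_tech", "SUB1-REL-01", True, "read settings"),
    AccessEvent(T0, "jdoe", "relay_engineer", "SUB1-SW-01", False, "show config"),
    AccessEvent(T0, "asmith", "meter_tech", "DIST7-AMI-03", True, "read counters"),
    AccessEvent(T0, "bnet", "network_admin", "SUB9-UNKNOWN", True, "show config"),
]

if __name__ == "__main__":
    for rec in process(SAMPLE_EVENTS):
        print(rec)
    print("denied attempts on CIP critical assets:",
          len(critical_denials(process(SAMPLE_EVENTS))))
```

The point of keeping `account` separate from `authorize` is that denied attempts are recorded with the same fidelity as successful ones; the `critical_denials` view is the kind of report a CIP compliance reviewer asks for, and the same records serve non-CIP distribution devices without a second system.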
Another immediate opportunity is to share wide area network (WAN) infrastructure among substations and control centers across traditional substation automation and newer smart grid applications. While some AMI systems will use cellular carrier services or other third-party wireless services for WAN communications, many other utilities will implement private communications networks to backhaul communications from utility-owned neighborhood area networks, both private wireless networks and broadband power line systems. A private AMI backhaul infrastructure typically will use substations as concentration points. This provides an opportunity for using a shared, IP-based communications infrastructure among AMI, SCADA and other applications. Because the AMI applications will be IP-based, such shared substation networks will often become subject to CIP compliance. Substation-ready networking products exist and are capable of combining legacy and IP networking, quality-of-service provisions for sharing networks among operational and nonoperational applications, and essential perimeter and access security functions required for CIP.
A potential constraint on sharing a WAN would be a regressive CIP-avoidance strategy that intentionally limits IP connectivity to substations to meet the July 1 Phase 1 CIP deadlines. Phase 2 NERC CIP standards are already being drafted, which likely will drive NERC CIP applicability down further throughout the transmission hierarchy, creating more points of potential overlap among CIP critical substations and AMI backhaul points. In the near term, utilities have options to move forward with WAN deployments while still minimizing CIP scope. Utilities could deploy IP-based networks to substations for AMI backhaul and not link in CIP critical cyberassets. This approach prepares utilities for full CIP compliance when provisions are more flexible or when more time exists to address full-compliance requirements. Similarly, utilities could deploy WAN technologies that use nonroutable protocol techniques (e.g., SCADA frame forwarding) as an immediate network modernization step, but they should ensure that any such technologies are capable of simple upgrades to IP networking and CIP compliance as substation requirements evolve.
A final area for coordinated smart grid and CIP activity is ongoing standards setting. NERC CIP Phase 2 standards are now being drafted. They likely will be made more broadly applicable within transmission systems but may set different levels of threat for different kinds of assets and provide some greater flexibility for lower-risk situations. Important for smart grid integration, this might create more flexibility at lower levels of the transmission hierarchy where more overlap likely exists with backhaul applications for AMI, DR and OM. Phase 2 standards may also take a more systems-oriented approach, more closely examining how devices and systems are interconnected within an enterprise with associated, more indirect and complex paths for cyberattacks. This systems orientation could expand CIP into areas of smart grid not usually thought of as impacting BES reliability.
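The scoping rule the article describes (a critical asset becomes a critical cyber asset when it has routable or dial-up connectivity) and the interim approach of bringing IP to a substation for AMI backhaul without linking in the critical cyber assets can both be checked against a network inventory before a link is added. The following is an added example for this page, not code from the article or from any networking vendor. The node names, zones and links are constructed; a link is modelled as `"ip"` (routable), `"serial"` (nonroutable, e.g. SCADA frame forwarding) or `"dialup"`, and the check flags any critical asset that acquires routable or dial-up connectivity as well as any routable path from the AMI or corporate side into a critical asset.

```python
"""Added example (not from the article): a topology check for the
'IP backhaul to the substation without linking CIP critical cyber assets'
approach.  All node names, zones and links below are constructed."""
from collections import deque

# Constructed inventory.  critical=True marks a CIP critical asset.
NODES = {
    "CORP-WAN": {"zone": "corporate"},
    "AMI-HEADEND": {"zone": "ami"},
    "SUB1-ROUTER": {"zone": "substation_lan"},
    "SUB1-AMI-COLLECTOR": {"zone": "ami"},
    "SUB1-RELAY-A": {"zone": "critical", "critical": True},
    "SUB1-SCADA-GW": {"zone": "critical", "critical": True},
    "CONTROL-CENTER": {"zone": "control"},
}

# Constructed links: (endpoint, endpoint, kind) with kind in {ip, serial, dialup}.
LINKS = [
    ("CORP-WAN", "AMI-HEADEND", "ip"),
    ("AMI-HEADEND", "SUB1-ROUTER", "ip"),
    ("SUB1-ROUTER", "SUB1-AMI-COLLECTOR", "ip"),
    ("CONTROL-CENTER", "SUB1-SCADA-GW", "serial"),
    ("SUB1-SCADA-GW", "SUB1-RELAY-A", "serial"),
]

# A hypothetical change request: put the SCADA gateway on the substation LAN.
PROPOSED_LINK = ("SUB1-ROUTER", "SUB1-SCADA-GW", "ip")

# Zones from which a routable path to a critical asset is not acceptable.
UNTRUSTED_ZONES = {"ami", "corporate"}


def routable_reach(start, links):
    """Breadth-first search over routable (IP) links only; serial and dial-up
    links do not extend the routable domain."""
    adj = {}
    for a, b, kind in links:
        if kind == "ip":
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def check(nodes, links):
    """Return a list of (subject, finding, detail) tuples; empty means the
    topology keeps critical assets off routable/dial-up connectivity and
    unreachable from AMI/corporate networks."""
    findings = []
    for name, attrs in nodes.items():
        if not attrs.get("critical"):
            continue
        touching = [l for l in links if name in l[:2] and l[2] in ("ip", "dialup")]
        if touching:
            findings.append((name, "critical asset has routable/dial-up connectivity", touching))
    for src, attrs in nodes.items():
        if attrs["zone"] not in UNTRUSTED_ZONES:
            continue
        hits = sorted(n for n in routable_reach(src, links) if nodes[n].get("critical"))
        if hits:
            findings.append((src, "routable path to critical asset", hits))
    return findings


if __name__ == "__main__":
    print("current topology:", check(NODES, LINKS))
    print("with proposed link:")
    for finding in check(NODES, LINKS + [PROPOSED_LINK]):
        print("  ", finding)
```

Run as-is, the current topology produces no findings: the AMI collector shares the substation router with nothing critical, and the SCADA gateway and relay are reached only over serial links. Adding the proposed IP link yields two kinds of findings, the gateway acquiring routable connectivity (the scoping trigger) and the AMI and corporate networks gaining a routable path to it, which is exactly the overlap the article warns will pull the shared substation network into CIP scope.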
As mentioned, cybersecurity standards activities for AMI and other areas typically outside BES operations are commonly set via open industry groups and voluntary adoption rather than a FERC/NERC mandate. Utilities can help align different standards and identify potential conflicts by becoming involved with industry initiatives where there are participants knowledgeable in NERC CIP developments. Also, these industry initiatives must be visible to policymakers and demonstrate that the DOE, NIST and other experts are helping shape smart grid policies. Confidence in these standards may preempt more heavy-handed NERC CIP-like compliance measures for non-BES applications.
NERC CIP and the smart grid have many common themes and objectives toward modernization of utility communications and automation systems. They also have many contrasting issues and often involve different individuals within utilities and, in some cases, different operating organizations altogether. The learning curve is too steep, the resources too precious and the time too short to not leverage common elements where practical.
How do smart grid and NERC CIP fit together? One must understand the differences and commonalities. Cybersecurity is an essential element of all smart grid initiatives. NERC CIP is a good start to defining cybersecurity strategies, and it is being refined constantly. But it applies to only part of smart grid operations. More attention is required in all areas. Utilities, technology suppliers and policymakers all have roles to accelerate the delivery of a secured, next-generation utility network.
John M. Shaw is executive vice president of GarrettCom Inc., a supplier of substation-hardened networking products. He has 30 years of experience in telecommunications including executive roles at network technology start-ups and large carrier-equipment suppliers. As director of data services at NYNEX (Verizon), he pioneered frame relay and fiber-based data services. He has extensive early-career experience with design and implementation of large-scale utility-grade data networks. Reach him at email@example.com.