By Terry Mohn, San Diego Gas & Electric and Southern California Gas Company
Demand response applications are coming under the same technical scrutiny as SCADA systems have over the past three years, primarily due to the fact that information wirelessly transfers between a business and electric system end-points. Over the years, demand response brokers counted upon either proprietary communication protocols, or counted on the fact it was such a small market that no one would notice that a communication system existed. With the renewed focus on customer privacy and confidentiality, this thinking will have to be revised. As with SCADA systems, the belief that “obscure communication techniques are sufficient protection” is no longer a persuasive argument.
The Energy Policy Act (EPAct) of 2005 was transformational for the utility industry in a number of ways. EPAct instructed FERC to approve and enforce rules to ensure the nation’s bulk power reliability. FERC developed an exhaustive description of Critical Infrastructure Protection (CIP) standards, even calling out certain security requirements for “systems and facilities critical to automatic load shedding under a common control system capable of shedding 300 MW or more.” It is easy to reason that both utilities and demand response brokers alike fall under this rule if the aggregated load exceeds 300 MW.
Utilities Interact with Home Area Networks
State regulators are asking investor-owned utilities to extend their advanced metering infrastructure (AMI) systems into the customer premises by including home area networks (HAN). A HAN will enable communication with digital devices that create or control energy use, like thermostats. Customers can then allow the utility to adjust their thermostat settings during peak times, helping to prevent rolling blackouts. This change in thermostat setting won’t dramatically affect comfort level for the short period of time it is in place. Assuredly, the utility control systems will comply with the CIP standards, too.
The utilities believe every demand response function from here on out will require securing the data stream. In addition, customer loads will need to authenticate the signal that tells them to curtail. This arrangement is becoming similar to other Internet applications, in that it uses encryption, authentication and authorization. This is full-blown cyber security for the next generation of AMI and demand response. Does anyone believe anything less than this rigor is needed for third-party demand response systems? Security through obscurity is a thing of the past.
Cyber Security Begins Inside the Business
The Internet is now a staple of every modern business. All new software product vendors expect corporate America, including utilities, to leverage Internet technologies. The ability to seamlessly integrate disparate applications is essential to quick introduction of new services to the consumer while keeping implementation costs down. The most common technique used for integration is called Service Oriented Architecture (SOA), which uses XML and web services. These technologies have been implemented routinely for the past two to three years within the protected areas of utility operations.
XML, as with HTML for the Internet, poses inherent security risks, in that XML is a human-readable text format. Unless encrypted, all data passing between applications will be viewable by a simple text viewer. Yet, to reduce implementation costs, utilities depend more and more on SOA “plug-and-play” applications and services. Security, and specifically cyber security, must be explicitly built into these systems. And, as utilities create their SOA, they must design security up-front. If a utility delegates demand response responsibility to a third-party broker, this same security rigor is required. Therefore, all parties in the demand response process must adhere to cyber security rules. More specifically and minimally, the CIP standards must apply across the board.
The Internet is a real enabler. The cell phone is the most popular communication device in history. And demand response has now evolved into the mobile space. One vendor recently announced that it supports customer load control over the customer’s cell phone. This vendor wants to help customers to reduce or shift energy consumption in real-time, leading to lower energy bills. Through this technology, the vendor will also enable the utility to deliver time-sensitive, actionable energy information directly to the customer’s cell phone and promote energy conservation. As innovation thrives, consumers are more empowered, while utilities become the trusted, cyber-secure, service provider.
Click here to enlarge image
Terry Mohn is a technology strategist for San Diego Gas & Electric and Southern California Gas Company. Sempra Energy-which includes San Diego Gas & Electric and Southern California Gas among its companies-is a member of the GridWise Alliance, a broad industry coalition committed to advocating changes discussed in this column. For more information, visit: www.gridwise.org