Smart Grid America: Securing your network and customer data. Michael Assante Vice President and Chief Security Officer March 9, 2010

Transcription

1 Smart Grid America: Securing your network and customer data Michael Assante Vice President and Chief Security Officer March 9, 2010

2 About NERC The electric industry s self-regulatory organization for reliability Balances the interests of all stakeholders Represents industry consensus Independently acts in the best interest of reliability The regulator s electric reliability organization International charter lending government support and oversight to NERC activities, ensuring that the best interests of society-at-large are represented

3 CIP Standards Development NERC & stakeholders discussed framework limitations of the current CIP-002 approach FERC Order 706 Cyber Security Order 706 Standard Drafting Team posted revised version 4 of CIP-002 for comment (December 29, 2009) Develop and post the entire family of standard revisions Version 4 is targeted for submission to the NERC BoT by end of the year 2010

4 CIP DRAFT for informal comment DRAFT Highlights: Comment period concludes February 12, 2010 Includes criteria for evaluating potential impact on functions critical to the reliable operation of the BPS, organized in high, medium, and low impact categories Bright Line categorization (attachment 1) serves as the basis for applying security requirements (CIP Version 4) Shift from a one-size fits all approach to cyber security application to one that is better aligned with a strategy of risk management

5 BPS CIP Policy Statement NERC in consultation with the ESSG drafted initial policy statement for discussion purposes Purpose is to provide guidance on critical infrastructure protection, as well as response and restoration, and will serve to set expectations within NERC and its technical committees Used in communicating expectations with government partners

6 BPS CIP Policy Statement (Cont.) Places sharp focus on the following: Define and properly scope CIP concerns Reinforce the need to think differently about intelligent threats Policy will not be enforceable, but serve as a guide for NERC activities including potential standards setting Intend to recommend for board approval after opportunity for broad stakeholder comment

7 CIP Policy Statement Significant electric reliability concern is the potential for simultaneous impact to large portions of the bulk power system, from which restoration and recovery may be challenging and prolonged. Scope of concern (not all attacks/incidents) NERC and its members are committed to aligning current and future CIP protection efforts to minimize the risk of various cyber, physical, and blended scenarios from achieving these unacceptable outcomes.

8 BPS CIP Policy Statement (Cont.) Expectation of policy: Recognition that not all assets have the same protection priorities Should help bulk power system entities set expectations Properly balance increased security investments and cost of service Establish reasonable security protection goals. DHS QHSR Review: Understand and prioritize risks to critical infrastructure: Identify, attribute, and evaluate the most dangerous threats to critical infrastructure and those categories of critical infrastructure most at risk. Further develop an industry strength by practicing system recover & restoration

9 Smart Grid System Benefits Enhanced flexibility and control Balancing variable demand & resources (storage, PHEV, etc.) Demand response integration Large deployment of sensor & automation technologies (wide-area situational awareness) Voltage stability (transient & post-transient stability) Frequency regulation, oscillation damping Disturbance data monitoring/recording Integrating increased amounts of distribution-level assets (residential solar panels, PHEV, etc.) 9

10 Smart Grid Reliability Considerations Coordination of controls and protection systems Cyber security in planning, design, and operations Ability to maintain voltage and frequency control Disturbance ride-through (& intelligent reconnection) System inertia maintaining system stability Modeling harmonics, frequency response, controls Device interconnection standards Increased reliance on distribution-level assets to meet bulk system reliability requirements 10

11 Common Challenges Plug-In Hybrid Electric Vehicles / Storage Demand Response reliability Wind & Variable Generation Demand smart grid Conventional & Hydro Generation Energy Efficiency Nuclear Rooftop Solar / Local Wind Development cyber security Cyber security is one of the most important concerns for the 21 st century grid and must be central to policy 11and strategy. The potential for an attacker to access the system extends from meter to generator.

12 The Smart Grid Landscape The aggregate impacts of Smart Grid on the distribution system may impact the reliability of the bulk power system. Pass-through attacks from the distribution system may also present a threat to bulk power system reliability. AGGREGATE IMPACTS increasing uncertainty end users increasing maturity CFL HAN PHEV Smart Appliances AMI DG/DER DSM distribution PASS-THROUGH ATTACKS DSCADA IFM DSTATCOM PLC approx. 100 kv SHN DTM SST RTR BPS Bulk Power System utility-scale generation 12

13 Smart Grid Task Force Scope Identify and explain any BPS reliability issues and/or concerns of the Smart Grid Assess Smart Grid reliability characteristics Determine the cyber security and critical infrastructure protection implications Identify how the integration of Smart Grid technologies affects BPS planning, design and operational processes and the tools needed to maintain reliability Determine which existing NERC Reliability Standards may apply Provide recommendations for areas where Reliability Standards development work may be needed 13

14 Summary Policy level goals and scope for physical and cybersecurity protection of the bulk power system Proactive mitigation of security risks by the industry Minimum bright line criteria for identifying critical bulk power system assets Work with government to ensure availability of actionable information on security threats Promote incident reporting and conducting analysis to understand risk and develop lessons learned Communicate collective industry efforts to the government and public

15 Questions? Michael Assante