San Antonio, TX, August 7, 2011 National Association of Regulatory Utility Commissioners Miles Keogh Christina Cody

Transcription

1 San Antonio, TX, August 7, 2011 National Association of Regulatory Utility Commissioners Miles Keogh Christina Cody

2 NARUC & Critical Infrastructure Committee Chair: Commissioner Elizabeth Fleming, South Carolina Public Service Commission Staff Subcommittee Chair: Thomas Pearce, Public Utilities Commission of Ohio Members from every region of the country Federal Funders: Department of Energy, Department of Homeland Security Today s funder: DHS Office of Infrastructure Protection Partnerships with FCC, EPA, NCS

3 Today s Agenda I. Threats i. Weather ii. Non-Weather iii. Human iv. Interdependencies II. Roles i. Emergency Response vs. Resilience ii. Federal iii. State iv. Information Protection, Information Management v. Cyber Security III. What you can do, as state legislators i. Action Items

4

5 Weather Spring Floods Almost all damage caused during Hurricane Katrina was due to flood; Entergy New Orleans infrastructure destroyed Wind Storm in Oregon and Washington, March 2011, bedeviled Seattle power supply for about a month Most damage caused by trees (need for vegetation management) REUTERS, Fort Calhoun flooded in Eastern Nebraska, June BELLINGHAM HERALD, Northwest Wind Storm Knocks Out Power, March, 2011.

6 Weather - Summer Fire Southern California wildfire, 2009 Enormous losses for PG&E, SDG&E Storms Every utility has a plan; Vegetation management is key

7 Weather - Fall Hurricanes Threat to Gulf region, source of oil and gas for entire country Damage mostly inflicted by flooding and debris / vegetation States may consider sufficient storm reserve fund Florida, 2008 Hurricane Katrina Picture Taken from Entergy New Orleans downtown offices

8 Weather - Winter Snow Snowmaggedon, Washington D.C. Ice SE Michigan/NW Ohio Ice Storm, February 2011 More than 84,600 customers lost power overnight Affected 40 of Consumer Power Co s 68 counties THE BLADE/JEREMY WADSWORTH, Toledo Edison works on a power line following an ice storm in Toledo, February, 2011

9 Weather Events How have your utilities respond to weather interruptions? Please share your experiences.

10 Non-Weather Events Earthquake Volcano Tsunami Geomagnetic Disturbance (GMD)

11 Human Impact Accidents/Negligence Workforce Pandemic Disruption to labor supply or key talent

12 Human - Intentional Physical Attacks Low tech. to high tech. Coordinated or wide-area attacks e.g. EMP Cyber Security

13 Cyber Security Threats are Increasing 13

14 Cyber Security Threats April / May 2007: Estonian economy largely shut down by cyberattacks originating in Russia over a statue of Stalin; 2009 cyber attacks of Georgia prompted NATO comments. In 2001, hackers penetrated the California Independent System Operator; attacks were routed through California, Oklahoma, and China. Ohio Davis-Besse nuclear power plant safety monitoring system was offline for 5 hours due to Slammer worm in January Aaron Caffrey, 19, brought down the Port of Houston in October, This is thought to be the first well-documented attack on critical U.S. infrastructure. In March 2005, security consultants within the electric industry reported that hackers were targeting the U.S. electric power grid and had gained access to U.S. utilities electronic control systems. In a few cases, these intrusions had caused an impact. In April 2009, the Wall Street Journal stated Chinese and other spies hacked into the U.S. electric grid and left behind computer programs that could allow them to disrupt service.

15 Aurora and STUXNET Aurora: an experiment to hack control systems and destroy a generator staged by the DOE and DHS STUXNET: a worm story with more intrigue and plot twists than a Tom Clancy novel The big question is whether/how to prioritize these concerns

16 We know security: what changed? Ubiquity of, and dependency on, networks A network is cheaper, faster, more effective, and ultimately more secure Ease of sophisticated attack Reliance on commercial software Evolution toward distributed networks Interdependencies between sectors

17 Cyber Security: Three Flavors Business Systems Control Systems Smart Grid 17 17

18 Interdependencies Interdependency The functional reliance of an essential service (e.g., networked utility service) on another network/system Disruption/outage in one area/sector has implications beyond that area/sector, and vice versa Maintaining Infrastructure integrity Requires systems-based thinking requires a focus on both security and reliability

19 Interdependencies Northeast Blackout, 2003 Hurricane Isabel, 2003 What are your experiences with interdependency issues?

20

21 Build Resilience

22 Reliability vs. Resilience We know how to plan for Utility System Reliability: Redundancy No choke points Diversity Critical Infrastructure Protection now also needs to include a focus on Security: Physical Insider Cyber Moreover, there is a shift in thinking from recovery (responding well) to resiliency (continuity of operations) as well 22

23 Local, State and Federal Jurisdiction Jurisdiction Over Energy Security Function Local State Federal Nuclear Power Plant Oversight X, for emergency response X, for emergency response X Ongoing Guarding of Energy Facilities X X, if National Guard X, in rare circumstances Freedom of Information Requests X X X Awareness of Energy System Vulnerabilities Pipeline Safety X X X X, Federal DOT Retail Electricity Products and Fuel Diversity X, for municipally owned utilities; for local government purchases X, through utility commissions, portfolio standards, incentives, funding and state purchase X, through tax incentives, federal government purchases Energy System Planning X, limited role X X Siting Certification X, in home rule states X X, for interstate pipelines only Emergency Management and Response First Response to Emergency X X X X Oversight of Energy Security Costs X, for municipal utilities X, through utility commissions under statutory authority X, for FERC-jurisdictional *Source: NCSL 2003 What has your experience been like compared with the above distribution of roles? How has it matched what is reflected above and how has it been different?

24 Department of Homeland Security Agency most directly concerned with direct threats to the nation s energy infrastructure, vulnerability assessments and responding to those threats Key Offices for Energy Security: FEMA Provides emergency support and coordination to local responders and citizens with a focus on essential human needs. Division of Information Analysis and Infrastructure Protection Determines security needs and priorities Supports state capacity building through training just like this Targets: vulnerabilities with catastrophic potential, e.g. nuclear power plants, chemical facilities, pipelines and ports Establish policy for standardized, tiered protective measures that address perceived threats DHS Office for State and Local Coordination Provides primary contact for training, equipment, planning and other critical response needs Coordinates communication systems from federal to state and local government levels Distributes research, technical support, warnings and other information to state governments

25 Other Roles DOE works to address strategic energy security issues through its efforts on electricity transmission, fuel diversity, energy supplies, research and development and other similar issues TSA lead federal agency for security of transportation, including pipelines Dept. of Commerce Office of Pipeline Safety regulates safetyrelated issues in pipelines FERC examines economic issues affecting security costs for utilities under its jurisdiction Non Feds: NERC, RTOs, Control Area Operators, Utilities

26 State Roles Governor s Office conducts overall emergency planning Emergency Management Agency provides primary emergency response Federal Lead Agencies (DOE, EPA, DHS) State Energy Offices State Legislatures Homeland Security, State Military or State Police prevents criminal and terrorist-caused disasters State Energy Office assures supplies of petroleum, heating oil, propane Other State Agencies Departments of health, environment, social or human services department, transportation departments At the local level Counties and Municipal Organizations Public Utility Commissions Utilities and Interdependent Systems Emergency Managers Other States Local Government Contracts Governors Offices State and Local Police; National Guard

27 Roles of Legislatures Establish Agency Regulatory Oversight: Reliability Planning Resource Diversity Manage information and authorize information protection Set liability Set rules for emergency situations Pricing, quarantine, evacuation, coordination What else?

28 Roles of PUC s Develop guidelines for cost recovery & evaluate utility investment prudence Manage sensitive information & disclosure concerns in accordance with FOIA procedures Establish methods for rapid information sharing & communication Review utility emergency response plans Provide regulatory oversight of reliability Participate in State emergency planning Understand utility interdependencies Engage in regional coordination and response Question: What s been your experience working with PUC s?

29 Roles of SEO, EMA and Governor Emergency Management coordinates functions of State agencies: emergency responders, law enforcement, public health, etc. Incident Response is dictated by Incident Command Structure. Online training for ICS is available and worthwhile Governor is ultimately politically responsible for State agencies, can declare states of emergency, deploy National Guard, is point of contact for other states & feds. State Energy Office helps avoid energy emergencies and builds and implements energy assurance plans. Tabletop exercises: get involved!

30 Information protection/ Information Management Connecting information with those who need it breeds success; Connecting information with those who want it for the wrong reasons is a recipe for disaster. What goes in the public record? What legal protections exist? What capacity exists to protect it from illegal or extra-legal exploitation?

31 Approaches to Information Protection 1. We can t protect it so don t share it. 2. We can t protect it onsite but can see it at your site 3. We can protect it in a special case 4. We can protect it within a standard case with a secure hearing 5. We can protect it as a matter of course Some of these approaches require people with specialized skills, clearances, or professional relationships 31

32

33 State Actions Seek Information and Education Review Utility Commission Enabling Statutes Recognize Importance of and Encourage Energy Efficiency and Demand Response Programs Review Utility Oversight Laws for Security Implications Review Statutes Governing Energy Office and Duties

34 State Actions Review Statutes Influencing Energy System Diversity and Redundancy Review Statutes Governing Freedom of Information Laws Reassess Laws and Procedures Governing Open Meetings Evaluate State Liability Statutes Ensure that Industry and/or State Agencies Have Conducted Appropriate Vulnerability Studies

35 State Actions Update Statutes Governing Emergency Response for Coordination, Delegation, Flexibility and Communication Examine Possible Unfair Pricing Legislation in Emergencies Cyber Security

36 Miles Keogh Christina Cody Director of Grants and Research Program Officer, Grants and Research

37 Four Steps To Building a Cyber Security Capability Additional Slides

38 Building a Cyber Security Capability Cyber security is not a one-time activity, like building a fence for protection. Because smart grid will be built over time, cyber security must also grow and evolve over time to address threats and vulnerabilities. For additional background information on cyber security see the NASEO Energy Assurance Guidelines (pages 23 to 29). A critical prerequisite to this is for State energy offices and public utility commissions to assign staff resources to cyber security on an ongoing basis. This might also be done using a team or taskforce approach. The National Association of Regulatory Commissioners also adopted a Resolution Regarding Cyber Security in February 2010 that states in part: That NARUC supports member commissions in becoming and remaining knowledgeable about these threats, and ensuring that their own staffs have the capability, training, and access to resources to adequately review and understand cyber security issues that enhances expertise in the review of cyber security aspects of filings by their jurisdictional utilities

39 Distinguish Between Utility Operations And National Defense / Law Enforcement Cyber secure utility operations is the domain of utilities. Defending against nation-state cyber attacks and cyber terrorism are national defense and law enforcement matters. Effective cyber security takes utility / regulator / federal agency (DHS, etc.) partnership.

40 A Five Step Process to Building Capability Step One Understand the State s internal cyber security profile. 1. Understand cyber security risks at work and at home. Many States and organizations have guidance available. For an example see: 2. Identify the individuals in the State who have the primary roles for addressing cyber security, and identify their roles and responsibilities. 3. Determine which State agency, if any, has lead and/or supporting roles and responsibilities in cyber security as it directly relates to smart grid implementation. 4. Know what the State s Continuity of Operations Plans (COOP) and disaster recovery strategies are that pertain to the essential cyber security systems. 5. Determine if it may be helpful to become a member of the FBI s InfraGard Program: 6. Become familiar with the U. S. Computer Emergency Readiness Team (US- CERT), which provides response support and defense against cyber attacks for the Federal Civil Executive Branch, as well as information sharing and collaboration 7. The SANS (SysAdmin, Audit, Network, Security) Institute is a good resource see:

41 Step Two Understand current cyber security for the energy sector. 1. Electricity and smart grid: NERC -- Standards CIP-002 through CIP-009 (the Critical Cyber Asset Identification portion of the Critical Infrastructure Protection Standards Section 1305 of Energy Independence and Security Act (EISA) 2007 defines the roles of both Federal Energy Regulatory Commission and NIST as they relate to the development and adoption of smart grid standards. The Act defines the Commission s role as: At any time after the Institute s work has led to sufficient consensus in the Commission s judgment, the Commission shall institute a rulemaking proceeding to adopt such standards and protocols as may be necessary to insure smart-grid functionality and interoperability in interstate transmission of electric power, and regional and wholesale electricity markets. 2. Understand the cyber security requirement for other parts of the energy sector including natural gas (pipeline safety standards) and the petroleum sector, because of the interdependency effects that need to be considered. 3. Under EISA 2007, NIST has "primary responsibility to coordinate development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems " One of the primary documents was issued in January 2010 and titled Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0 (Framework). The Framework identified 75 interoperability standards that are applicable, or are likely applicable, to the ongoing development of smart grid technologies and applications. NIST developed Guidelines for Smart Grid Cyber Security.

42 Step Three Understand future standards and guidelines currently under discussion and development, and how they may affect utilities plans for smart grid deployment 1. The Advanced Security Acceleration Project for the Smart Grid (ASAP-SG) is a utilitydriven, public-private collaborative among DOE, EPRI, and a large group of leading North American utilities. ASAP-SG is developing system-level security requirements for smart grid applications, such as advanced metering, third party access for customer usage data, distribution automation, home area networks, and synchrophasors. 2. Over the next three years, the National Electric Sector Cyber Security Organization (NESCO) will be working with the National Electric Sector Cyber Security Organization Resources (NESCOR) to lead a broad-based, public-private partnership to improve electric sector energy systems cyber security

43 Step Four Determine whether there are cyber security plans in place, and are they driven by State regulatory or Federal grants compliance or other policies and programs. 1. What requirement are not Standards driven? 2. Are there regulatory efforts underway at a State public utility commission to create audit, reporting and compliance obligations on cyber security for the utilities 3. Are there State policy and program that address cyber security? 4. How is your State approaching the public private partnerships as provided for in the National Infrastructure Protection framework and the Energy Sector Specific Plan 5. The ARRA Smart Grid Investment Grants program required utilities proposing projects to develop cyber security plans. These Grants require: A description of the cyber security risks at each stage of the system deployment lifecycle. Cyber security criteria used for vendor and device selection. Cyber security control strategies. Descriptions of residual cyber security risks. Relevant cyber security standards and best practices. Descriptions of how the projects will support/adopt/implement emerging smart grid security standards. 6. Public utility commissions need to address how regulated utilities will pay for the necessary infrastructure upgrades to meet the cyber security requirements