BEFORE THE PUBLIC UTILITIES COMMISSION OF THE STATE OF CALIFORNIA ) ) ) ) ) )



Similar documents
PREPARED DIRECT TESTIMONY OF SCOTT KING ON BEHALF OF SOUTHERN CALIFORNIA GAS COMPANY

Securing Distribution Automation

Cyber Security and Privacy - Program 183

ADVANCED DISTRIBUTION MANAGEMENT SYSTEMS OFFICE OF ELECTRICITY DELIVERY & ENERGY RELIABILITY SMART GRID R&D

Consulting International

Challenges and Opportunities for Aligning the Power System Cybersecurity and Reliability Objectives

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions June 4, Electric Grid Operations

Utility-Scale Applications of Microgrids: Moving Beyond Pilots Cyber Security

Information Bulletin

What is a PKI and Why Do We Need One?

FILED :59 PM

Direct Secure Messaging: Improving the Secure and Interoperable Exchange of Health Information

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions August 10, Electric Grid Operations

Introduction. Along with consulting, I previously. developing regulatory policy initiatives

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

This chapter provides an overview of cyber security issues and activities by state and federal organizations Cyber security is an ongoing, high

Panel Session: Lessons Learned in Smart Grid Cybersecurity

April 8, Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

SDG&E TA P TA Mee t Mee ing September 21, 2011

FILED :59 PM

Cybersecurity & Public Utility Commissions

Tehachapi Wind Energy Storage Project (TSP)

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR

EFFECTIVE APPROACHES TO CYBERSECURITY FOR UTILITIES TERRY M. JARRETT HEALY & HEALY ATTORNEYS AT LAW, LLC OCTOBER 24, 2013

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Securing the Electric Grid with Common Cyber Security Services Jeff Gooding

NIST Coordination and Acceleration of Smart Grid Standards. Tom Nelson National Institute of Standards and Technology 8 December, 2010

Cyber Infrastructure for the Smart Grid

Microgrid Technology: Enabling Energy Reliability and Security Opportunities in Campus, Commercial & Industrial Communities

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

National Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions. Electric Grid Operations

OEB Smart Grid Advisory Committee

future data and infrastructure

Facilitated Self-Evaluation v1.0

Summary of CIP Version 5 Standards

Notable Changes to NERC Reliability Standard CIP-010-3

ISACA rudens konference

NERC CIP VERSION 5 COMPLIANCE

April 28, Dear Mr. Chairman:

ISO/RTO Council Comments on National Institute of Standards and Technology Proposed Smart Grid Interoperability Standards

Deterrent and detection of smart grid meter tampering and theft of electricity, water, or gas

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network

Security Threats in Demo Steinkjer

Critical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order Improving Critical Infrastructure Cybersecurity

RE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity

Testimony of Patrick D. Gallagher, Ph.D. Deputy Director

Protect Your Assets. Cyber Security Engineering. Control Systems. Power Plants. Hurst Technologies

William Hery Research Professor, Computer Science and Engineering NYU-Poly

Risk Management in Practice A Guide for the Electric Sector

Symphony Plus Cyber security for the power and water industries

Advanced Inverter Overview

BEFORE THE PUBLIC UTILITIES COMMISSION OF THE STATE OF CALIFORNIA

Utility Telecom Forum. Robert Sill, CEO & President Aegis Technologies February 4, 2008

Introduction to the Cyber Security Working Group

Secure Machine to Machine Communication on the example of Smart Grids

Document ID. Cyber security for substation automation products and systems

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Human Resource (HR) and Security Awareness v1.0 September 25, 2013

DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE

National Institute of Standards and Technology Smart Grid Cybersecurity

NERC Cyber Security Standards

Microgrids. EEI TDM Meeting Charleston, South Carolina October 7, Neal Bartek Smart Grid Projects Manager

Cybersecurity Framework: Current Status and Next Steps

Big Data, Big Risk, Big Rewards. Hussein Syed

POLICIES TO MITIGATE CYBER RISK

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

Secure Remote Substation Access Interest Group Part 3: Review of Top Challenges, CIPv5 mapping, and looking forward to 2014!

Cyber Security. Doug Houseman Engineering Consulting Research. Modeling Simulation Security. The Practical Grid Visionaries TM

IEEE-Northwest Energy Systems Symposium (NWESS)

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

DEMAND RESPONSE EMERGING TECHNOLOGIES PROGRAM SEMI-ANNUAL REPORT 2013

CAISO Information Security Requirements for the Energy Communication Network (ECN)

Future-proofing Your Utility: Interoperability In-house and Out An Intelligent Utility Reality Webcast

Fundamental Issues: Nuclear Generators Lead Cyber Security

/ gridsecurity Cyber Security Global solutions for energy automation Answers for infrastructure and cities.

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

Cyber Security focus in ABB: a Key issue. 03 Luglio 2014, Roma 1 Conferenza Nazionale Cyber Security Marco Biancardi, ABB SpA, Power System Division

Navigate Your Way to NERC Compliance

The silver lining: Getting value and mitigating risk in cloud computing

CIP Supply Chain Risk Management (RM ) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016

Secure Remote Substation Access Solutions

Cybersecurity Risk Assessment in Smart Grids

Information for Agents and Brokers Regarding the HIPAA Business Associate Agreement

Ofcom guidance on security requirements in sections 105A to D of the Communications Act 2003

Energy Systems Integration

AD FERC Technical Conference February 8, 2011 Statement of Ron Litzinger. President, Southern California Edison Company

Building Insecurity Lisa Kaiser

CSMS. Cyber Security Management System. Conformity Assessment Scheme

Moving Towards the Smart Grid. Southern California Edison s Advanced Metering Infrastructure (AMI) Program

Appropriate security measures for smart grids

Chair Mays, Co-Vice Chair Fox, Co-Vice Chair Whitfield and Members of the Committee:

Framework for Improving Critical Infrastructure Cybersecurity

SYMANTEC NON-FEDERAL SHARED SERVICE PROVIDER PKI SERVICE DESCRIPTION

TRANSMISSION MAINTENANCE COORDINATION COMMITTEE (TMCC) MINUTES January 16, 2014 Meeting from ISO Headquarters Folsom, California

Next Generation Grid Data Architecture & Analytics Required for the Future Grid

Preparing for Distributed Energy Resources

Docket No. DHS , Notice of Request for Public Comment Regarding Information Sharing and Analysis Organizations

Concept for a cryptographic infrastructure for measurement components in smart grids

How To Write A Cybersecurity Framework

Transcription:

BEFORE THE PUBLIC UTILITIES COMMISSION OF THE STATE OF CALIFORNIA Order Instituting Rulemaking on the Commission s Own Motion to Improve Distribution Level Interconnection Rules and Regulations for Certain Classes of Electric Generators and Electric Storage Resources. Rulemaking 11-09-011 (Filed September 22, 2011 COMMENTS OF SAN DIEGO GAS & ELECTRIC COMPANY (U 902-E ON SMART INVERTER WORKING GROUP PHASE 2 COMMUNICATIONS PROTOCOLS November 10, 2014 Jonathan J. Newlander Attorney for SAN DIEGO GAS & ELECTRIC COMPANY 101 Ash Street, HQ12 San Diego, CA 92101 Phone: 619-699-5047 Fax: 619-699-5027 E-mail: jnewlander@semprautilities.com

BEFORE THE PUBLIC UTILITIES COMMISSION OF THE STATE OF CALIFORNIA Order Instituting Rulemaking on the Commission s Own Motion to Improve Distribution Level Interconnection Rules and Regulations for Certain Classes of Electric Generators and Electric Storage Resources. Rulemaking 11-09-011 (Filed September 22, 2011 COMMENTS OF SAN DIEGO GAS & ELECTRIC COMPANY (U 902-E ON SMART INVERTER WORKING GROUP PHASE 2 COMMUNICATIONS PROTOCOLS San Diego Gas & Electric Company ( SDG&E submits comments, herein, pursuant to a request for comments on the Smart Inverter Working Group Phase 2 Communications Protocols agenda for a workshop which occurred on October 27, 2014. The smart inverter effort is contained within the California Public Utility Commission s ( CPUC s Rulemaking ( R. 11-09-011. Pursuant to an email from Energy Division Staff dated November 6, 2014, these comments will be served to the service list for the applicable rulemaking but will not be filed. SDG&Es comments focus on the document entitled Recommendations for Utility Communications with Distributed Energy Resources (DER Systems with Smart Inverters Smart Inverter Working Group Phase 2 Recommendations Draft Version 2, updated October 22, 2014 ( Phase 2 Draft. I. COMMUNICATION PROTOCOL COMMENTS SDG&E appreciates the opportunity to provide comments on the Phase 2 Draft created as part of the Smart Inverter Working Group ( SIWG. SDG&E looks forward to continued involvement in the SIWG and expects the document to evolve as parties continue to participate in the reoccurring calls between stakeholders. At this time SDG&E would like to make preliminary recommendations on how the document could be improved. 1

As a general rule, SDG&E suggests additional clarity such as defining the terms used. For example, data profiles should be specific in defining what qualifies as a profile. This might be the complete specification at all levels of the stack. Similarly, there should not be ambiguity in the specification of data models or service definitions. Below SDG&E comments on certain specific recommendations set forth in the identified sections of the Phase 2 Draft and which should be discussed by the SIWG: II. Section 3: In addition to Transport level protocols, the on-the wire formatting and encoding scheme should be specified. Section 4 Real Power DER Functions: The scheduling of energy storage devices is of high importance to maintain reliability of the distribution system. Section 4 - DER Response to Emergencies: Utility receives notification that a microgrid disconnected or reconnected from the utility grid. (L This should be of High importance. Knowledge that a microgrid is connected to the utility grid during an outage is imperative in maintaining worker safety. Section 5.1.2 - Notification of Alarms: Stakeholders should reexamine in order to determine what requirements are required for utility notification of alarms. Utility needs are likely less than that of the plant operator or maintainer. Utility needs are best expressed in terms of a de-rating of plant capabilities. Section 5.2.1 - Administrative Information for Aggregators: Utilities need administrative processes and messages determined for all resource types and not just aggregators. Section 5.3: States, Performance: Real time capabilities, e.g. 1 10 second interactions, high availability. This should be modified to state that this is near real-time. Additionally, there are also other timing issues in this section that may merit further examination by the SIWG to ensure that they can be met. CYBERSECURITY AND PRIVACY COMMENTS SDG&E provides the following responses to the questions posed in Section 6 of the SIWG document. A. What are the utility security policies for interacting with non utility sites and equipment where the data to be exchange has operational impacts? SDG&E does not have a security policy or standard specific to interactions with non-utility sites and equipment, but SDG&E has cybersecurity policies and requirements that are based upon industry best practices, frameworks, and regulatory requirements, 2

such as NIST 800-53, NERC CIP, and NISTIR 7628. The goal for future interactions is to meet or exceed those established baseline level of security controls centered around ensuring integrity, AAA, availability, confidentiality and privacy of our customers. B. What utility security procedures must be followed by such non utility sites in order for operational data to be exchanged? In particular, how can new DER sites be "registered" and tested for security compliance? SDG&E s practice when commissioning a new SDG&E owned/operated DER site is to assign a cross functional team to address the various areas of expertise required. This includes both IT and OT personnel. The IT team includes a cybersecurity subject matter expert ( SME whose function is to ensure the DER site meets applicable cybersecurity requirements. The cybersecurity SME also tests the various DER components and their associated cybersecurity controls to ensure risks have not been introduced and all cybersecurity requirements have been met. In response to how DER sites can be registered and tested for security compliance, the closest example of this happening today is how customers register Home Area Network devices to be associated with their Smart Meters. The existing HAN device testing process might be able to serve as a starting point for establishing a future streamlined DER registration process. A key aspect of that process which currently helps ensure cybersecurity requirements are met for HAN devices is the 3rd party accreditation/conformance testing which includes cybersecurity test cases. This may be one starting point but further analysis is required to determine if this the best approach. C. Are there different security requirements for different types of sites, e.g. small < 10 MW DER sites versus > 10 MW sites? All sites, regardless of MW size, should be held to a baseline level of security requirements. The safety of SDG&E s customers and employees, the reliability of the grid, and privacy of customers data are top priorities. Additional security requirements may be appropriate for larger sites. D. Have these security policies and procedures been clearly established or are they still being worked on? 3

Cybersecurity requirements have been established based upon industry best practices, frameworks, and regulatory requirements. No specific DER site policies and procedures have been established as such. The SIWG should investigate already established cybersecurity industry best practices and set a baseline level of cybersecurity requirements for smart inverters. E. Are there specific security technologies that must be used? Are there specific technologies that must not be used? SDG&E s cybersecurity approach to technology selections is to be vendor agnostic as much as possible while adopting open standards to ensure interoperability. The goal is to meet requirements. The specific vendor or technology acting as the control to meet the requirement should not matter as long as interoperability is maintained. F. Some security technologies are specific to different communication protocols are there preferred protocols from a security perspective? SDG&E does not have a preferred protocol from a security perspective as long as cybersecurity requirements are met and interoperability is maintained. Introducing automation and improving efficiencies where possible is preferable but not at the expense of security or interoperability. SEP 2.0 may provide a good starting point for the discussion. G. Is there agreement that at least authentication and data integrity must be ensured? Yes, data integrity needs to be ensured as operational decisions are being made based upon this data. Authentication is a key consideration when control capabilities are involved as this could potentially impact customer/employee safety and grid reliability. H. When should non repudiation / accountability be ensured? Authentication, authorization, and accounting (aka accountability should always be ensured. Non-repudiation would be a good control to include, although it can be difficult to implement, manage, and maintain, especially in consumer/customer devices. I. When should confidentiality be ensured? Ensuring the privacy and confidentiality of customers data is a top priority of SDG&E, and should be maintained always. Encryption should be used based upon the situation and scenario (such as RF communications and public internet communications. 4

J. How is key management expected to be handled? PKI? What Certificate Authorities can/must be used? Key management is not an easy task. However, it is an important process in PKI to maintain the chain of trust. SDG&E suggests looking at how key management is outlined in other established industry best practices (such as SEP 2.0 and using those as a starting point. K. Will Role based Access Control (RBAC be used to constrain the permitted actions? RBAC is a type of an authorization control normally associated with human owned accounts (or end users; e.g. read only, operator, engineer, etc.. Non interactive accounts (sometimes called functional, service, or application accounts can use RBAC authorization; however function Access Control Lists (ACLs could potentially be leveraged. SDG&E would like high level authorization controls to be included in the specification. Investigating the use of digital certificates over the use of stored user names and passwords for authentication and authorization controls should be pursued. L. Are these cyber security requirements accepted by all California utilities or are there major differences? SDG&E cannot speak on behalf of the other utilities. SDG&E believes, however, that the California IOUs leverage already established standards, frameworks, and regulatory requirements and would use those as a starting point for the discussion (such as SEP 2.0, IEC 62443, NERC CIP, NISTIR 7628, NIST 800-53. M. What other cyber security issues need to be resolved? The SIWG should examine the storage of secrets (password, keys, digital certificates, etc. on any consumer or customer device because safeguarding such information is essential to maintaining system security. Disabling developer or manufacturer ports/inputs such as JTAGs, serial ports can lead to easy extraction of firmware, secrets, and memory. Since physical security of consumer and/or customers premise devices cannot be guaranteed, security of ports and inputs becomes critical. It may be worthwhile to investigate a third party conformance process (similar to the testing HAN devices to ensure Smart Inverter devices are free from major 5

III. cybersecurity vulnerabilities and conform to the other specifications (protocols, functional use cases, etc.. CONCLUSION SDG&E appreciates the opportunity to provide the foregoing comments. November 10, 2014 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information