Regulators’ Role in Smart Grid Security: What They Want to Know by Alan Rivaldo Public Utility Commission of Texas

Published in: Technology, Business
Speaker notes:
  • Disclaimer – the views expressed are not those of the commission or any commissioner – they are solely mine.
  • Conflicts at the federal level can trickle down to the states.
  • SAIDI = System Average Interruption Duration Index; SAIFI = System Average Interruption Frequency Index
  • If hackers DO have checklists, it’s “launch Metasploit – CHECK!”, “launch exploit – CHECK!” “Turn off the lights - CHECK!” “Brag about what I did on Facebook - CHECK!”
  • SGIP = Smart Grid Interoperability Panel; UCAIug = Utility Communications Architecture International User’s Group
Transcript of "Regulators’ Role in Smart Grid Security: What They Want to Know" by Alan Rivaldo, Public Utility Commission of Texas

    1. Title slide
    Regulators’ Role in Smart Grid Security: What They Want to Know
    Alan Rivaldo, Public Utility Commission of Texas
    2. BACKGROUND
    • Utilities are typically monopolies and therefore are highly regulated.
    • Unlike with most other stock investments, for the most part utility investors are guaranteed a certain rate of return on their investment.
    • Any capital investments made by utilities are ultimately paid by ratepayers… their customers.

    3. CUSTOMERS AND REGULATORS
    • Therefore, customers need to know what they are getting and how much they’re paying for it.
    • Customers are typically disengaged from the process (at least beyond the bottom line on their utility bill).
    • Regulators are the ones who are charged with knowing about the capital expenditures made by utilities.

    4. RATE CASES
    • Utilities recapture capital investments through rate cases
    • Rate cases are conducted in open hearings
    • This process is nothing new: ~100 years
    • Any infrastructure:
      • Water and Wastewater
      • Electric service

    5. WHAT IS NEW?
    • In the past few years, commissions became aware of cybersecurity as a pressing issue.
    • Unfortunately, some awareness has come in the form of alarmist reports in the media:
      • Mass outages
      • Chaos
      • Imminent take-overs by foreign governments

    6. WHAT’S NOT SO NEW?
    • Risk that legislatures may overreact
    • Try to pass “comprehensive bills” that may:
      • Cause unintended consequences
      • Impede meaningful progress
      • Interfere with commission direction
    • Classic conflict: legislative vs. executive

    7. THE CHALLENGE
    • Utilities have difficulties finding qualified, knowledgeable staff for energy operations.
    • Commissions are in the same position; engineers have to be recruited from an industry in which there traditionally hasn’t been much turnover.

    8. THE CHALLENGE (CONT.)
    • States’ budgets are being cut
    • Recruiting from industry and the private sector is a challenge
    • PUC staff knowledge limited to conventional energy operations technologies
      • Electromechanical devices
      • Not advanced, data-intensive technologies

    9. WHAT TO DO?
    • Commissions train existing staff
    • Hire new people to ask intelligent questions of:
      • Utilities
      • Vendors
      • Staff within the agency
    • Ponder implications of technology on policy
    • Ponder implications of policy on technology

    10. ASK UTILITIES QUESTIONS: STRATEGY
    • What is your security strategy?
    • Update your security plans? How often?
    • Test your plans?
    • Have you conducted vulnerability assessment of:
      • Back Office information systems?
      • Control Systems?

    11. ASK UTILITIES QUESTIONS: RISK
    • How do you manage risk?
    • Use a Risk Management process?
    • How was it derived?
    • From DOE/NIST/NERC or some other authority?

    12. QUESTIONS: UTILITY ENGAGEMENT
    • Have you worked with Department of Homeland Security regarding cybersecurity?
    • Aware of… work with…
      • DHS National Cyber Security Division (NCSD)?
      • US-CERT? ICS-CERT? etc.
      • NESCO (National Electric Sector Cybersecurity Organization)
      • Law Enforcement, i.e. Fusion centers
      • Local chapter of InfraGard (FBI public private partnership)?
      • DOE, SANS, others?

    13. NERC CIP
    • We may ask about NERC CIP…
    • Not necessarily the utility’s status
    • NERC CIP is outside of a state’s jurisdiction
    • No double reporting or “double jeopardy”
    • NERC CIP compliance is only marginally interesting to state regulators. We care more about distribution: SAIDI and SAIFI
    • Upstream cybersecurity issues may have an impact upon SAIDI and SAIFI
    14. NERC CIP (CONT.)
    • NERC CIP is compliance-based. Commissions are compliance-focused out of tradition, but…
    • Compliance doesn’t ensure security.
    • Cybersecurity isn’t about checking boxes on a form.
    • “Hackers don’t have checklists”
    • Folks at utilities: Trying to get their CIP compliance paperwork in order to satisfy some NERC auditor
    • Hackers: Working diligently to upset the apple cart

    15. LESSONS FROM NERC CIP
    • PUCs are more interested in knowing how many resources a utility has tied up in doing NERC CIP compliance paperwork
    • Is NERC CIP compliance a value-added activity?
    • Compliance puts a utility only on the ground floor of security
    • Compliance doesn’t set a ceiling
    • Compliance makes security people contemplate the roof

    16. LESSONS FROM NERC CIP
    • Utilities have to graduate beyond compliance
    • Utilities should have compliance mastered by now, right?
    • Utilities must find their way up the stairs to a higher floor in the building
    • Compliance mindset vs. Security

    17. PERSONNEL
    • What kind of people do you have?
    • Individuals specifically assigned cybersecurity responsibility?
    • IT staff responsible for cybersecurity in energy operations?
    • Does energy operations have its own security staff?
    • What kind of training and experience does cybersecurity staff have?
    • Engaged in cybersecurity standards activities of:
      • NIST SGIP Cybersecurity Working Group?
      • NESCOR, UCAIug, NERC, etc.?

    18. PERSONNEL / VENDORS
    • What background checking is performed for those with access to key cyber components?
    • Vendors and other third parties that have access to key cyber systems
    • How are they vetted? How do you screen who has access to your systems? A lot of support comes from vendors and integrators.

    19. CAPITAL EXPENDITURES
    • Review: Commissions are tasked with approving surcharges in rate cases so that utilities can recoup the costs they have incurred by making capital expenditures on the infrastructure.
    • Is the equipment a utility buys robust when it comes to security? Will it continue to be robust in the future?
    • Traditional equipment lifetime is as long as 40 years.

    20. CAPITAL EXPENDITURES
    • Moving toward new paradigm
    • May call for more regular replacements of infrastructure components
    • Precedents: IT and mobile phone infrastructures
    • Will no longer be in terms of multiple decades
    • But anticipated replacement cycle won’t be as brisk as mobile phone infrastructure

    21. CAPITAL EXPENDITURES
    • Prefer not to have to replace devices at all
    • Hope/wish replacement won’t be for reasons of security
    • Smart Grid continues to evolve
    • More palatable reasons for replacement:
      • Expanded functionality
      • Larger quantity of data
      • Higher data rates

    22. CAPITAL EXPENDITURES/VENDORS
    • Regulators want assurance that:
      • Proposed investments are prudent
      • Solutions are cost effective
      • Firms hired by utilities are:
        • Capable
        • Reliable
        • Understand their ultimate responsibilities

    23. CAPITAL EXPENDITURES/VENDORS
    • Regulators want utilities to:
      • Do their due diligence when securing their infrastructure
      • Prove it
      • Hold their vendors accountable for doing their part
    • Everyone plays a role in security, and everyone should be accountable for holding up their end of the bargain.
    24. VENDORS
    • Regulators… and therefore the utilities… want:
      • To know that products and processes are secure
      • From concept to design to manufacture to deployment to support in the form of issuing of firmware updates, to the eventual decommissioning of these devices and systems.

    25. VENDORS AND UTILITIES
    [Diagram: “Realms of Security Assurance”; lifecycle stages Concept/Specification, Design/Development, Integration, Deployment, Operation and Maintenance, mapped against Product Suppliers, System Integrators (S.I.) and Utilities]

    26. VENDORS’ ROLE
    • Third-party assessment of products - proof
    • Installation of products - field testing of configured, deployed infrastructure
    • Deliver what was promised
    • Anything that touches or comes near a device is doing what it’s supposed to do
    • Maintain integrity of the data
    • Without latency

    27. UTILITY’S RESPONSIBILITIES
    • Ensure the safe and secure delivery of energy and energy-related data
    • Maintain the accuracy of the data being transmitted
    • Ensure data is handled with care
      • Secure
      • Policies in place and followed
    • Ensure customer privacy

    28. REVIEW
    • Commissions take a look at the numbers – we want to see what the public is… or will be… paying for.
    • If incorporating security costs a little bit more upfront, then that should be reflected in the numbers and filed in the rate case – preferably itemized, if possible.
    • At the same time, costs must be reasonable and reflect whatever level of risk is acceptable.

    29. REVIEW AND CONCLUSION
    • We must accept that risk is inevitable and cannot be completely eliminated – only mitigated to an acceptable level.
    • Risk is difficult to calculate, but commissions want to know how you made your determinations; make us a part of the process.
    • We all play a role in security.