Regulators are tasked with approving utility capital expenditures and rate increases to recoup costs. With the smart grid, regulators want to understand utility security strategies, risks, personnel, and vendor relationships. Regulators ask utilities questions about security plans, vulnerability assessments, risk management processes, and staff training. They want to ensure expenditures are prudent and solutions are cost-effective while maintaining security accountability across utilities and vendors.

1. Alan Rivaldo
Public Utility Commission of Texas
Regulators’ Role in Smart Grid Security
What They Want to Know

2. BACKGROUND
• Utilities are typically monopolies and therefore
are highly regulated.
• Unlike with most other stock investments, for
the most part utility investors are guaranteed a
certain rate of return on their investment.
• Any capital investments made by utilities are
ultimately paid by ratepayers… their customers.
2

3. CUSTOMERS AND REGULATORS
• Therefore, customers need to know what they are
getting and how much they’re paying for it.
• Customers are typically disengaged from the
process (at least beyond the bottom line on
their utility bill).
• Regulators are the ones who are charged with
knowing about the capital expenditures made
by utilities.
3

4. RATE CASES
• Utilities recapture capital investments through
rate cases
• Rate cases are conducted in open hearings
• This process is nothing new: ~100 years
• Any infrastructure:
• Water and Wastewater
• Electric service
4

5. WHAT IS NEW?
• In past few years, commissions became aware of
cybersecurity as a pressing issue.
• Unfortunately, some awareness has come in the
form of alarmist reports in the media:
• Mass outages
• Chaos
• Imminent take-overs by foreign governments
5

6. WHAT’S NOT SO NEW?
• Risk that legislatures may overreact
• Try to pass “comprehensive bills” that may:
• Cause unintended consequences
• Impede meaningful progress
• Interfere with commission direction
• Classic conflict: legislative vs. executive
6

7. THE CHALLENGE
• Utilities have difficulties finding qualified,
knowledgeable staff for energy operations.
• Commissions are in the same position; engineers
have to be recruited from an industry in which
there traditionally hasn’t been much turnover.
7

8. THE CHALLENGE (CONT.)
• States’ budgets are being cut
• Recruiting from industry and the private sector
is a challenge
• PUC staff knowledge limited to conventional
energy operations technologies
• Electromechanical devices
• Not advanced, data-intensive technologies
8

9. WHAT TO DO?
• Commissions train existing staff
• Hire new people to ask intelligent questions of:
• Utilities
• Vendors
• Staff within the agency
• Ponder implications of technology on policy
• Ponder implications of policy on technology
9

10. ASK UTILITIES QUESTIONS: STRATEGY
• What is your security strategy?
• Update your security plans? How often?
• Test your plans?
• Have you conducted vulnerability assessment of:
• Back Office information systems?
• Control Systems?
10

11. ASK UTILITIES QUESTIONS: RISK
• How do you manage risk?
• Use a Risk Management process?
• How was it derived?
• From DOE/NIST/NERC or some other
authority?
11

12. QUESTIONS: UTILITY ENGAGEMENT
• Have you worked with Department of Homeland Security
regarding cybersecurity?
• Aware of… work with…
• DHS National Cyber Security Division (NCSD)?
• US-CERT? ICS-CERT? etc.
• NESCO (National Electric Sector Cybersecurity
Organization)
• Law Enforcement, i.e. Fusion centers
• Local chapter of InfraGard (FBI public private
partnership)?
• DOE, SANS, others?
12

13. NERC CIP
• We may ask about NERC CIP…
• Not necessarily the utility’s status
• NERC CIP is outside of a state’s jurisdiction
• No double reporting or “double jeopardy”
• NERC CIP compliance is only marginally
interesting to state regulators. We care more
about distribution: SAIDI and SAIFI
• Upstream cybersecurity issues may have an
impact upon SAIDI and SAIFI
13

14. NERC CIP (CONT.)
• NERC CIP is compliance-based. Commissions are
compliance-focused out of tradition, but…
• Compliance doesn’t ensure security.
• Cybersecurity isn’t about checking boxes on a form.
• “Hackers don’t have checklists”
• Folks at utilities: Trying to get their CIP compliance
paperwork in order to satisfy some NERC auditor
• Hackers: Working diligently to upset the apple cart
14

15. LESSONS FROM NERC CIP
• PUCs are more interested in knowing how many
resources a utility has tied up in doing NERC CIP
compliance paperwork
• Is NERC CIP compliance a value-added activity?
• Compliance puts a utility only on the ground floor
of security
• Compliance doesn’t set a ceiling
• Compliance makes security people contemplate
the roof
15

16. LESSONS FROM NERC CIP
• Utilities have to graduate beyond compliance
• Utilities should have compliance mastered by
now, right?
• Utilities must find their way up the stairs to a
higher floor in the building
• Compliance mindset vs. Security
16

17. PERSONNEL
• What kind of people do you have?
• Individuals specifically assigned cybersecurity
responsibility?
• IT staff responsible for cybersecurity in energy
operations?
• Does energy operations have its own security staff?
• What kind of training and experience does cybersecurity
staff have?
• Engaged in cybersecurity standards activities of:
• NIST SGIP Cybersecurity Working Group?
• NESCOR, UCAIug, NERC, etc.?
17

18. PERSONNEL / VENDORS
• What background checking is performed for
those with access to key cyber components?
• Vendors and other third-parties that have
access to key cyber systems
• How are they vetted? How do you screen who
has access to your systems? A lot of support
comes from vendors and integrators.
18

19. CAPITAL EXPENDITURES
• Review: Commissions are tasked with approving
surcharges in rate cases so that utilities can
recoup the costs they have incurred by making
capital expenditures on the infrastructure.
• Is the equipment a utility buys robust when it
comes to security? Will it continue to be robust
in the future?
• Traditional equipment lifetime is
as long as 40 years.
19

20. CAPITAL EXPENDITURES
• Moving toward new paradigm
• May call for more regular replacements of
infrastructure components
• Precedents: IT and mobile phone
infrastructures
• Will no longer be in terms of multiple
decades
• But anticipated replacement cycle won’t be
as brisk as mobile phone infrastructure
20

21. CAPITAL EXPENDITURES
• Prefer not to have to replace devices at all
• Hope/wish replacement won’t be
for reasons of security
• Smart Grid continues to evolve
• More palatable reasons for replacement:
• Expanded functionality
• Larger quantity of data
• Higher data rates
21

22. CAPITAL EXPENDITURES/VENDORS
• Regulators want assurance that:
• Proposed investments are prudent
• Solutions are cost effective
• Firms hired by utilities are:
• Capable
• Reliable
• Understand their ultimate responsibilities
22

23. CAPITAL EXPENDITURES/VENDORS
• Regulators want utilities to:
• Do their due diligence when securing their
infrastructure
• Prove it
• Hold their vendors accountable for doing their
part
• Everyone plays a role in security, and everyone
should be accountable for holding up their end of
the bargain.
23

24. VENDORS
• Regulators… and therefore the utilities… want:
• To know that products and processes are
secure
• From concept to design to manufacture to
deployment to support in the form of
issuing of firmware updates, to the eventual
decommissioning of these devices and
systems.
24

25. VENDORS AND UTILITIES
Concept/
Specification
Design/
Development
Integration Deployment Operation
Product Suppliers
System Integrators
Realms of Security Assurance
Utilities
Maintenance
S.I.
V
25

26. VENDORS’ ROLE
• Third-party assessment of products - proof
• Installation of products - field testing of
configured, deployed infrastructure
• Deliver what was promised
• Anything that touches or comes near a
device is doing what it’s supposed to do
• Maintain integrity of the data
• Without latency
26

27. UTILITY’S RESPONSIBILITIES
• Ensure the safe and secure delivery of energy and
energy-related data
• Maintain the accuracy of the data being
transmitted
• Ensure data is handled with care
• Secure
• Policies in place and followed
• Ensure customer privacy
27

28. REVIEW
• Commissions take a look at the numbers – we
want to see what the public is… or will be…
paying for.
• If incorporating security costs a little bit more
upfront, then that should be reflected in the
numbers and filed in the rate case – preferably
itemized, if possible.
• At the same time, costs must be reasonable and
reflect whatever level of risk is acceptable.
28

29. REVIEW AND CONCLUSION
• We must accept that risk is inevitable and cannot
be completely eliminated – only mitigated to an
acceptable level.
• Risk is difficult to calculate, but commissions
want to know how you made your
determinations; make us a part of the process.
• We all play a role in security.
29