Senate Hearings on Smart Grid

I had an opportunity to listen to the Smart Grid Hearings held March 3 with the Senate Energy and Natural Resources Committee. NIST Director, Pat Gallagher, DOE’s Pat Hoffman, FERC Commissioner Kelly, Commissioner Butler of NARUC, Katherine Hamilton of the GridWise Alliance, Edward Lu of Google, and Evan Gaddis of NEMA testified. The link is at: http://energy.senate.gov/public/index.cfm?FuseAction=Hearings.Hearing&Hearing_ID=aa1ce631-aae4-f0e3-0756-d667268c8551. I was obviously interested in what was being said about cyber security and will focus on that.  It was gratifying to see that many presenters and Senators recognized the importance of cyber security. My observations were: -  FERC Commissioner Suedeen Kelly stated that NIST Standards were “good enough” for the Smart Grid. If they are good enough for the Smart Grid and for all federal agencies including federal utilities such as TVA, BPA, and WAPA, they should certainly be good enough for the NERC CIPs. She also made the connection between security and reliability which I thought was right on. She went on to state the need to coordinate across “people” boundaries – FERC (transmission) and NARUC (distribution). Hopefully, that same approach will be applied to the security of the equipment where the CIPs currently exclude distribution. - Senator Dorgan from North Dakota mentioned there should be demonstration projects for cyber – again, right on! - Senators Murkowsky and Cantwell discussed the need for Internet Protocols (IP) for the Smart Grid which is specifically included in the Stimulus Bill. That leads to the question of why, if IP is good for Smart Grid applications, have many utilities been removing IP connections from “non-Smart Grid” transmission applications? Unfortunately, the answer is obvious - to avoid having to comply with the NERC CIPs by using the loophole of having to only address routable protocols. - Based on the discussions and written testimony (as well as experience with the NERC CIPs), there is a substantial need for developing good, useable metrics for really measuring security (see previous blog on compliance vs security).  This is even more important for the Smart Grid which transcends Transmission and Distribution (T&D) where the CIPS only partially apply. Other non-security observations: - The focus of the Smart Grid was on T&D and customers and not on power generation. Consequently, there was no mention of ISA or process controls in the prepared testimony, presentations, or question/answer sessions. - NEMA mentioned that consensus standards can be developed in 9-12 months. That is VERY optimistic. Generally, consensus standards take several years to develop and get approved. Consensus standards organizations are also voluntary. Attempting to speed up the development process may take outside funding to “modify” the voluntary process. Joe Weiss