Security

Pilot projects are bringing the future vision of the grid to life. Whether leveraging existing systems or rebuilding entire networks in a Big Bang rollout, new technology applications suggest an intuitive electrical network may not be far off.

State and federal incentives provide the carrot for utilities to invest in grid intelligence. But regulatory and technological incentives are not enough without customer participation. Smart-grid policies will succeed only by focusing on customer needs and benefits.

Regulation of greenhouse-gas (GHG) emissions and other efforts to control these growing environmental concerns increasingly are impacting businesses, and investors are seeking more and better information on climate-change risks to make informed investment decisions.

In light of your prescient Frontlines column, “PURPA Redirected” (February 2008), I am curious of your insight. Is there a nexus between §571 of EISA and the demand response (DR) text in the pending FERC NOPR, RM07-19-000, “Wholesale Competition in Regions with Organized Electric Markets,” issued Feb. 22, 2008?

Back in 1978, Congress passed an energy bill, the National Energy Act, including an obscure provision that seemed like an incremental tweak to U.S. energy policy. But eventually, that incremental tweak—the Public Utility Regulatory Policies Act (PURPA)—smashed through the gates of the vertically integrated utility construct. PURPA introduced competition into wholesale power markets in a way that fundamentally changed the U.S. utility industry.

In a world where streetlights can be used as a weapon, controlling local utility networks becomes more than just a matter of public convenience and necessity. It becomes a matter of public safety and even national security. And in that world, the idea of an inter-networked, automated distribution grid poses troubling questions about cybersecurity vulnerabilities.

A simulated attack, named the Aurora Generator Test, took place in March 2007 by researchers investigating supervisory control and data acquisition (SCADA) system vulnerabilities at utility companies. The experiment involved hackers invading the plant’s control system to change the operating cycle of the generator.

As proposed by the North American Electric Reliability Corp., the new critical infrastructure protection (CIP) standards charge utilities with identifying their own critical assets and related cyber systems. This approach allows great flexibility for utilities to apply the CIP standards to their particular situations. This will help ensure that their efforts focus on securing critical assets, rather than on complying with an overly prescriptive set of mandates that might or might not yield a secure grid.

The NERC CIP standards represent an historic achievement. They include the first mandatory cyber security requirements of their kind to be imposed on a U.S. private-sector industry. Considering the scope and sensitivity of the grid-security issue, developing a set of enforceable standards inevitably would entail a complex and contentious process. From that perspective, NERC, FERC and the industry have made remarkable progress, and their efforts deserve accolades.

Utilities are gearing up for compliance with the new CIP standards. NERC, however, has taken a flexible approach to implementation that leaves some companies confused. Can utilities comply by 2009, and will their measures be effective in securing the grid?