by Jennifer Van Burkleo, associate editor
Since the Stuxnet attack on Iranian nuclear facilities was discovered in 2010, technology-based terror threats have exposed vulnerabilities in power grids around the world. U.S. utilities are on guard and addressing concerns, expectations and challenges to secure the nation’s grid.
In January, online hacker group Anonymous intercepted a phone conversation between the FBI and U.K. authorities. According to The Hacker News, a blog dedicated to information technology security and hacking, Anonymous posted the recorded conversation to video-sharing website YouTube. Later that month, Anonymous published Israeli supervisory control and data acquisition (SCADA) details onto Pastebin.com, a website used to share programming codes and configuration information. The hacker group also posted a link to Twitter that detailed 10 Internet Protocol addresses and login information.
In a Congressional Research Service report on data security breach notification laws, Iberdrola USA subsidiaries NYSEG and RG&E revealed a security breach in January that affected more than 1.5 million customers. An NYSEG statement said the breach released customers’ information including social security and bank account numbers.
In March, hackers created a false Facebook account to spy on details related to NATO’s chief, according to IntelNews, a website that covers intelligence, spying and espionage. The plan was similar to attacks on oil and gas companies: Infiltrate companies’ computer systems and see how firms operate.
The Hacker News also reported that in April, Anonymous took defense contractor Boeing Co. offline because of its continued support for the Cyber Intelligence Sharing and Protection Act.
In September, Schneider Electric subsidiary Telvent experienced a security breach. The company released a statement that said the network had been compromised by malicious software. The breach compromised information such as customer and project files for the OASyS SCADA product.
Regulators and Cybersecurity
“The White House is considering an executive order that would direct federal agencies to develop voluntary cybersecurity guidelines for owners of power plants and other critical infrastructure facilities,” said Paul Donsky of Fleishman-Hillard Inc.
The news comes after the Cybersecurity Act of 2012 failed in the Senate.
According to the act, cybersecurity standards would be set voluntarily for operators of the infrastructure and would allow the government and companies to share information regarding cybersecurity and cyberthreats.
Electric Light & Power magazine invited utility executives and cybersecurity experts to discuss regulatory and defensive strategies.
At the Table
Joseph M. Rigby is chairman, president and CEO of Pepco Holdings Inc (PHI). He joined Atlantic City Electric in 1979 and advanced through management. After the merger that formed Conectiv, he was vice president and general manager of gas delivery, which later switched to electric delivery. He was elected president of Conectiv Power Delivery in 2002. From May 2004 to September 2007, he served as senior vice president and chief financial officer of PHI. From September 2007 to March 2008, Rigby served as executive vice president and chief operating officer (COO). In March 2008, he was elected president and COO, and in 2009 he was elected president and CEO. Rigby was elected chairman in May 2009. He has a Bachelor of Science in Accounting from Rutgers University and an MBA from Monmouth University. Rigby is chairman of the United Way of the National Capital Area and chairman of the Greater Washington Board of Trade. He serves on the boards of the U.S. Chamber of Commerce, the Edison Electric Institute, the Federal City Council, the Greater Washington Initiative, and the Economic Club of Washington. He is a member of the Rutgers-Camden School of Business executive advisory board.
Andy Bochman is the energy security lead for IBM's Security Systems Division. Bochman is a frequent speaker, writer and adviser on topics at the intersection of grid modernization, privacy and cybersecurity. He has contributed to industry and national security working groups on energy security and cybersecurity, including the Department of Energy’s (DOE’s) Electric Sector Cybersecurity Capabilities Maturity Model, DOE Risk Management Process, DHS/DoD Software Assurance Forum and working group, National Institute of Standards and Technology (NIST) Smart Grid Cyber Security Work Group (CSWG), and GridWise Interoperability and Cyber Security Working Group. Prior to joining IBM, Bochman was an Air Force communications and computer officer, technology analyst and veteran of several cybersecurity startups. His technology background includes 10 years of experience in application and software security policy development, best practices and tools applied in particular to Department of Defense and energy sector threats and use cases. Bochman is a graduate of the U.S. Air Force Academy and the Harvard Extension School.
Dave Aitel is the CEO of Immunity Inc. Aitel is an information security expert who served as a computer scientist for the National Security Agency (NSA). His company works with Fortune 500s, financial institutions, governments and industrial sites to improve their cybersecurity postures. He is co-author of “The Hacker’s Handbook” and the developer of several ethical hacking tools such as Canvas, Silica and Stalker. He has appeared on CNN, CNBC and Fox Business Network.
Lila Kee is chief product and marketing officer for GlobalSign and drives product vision and product marketing efforts for the global organization. Kee came to GlobalSign with more than 20 years of experience, most recently from GeoTrust, where in 2003 she joined as senior product manager. While at GeoTrust, Kee worked closely with Adobe Systems to launch the first-to-market identity and data integrity solution for securing Adobe PDF documents, branded Certified Document Services (CDS). Prior to GeoTrust, Kee was strategic account manager for RSA, now a security division of EMC, where she was responsible for managing critical technology partners and key strategic customers. Kee also spent more than 14 years' providing product management to GTE Government System’s spin-off, CyberTrust, later acquired by Baltimore Technologies. Kee has a Bachelor of Science in Business Administration concentrated in finance with a minor in political science from Northeastern University and an MBA from Bentley College.
ELP: Rumors are circulating that the Cybersecurity Act might be rewritten into an executive order. What would you like to see happen?
Rigby: Getting something done on cybersecurity is extremely important. Pepco Holdings feels a particular sense of urgency due to the high value its service territory poses as a target and the particularly important public service and national security functions of many of the locations it serves.
According to the experts who monitor threats to the grid and other critical infrastructure, the question is not “if” but “when.” Ironically, critical infrastructure owners and operators don’t have access to that threat information. At a minimum, we need to resolve that lapse quickly. If it must be done by an executive order, so be it. With that said, there are three long-term concerns regarding solution through an executive order vs. a legislative fix.
First, the institution of an executive order on cybersecurity could eliminate whatever wind there may be in the sails for enacting a comprehensive cyber law, which is what we ultimately need to do.
Second, there are limits to what can be done via executive order. Namely, an executive order could contain all the sticks—mandates—and none of the carrots—like liability protection.
Third, an executive order is easy to overturn when a new president is elected. That could result in enormous waste of both work and money if industry builds cybersecurity systems to comply with an executive order issued in 2012 or 2013 only to have that order rescinded in 2017.
Aitel: The security community would like to see the information security bar being raised off the floor and transparency provided to the public as to where critical infrastructure needs to be improved in order to provide resilience against nation-state-level attacks.
Ideally, the major components of our nation's critical power, water and transportation infrastructure can be improved to provide a hope of attribution in the case of an attack.
How we get there is the hard part. Regulation is a heavy weapon when applied to the many different kinds of businesses in the critical infrastructure area, and it remains to be seen that the government can apply regulation intelligently without creating a new government agency to do so, which is not something that can be done in the executive act.
Kee: Although it is crucial that our government do more to respond to very real and potentially devastating cyberthreats, especially in an area such as electricity generation and transmission that is vital to sustaining Americans’ normal way of life, an executive order would be the wrong approach.
The executive office should focus on rewriting a Cybersecurity Act that is embraced by the majority of the Senate and, as a result, is adopted as legislation.
Only a constitutional-based law will provide a sustainable and enforceable policy that will transcend current and future administrations. Since much of the critical infrastructure is part of the private sector, it is important that a mutually beneficial arrangement for public-private collaboration be developed. A collective effort will give the best and most sustainable results in addressing threats and emerging vulnerabilities in order to best safeguard the essential services to support the well-being of Americans.
ELP: Should utilities adopt a common cybersecurity language?
Rigby: Pepco Holdings has sought out opportunities to interface with the government at all levels, with others in the utility sector, and with our vendors to establish cybersecurity standards to mitigate cyberthreats and vulnerabilities and to prepare for executing a coordinated and effective response to any event. One of the challenges has indeed been learning the language.
Much of the work to date on the cyber front has been undertaken by the homeland security and national defense communities. Learning their language has been an interesting challenge. Similarly, many of the applicable solutions require us to work closely with the high-tech sector—another foreign language speaker—and, of course, cybersecurity is a multi-industry issue that touches the communications sector, the transportation sector, and a number of sourcing industries, which, like the utility sector, may have their own jargon. This is why the work of standard-setting organizations like NIST’s Smart Grid Interoperability Panel, where utilities, tech and government sit at one table, is very important.
It is also important that the cybersecurity language and ultimately cybersecurity standards represent a high-level of ongoing coordination between the federal government and the states. This is too pressing and too complicated an issue to have states use disparate language or set different standards.
Aitel: Should they adapt the same regulatory language on cybersecurity? I don’t think it’s realistic to expect that. There’s a vast difference between utilities in terms of size, systems operations and budget. What works for a utility in New York City might not work for one in Miami Beach; however, I do think there are certain commonalities that all utilities share and could be used to create a general framework that would be shared industrywide. For example, all utilities should strive to separate industrial control systems from the Internet as much as possible. Network segmentation should also become an industry mandate. Networks should be regularly pen tested by qualified outside firms, and post-hack recovery plans should be well-developed for a wide range of contingencies, from your basic network breach to a remote takeover of the ICS or a total data loss event on the internal network.
Kee: Adopting a common cybersecurity language that includes minimum-security standards would benefit electric utilities in that it would provide for a flexible and fluid framework for utilities to react quickly to ever-evolving, modern-day threats. One example of standards development that focuses on security as opposed to checklist compliance is North American Energy Standards Board’s (NAESB) approach to Public Key Infrastructure (PKI). The Wholesale Electric Quadrant (WEQ) of NAESB recently approved a standard to guide how WEQ participants implement PKI. This standard is referred to as WEQ-012 and includes an accreditation specification for authorized certificate authorities (CAs) that is nimble enough to withstand frequent updates as technology advances. The standard, if adopted by FERC (Federal Energy Regulatory Commission), will require regulated participants to implement PKI using some of the strongest technologies to address modern-day threats. With WEQ board of directors membership and as an active member of NAESB subcommittee on PKI, GlobalSign is in a position to observe and advise on how applications adopt WEQ-012 into their security models.
Additionally, a common cybersecurity language provides for an easier foundation for utilities to share best practices in terms of how standards are implemented and equally important lessons learned from breaches happening between utilities and regulators. If this standard is approved by FERC, we would hope that it would become the standard for other utilities.
ELP: How effective has the Obama administration been on cybersecurity concerns?
Rigby: Clearly, this is an issue that both the Obama administration and the U.S. Congress take very seriously. Regardless of who you speak to in Department of Defense, Department of Energy, Department of Homeland Security, the U.S. House or the U.S. Senate—Democrat or Republican—there seems to be an appreciation for the urgency of the issue.
We saw this in the initial bipartisan support for the Rogers-Ruppersberger information-sharing bill that ultimately passed in the House. We saw this in the bipartisan work of the Senate Homeland Security Committee in its preparation of the Lieberman-Collins bill. I’ve personally seen this in the commitment illustrated by Secretary Chu and Secretary Napolitano and their teams in the various grid security initiatives the Department of Energy and Department of Homeland Security have under way. I’ve seen it in the efforts Senators Kyl (R-AZ) and Whitehouse (D-RI) have made to try to broker and bipartisan Senate compromise that could be acted upon in the lame-duck session.
I believe it is the impetus behind the Obama administration’s efforts to craft an executive order. Everyone, with the exception of a few outliers, seems truly interested in getting this done. I’m hoping we can all focus on policy, not politics, so that’s exactly what happens: We get this done.
Aitel: The mark of the Obama administration in the cybersecurity field is that it has been very involved. Between massive changes in DARPA (Defense Advanced Research Projects Agency), additional investments in the military industrial complex that drives the industry, and forceful lobbying for change on the congressional front, this is an area that the Obama administration has clearly given a lot of thought. That said, not all their efforts have been fruitful—for example, the Cybersecurity Act failed to pass—and cybersecurity is not an issue during the 2012 campaign by either party.
Kee: Although the Obama administration provided vibrant support of the Cybersecurity Act of 2012, including some bipartisan support, they were unable to adequately address the privacy and liability concerns associated with the act. The administration needs to work with both parties to craft legislation that increases security instead of layering more costly checklist compliance. Senator Rockefeller addressed a letter to Fortune 500 organizations to solicit their views on cybersecurity and legislation aimed at protecting the nation’s critical infrastructure from computer attacks. This is just one example of the administration making direct pleas to CEOs on how best to address the growing cyberthreats outlined by our top military leaders and NSA. Although admirable, the letter put many highly regulated public companies in awkward positions in terms of how their responses may complicate SEC (Securities and Exchange Commission) filing and confidentiality provisions.
ELP: How crucial is cybersecurity protection for the infrastructure, and what is the potential effect from lack of a plan?
Rigby: The security of the electric system infrastructure is and remains of great significance to the industry. As advanced technology capabilities grow, potential threats grow, as well. Pepco Holdings takes an all-hazards approach to emergency preparedness and planning. We routinely review the risks to our infrastructure and our ability to continue business operations in the event of emergencies.
Cybersecurity is crucial to the continued operation of many of our systems, including the infrastructure used to delivery energy to our customers. As with any hazard, Pepco Holdings needs to plan for and prepare to respond to a cybersecurity event. The planning process is designed to first mitigate the risk where possible, then, through situational awareness, detect a potential event as soon as possible and respond in a manner that prevents further damage and reduces the impact of the event.
Planning will also ensure the timely and accurate communication within Pepco Holdings to ensure a coordinated response and externally to keep our customers, the public, the media and government agencies informed. Without a plan, Pepco Holdings may not be able to respond in a timely manner, which could result in more damage to our infrastructure or disruption to our business operations than would otherwise have occurred with a plan. Additionally, the lack of a plan would hamper our ability to provide timely and accurate information internally and externally, which would impact our response and company reputation.
Aitel: The problem with the infrastructure community is that we've moved beyond the point where we believe our infrastructure is managed in a secure way but without providing the public with a plan that allows them to believe we are going to move forward to protect it properly. The risks, in this case, have been demonstrated. Flame, Stuxnet, Duqu and the defense department's constant lobbying have shown people how vulnerable our infrastructure is. But we have no plan to fix it.
A key problem is that infrastructure relies on industrial control systems (ICS) that are harder—it may be fair to say impossible—to secure, as they were originally developed before Internet connectivity was considered.
As more research and development is made in industrial control system and SCADA hacking, the risks from all of these potential hacker threats—nation-states, hacktivists, organized crime, rogue insiders—becomes more elevated and costly. Particularly of concern are rogue states like Iran, which pose a new and more dangerous threat beyond the cyberespionage risks previously demonstrated by China and others. This is obviously not the position the infrastructure community wants to be in.
Kee: The public depends on critical infrastructure for nearly every aspect of life. Lack of a plan to mitigate any kind of attack on the infrastructure is irresponsible. While losing complete control of the infrastructure is highly unlikely, even a slight hit to it could cause public disruption. On an economic note, energy participants should view strengthened security as a method to protect their investment in terms of infrastructure and ongoing operations. Attacks on computer systems or physical assets can translate into costly outages and worse, yet, destruction of valuable assets.
ELP: After the Stuxnet worm was discovered, what has changed and what still needs to be done?
Rigby: Stuxnet represented a step change in the malware threat. Prior to Stuxnet, many companies considered malware to be primarily a user productivity issue—its consequences managed by the desktop services team—as opposed to a highly targeted, operational technology threat. Since Stuxnet, the malware threat is seen as more significant. Stuxnet also raised awareness of alternate attack paths. Stuxnet was not delivered via the Internet, but rather through portable storage: flash drives. As a result of this threat and its attack path, most companies, Pepco Holdings included, have taken a fresh look at the layers of cybersecurity protection that are in place and are determining where additional or different protections make sense. A lot of work goes into that. Here are two examples:
- Security is often about constraining functionality. One such technological advance is the massive amount of storage now available in an inexpensive, highly compact form factor that can plug directly into any workstation with a USB port. Unfortunately, this advance is recognized as a delivery channel for sophisticated malware—one that can easily route around firewalls and Web filters. Companies are implementing device control mechanisms that limit the ability of uncontrolled devices such as flash drives from auto-running hidden malware.
- Security is also about an arms race. Countermeasures are countered and so on. For example, in guarding against highly targeted malware, signature-based defense has become necessary but not sufficient. Signature-based defense is the familiar process where a company partners with one of the larger security vendors and uses their database of known malware—signatures—to spot and quarantine threats. Companies are also looking at anomaly-based defense, where in addition to looking for known bads, you also look on the network for things that don't seem right. This is a particularly useful approach to finding and addressing advanced persistent threats (APTs), which won't be detected through standard anti-virus mechanisms.
Bochman: Stuxnet was the first time that utility executives came to realize that cyberattackers were capable of reaching not only into their organizations but also into their IT and business systems. Stuxnet demonstrated that attackers could leap across DMZs and other network and procedural protections to manipulate operational systems. As a result of Stuxnet, the industry has come to understand the risk cyberattackers pose to utilities' two most highly valued objectives: reliability and safety.
In response, utilities are working with technology vendors and security service providers to knock out or otherwise mitigate the types of vulnerabilities in systems and processes targeted by the creators of Stuxnet and reduce their exposure to risks from other advanced persistent threats.
A couple of the security governance topics such as leadership, centralization, business-oriented security metrics, culture and awareness, point the way to improved security operations. In particular, centralization of control via executive-level security leadership, elimination of IT, OT and other line of business security policy stovepipes, and the use of metrics that can provide senior leadership with heightened visibility into their current security posture, including strengths and gaps, are all doable, but it won't be easy because the obstacles include organizational inertia and sometimes office politics. Cultural challenges often take much longer to overcome than technological ones. Nevertheless, this is work worth doing.
Aitel: What has changed is awareness—awareness about the insecurity of industrial control systems and the relative low cost of developing effective exploits against infrastructure targets. If a covert nuclear program can be targeted, then a city utility is clearly an easy target, and a scary one. But there has not been the massive investment in energy and dollars that would be required to fix even a small segment of our infrastructure. There are two paths to take when talking solutions to these problems: The first is to take a national approach at modernizing and toughening industrial control systems and the software that interconnects ICS with internal networks and the Internet. The second path is the more feasible one, which is widespread changes in how electric facilities protect themselves, by air-gapping ICS, segmenting networks, stronger peripheral defense and monitoring.
Kee: Stuxnet was not the first attack on an industrial system, but it was the first discovered malware capable of spying and undermining industrial security systems, as well as the first to include a programmable logic controller rootkit. Because Stuxnet was a certificate-based, insider attack, it opened the door to a whole new layer of concerns when it comes to retaining control of your own digital environment. Post Stuxnet, the industry understands that more needs to be done in the area of taking a risk-based approach to security, meaning that a spectrum of security should be applied based on the vulnerability and threat of compromise. By providing rudimentary, basic, medium and high assurance levels, a standard can be sensibly applied to a range of threat models and exposure, keeping security at an appropriate intensity and not over spending in areas that don’t result in high-risk or high-exposure threats.
ELP: What are the most progressive cybersecurity technologies out there for the grid’s infrastructure?
Rigby: Cybersecurity should not be considered as a single technology or solution to protect the grid’s infrastructure but a number of technologies that are deployed throughout the grid’s infrastructure. This methodology is referred to a defense-in-depth strategy. A good cybersecurity strategy should include a framework that takes a holistic approach to security, providing protection at all levels with the intent of minimizing the impact and exposure to systems and data. The strategy should also include a secure by design architecture that includes the following elements:
- Use of open standards. Where possible, use open standards opposed to proprietary standards. This reduces the risk of being dependent on one technology provider.
- Defense in depth. Cyberthreat defenses are found in multiple layers throughout the systems and technology. Therefore, if one barrier is breached, there are further barriers.
- Role-based access. Only those who require access to a system or area for their specific role are granted access.
- Compartmentalization. Systems and networks are compartmentalized where possible to prevent access in the event one system is breached.
- Traceable and audited. Capability to trace back an event to the source and the individual who initiated it, whether knowingly or unknowingly.
- Centralized risk mitigation. Coordinated cyberdefenses in a centralized manner in order to ensure consistency across the organization.
An organization should have a cybersecurity plan that addresses prevention, detection, response and recovery. A good cybersecurity plan also includes education and awareness, policies and procedures that address security and protection of systems and data, and development of solutions with security in mind. Cybersecurity is not just deployment of technology but a strategy that addresses people, process and technology.
As communications systems are extended into the grid infrastructure, security technologies that have been developed for other sectors should be deployed within the electric grid.
Techniques that should be considered are data encryption, data integrity verification, device authentication, password management, tamper alerts and firmware verification.
The Department of Energy has sponsored projects within national labs to further develop products and solutions to advance cybersecurity for the electric grid.
Bochman: The technology category, security incident and event management (SIEM) is maturing and now offers utilities a practical way to understand their current security baseline. That is, they can see near real time if they are under attack and can more quickly martial appropriate defensive responses. However, while there are plenty of potentially helpful technologies available to utilities and other grid operators seeking to better secure the electric grid, most of the low-hanging fruit opportunities to improve cybersecurity are related to people and process.
More specifically for many utilities, reconsideration of approaches to security governance, including leadership, centralization, business-oriented security metrics, culture and awareness are all areas where improvement is not only possible, it's necessary if the sector is to become more secure.
And it's the development and deployment of metrics that will enable utilities to not only better prioritize their security investments but demonstrate improvements over time to oversight and other stakeholders.
Aitel: At this point it’s not about applying progressive cybersecurity technologies; it's about applying the basics. Finding ways to upgrade infrastructure networks to modern standards and monitor and manage them properly is an essential first step. These almost boring parts of improving IT will save money in the long run but require a heavy capital investment up front.
Kee: Protection of grid infrastructure requires unique security architecture designed to combat unique vulnerabilities. Some of those tools include digital certificates that utilize strong encryption algorithms, large keys and fast and reliable revocation checking; however, security also needs to go well beyond preventive perimeter security and extend to systems within the protective network.
For example, in the case of Stuxnet, advanced attacks can either bypass traditional perimeter security or infiltrate within the protected facility through insider support. Additionally, the grid’s infrastructure must be designed to quickly quarantine infected areas so Stuxnet-like worms can be quickly contained to avoid massive infection.
ELP: What is your company doing to ensure customers’ personal information remains secure?
Rigby: As with system security, Pepco Holdings takes a multilayered approach to ensure data security. For example, PHI has two billing systems, one which is supported internally and one which is supported by IBM. Pepco Holdings and IBM take similar steps to mitigate the risk of data breach. These plans include training and awareness, sensitive data security requirements for the physical workplace, access controls, separation of duties, encryption and secure electronic data transfer requirements.
In addition, Pepco Holdings has security and authentication provisions in place to prevent attacks on My Account, our customer Web portal. These provisions include best practices such as SQL injection detection, security images and customer-specific authentication.
We commit resources to the vulnerability testing of our customer-facing systems just as we do to our operations-enabling systems.
Kee: GlobalSign is innovative in the certificate industry by forming technology partnerships that enhance security and performance. These partnerships will allow GlobalSign customers to ensure the security of their consumers. GlobalSign provides always-on-SSL and, through its partnership with Netcraft, live alerts when a client’s site has been compromised and hosts phishing attacks affecting end users. Our partnership with Armorize enhances malware protection, and our partnership with CloudFlare increases SSL page-load speeds and strengthens security against DDoS (distributed denial of service) attacks.
ELP: How do you stay one step ahead of the potential hackers?
Rigby: It is important that your company see security as a journey rather than a destination. Hacker tools and techniques are constantly evolving; so must the defenses that companies put in place. PHI, like most companies, relies on multiple layers of defense. There is no silver bullet. We think about cybersecurity in terms of preparedness, prevention and response and recovery.
Job one for preparedness is user awareness. We conduct recurring user awareness and training efforts to help ensure that our employees understand what they can do and not do to help the cause. As part of our preparedness efforts, we also do extensive incident response planning, we test and refine our control environment, we work with informed third parties and industry peers to identify and establish leading practices, and we contract with firms who specialize in threat and vulnerability assessments.
Our prevention efforts include a host of tools and processes to protect the perimeter, as well as the internals of the network: patch management, anti-virus software, laptop encryption, role-based access control, strong passwords, port and service lockdown, internal and external firewalls and Web filtering, to name a few. PHI implemented a leading-edge network operations center in 2012, which monitors our data networks, both OT and IT, much in the same way that we monitor our electric network.
Our response and recovery efforts include intrusion-detection systems and system alarms, as one would expect. We design our systems with security and redundancy in mind, so there is a degree of resilience that has been achieved.
Finally, we routinely test our business continuity and disaster recovery plans in the event that we need to recover from a successful attack.
ELP: What are the factors that drive your company’s investments for cybersecurity?
Rigby: As technology capabilities grow, potential threats grow as well, therefore Pepco Holdings—and the industry as a whole—is placing increased emphasis on cybersecurity. The security of the electric system infrastructure is and remains of great significance to the industry. Pepco Holdings, as with all utilities, is facing a threat level that has increased markedly over the past decade. Pepco Holdings’ unique service territory that includes the White House and Capitol Hill makes it a high target and necessitates effective incident planning, prevention and recovery effort. Cybersecurity protections, system resiliency and event response planning involve significant investment. Appropriate reimbursement mechanisms must be established to reduce utilities’ financial risk while guarding utility customers from disproportionate cost burdens.
Kee: Organizations, especially those involved in the energy sector, must view security investments as a viable risk mitigation tool that not only protects the nation’s way of life but protects their enormous investment in infrastructure. Reliability is key to providing the constant supply of energy needed to meet the demands of our nation, so investing in methods to prevent or at the very least contain the damage from cyberattacks, allows energy suppliers to reduce loss associated with business disruption.
ELP: Does your company have a cybersecurity policy or strategy? How is it reviewed? What does the policy include?
Rigby: Do we have a cybersecurity strategy? Yes, our strategy is first and foremost to be in compliance with all existing security regulations and standards. Second, to the degree possible and practical, we strive to minimize all three aspects of the risk: threat, vulnerability and consequences. We believe this requires instilling security awareness in every PHI employee, as well as in our contractors and vendors.
This also requires a commitment to remaining informed and fluid to adapt to the ever-changing nature of the threat. We strive to reduce vulnerabilities through continuous testing and assessment, stringent enforcement of processes and controls, and state-of-the-art physical and cyber perimeter defenses and incident prevention and detection tools.
Even when all this is done, we recognize that an event may still occur. As a result, our strategy on cyber is closely tied to our efforts to streamline our event response and our system restoration capabilities. Finally, our strategy dictates that we must proactively seek opportunities to partner with government. We do this by both supporting sensible legislation and through participating in joint public-private programs to increase our access to information, improve our ability to minimize of vulnerabilities and advance the efficacy of our response to disruptions to our service.
As with most companies, Pepco Holdings has documented IT policies that focus on acceptable use, technology standards and data privacy. All users have to complete an annual cybersecurity awareness test and also must pass an annual business policy test. Many employees also have to pass a series of NERC (North American Electric Reliability Corp.) compliance tests annually, based on the role they perform. Finally, any system that has to be attached to the PHI network has to pass a rigorous architecture review process that is heavily focused on security matters.
Kee: GlobalSign does have a cybersecurity strategy because as certificate authority, we are often targets for cyberattacks. Our strategy consists of several preventive measures, and we are prepared to quickly resume operations through a variety of disaster recovery capabilities in place. Although we implement rigorous policies around auditing, monitoring, multifactor access to critical systems and process, we are required to adhere to strict certificate authority industry guidelines specified in the WebTrust principals.
interval data, which travels from meter to the head-end system to a meter data management system (MDMS) for storage and analysis. The AMI is not designed for voltage data or the meters’ last gasps, which need to be routed around the AMI’s path and directed into a distribution management system (DMS) or an OMS. The DMS will use voltage data to populate a network model, and an OMS is the proper destination for last-gasp signals.
These separate paths reflect the distinction between operational data and nonoperational data, and proper data routing around the AMI system is a nascent functionality that utilities must demand from vendors.
Utilities should focus on operational data in this context, but vendors must enable utilities to extract more value from the nonoperational data coming out of IEDs, which will provide value to asset management, maintenance and power-quality efforts.
DMS in Outage Management
Consider the DMS’s role in an integrated system. DMS relies on a network model generated from geographic information system (GIS) data and is populated by substation and feeder intelligent electronic devices and voltage data from end-of-line sensors. A network model manager interfaces with a GIS so it knows what data to pull from the GIS to build a three-phase, unbalanced DMS network model.
A utility needs four applications on a DMS: the aforementioned FDIR and IVVR, optimal feeder reconfiguration (OFR) and distribution power flow (DPF). Protective relays detect a fault, its location and type. Then the FDIR isolates the faulted segment of the feeder and restores power to customers on healthy segments of the feeder using the OFR. An OFR can look ahead to account for switching schedules for routine maintenance to optimize its role. All this should happen in less than five minutes, keeping an event within the MAIFI index for most customers and not impacting SAIDI, SAIFI and CAIDI. Although IVVC is only incidental to outage management, it plays a big role in DMS, optimizing voltage and reactive power for energy efficiency. The DPF is an online tool that allows the operator to simulate the results of switching strategies and thus contributes to energy efficiency by controlling losses and loading on feeder lines. These two related functionalities make an outsized contribution to the business case for integrated distribution system automation. The suite of functionalities available through FDIR and IVVR comprise the best business cases for adding intelligence to the distribution system in the United States.
Advancements in data visualization tools such as dashboards make all the interactions described here graphically clear to the grid operator in the control center and in circumstances that require operator action give data in the form of actionable intelligence.
With all the aforementioned elements in place plus that crucial two-way communication with customers, utilities can improve their reliability indices and begin to engage customers in a virtuous cycle that further contributes to speedier outage detection, power restoration and customer satisfaction.
Utilities must weigh the larger value of increased reliability and its impact on customers, regulators and other stakeholders.