Mark Weatherford, Under Secretary for Cybersecurity at the Department of Homeland Security, offered comments as the morning keynote speaker on the second day of the Industrial Control System Joint Working Group (ICSJWG). Weatherford is the former Chief Security Officer at the North American Electric Reliability Corporation (NERC) and therefore has some knowledge of control systems and their security vulnerabilities. Mr. Weatherford stressed a theme of partnerships and information sharing between industry and government, noting that nearly 85% of the critical infrastructures in the US are owned by the private sector. He stated that we need to raise the nation’s cybersecurity IQ, not only with the general public but also with regulators and Congress. He also acknowledged that cybercrime nets more money for criminals than the cocaine, heroin and marijuana industries combined, worldwide. Mr. Weatherford also pointed to the interdependencies among the critical infrastructures in the US. Security in the electric sector cannot be accomplished without considering the communications that link electric system devices.
Regarding legislation currently before Congress on this issue, Mr. Weatherford stated that there is a place for government enforcing cybersecurity standards, but the government should not presume that they can write these standards for control systems. Government must still rely on industry for standards and best practices. When asked if vendors should be held accountable for insecure products, Mr. Weatherford responded that industry is making great strides in delivering secure systems, but industry is still accountable for deploying and correctly configuring these systems. If security settings are turned off because they are inconvenient, then the user is to blame, not the vendor.
David Furth, acting Bureau Chief of the Federal Communications Commission’s Public Safety and Homeland Security Bureau, announced today that the FCC will immediately freeze applications for new stations and major modifications in the 470-512 MHz private land mobile band, also known as the “T-Band”. The announcement was made at the annual meeting of the Land Mobile Communications Council (LMCC) in Washington DC. LMCC is the association of FCC-certified frequency advisory committees, or frequency coordinators. Mr. Furth said the FCC would issue a public notice detailing the parameters of the freeze within a week. He said applications for minor changes to existing systems would be accepted, but applications for major changes to existing operations, and new systems, would be dismissed and not processed. Mr. Furth did not comment on what the FCC would do with applications currently pending at the Commission, but UTC believes it is likely these applications will not be processed.
The basis for the action results from the Middle Class Tax Relief and Job Creation Act of 2012, recently signed into law by President Obama. The act allocates the 700 MHz “D” block to the public safety community and sets the stage for the construction and operation of a nationwide Public Safety Broadband Network. In exchange for the D block allocation, the public safety community agreed to begin vacating this spectrum nine years after the signing of the legislation. Mr. Furth indicated that applications for new systems and major modifications could still be filed, but must be accompanied by a waiver request indicating the unusual or emergency nature of the proposed operations.
The FCC authorized land mobile operations in the T-band in thirteen cities in the US for private land mobile use. The band is not used exclusively by public safety. Several utilities and other critical infrastructure entities have large systems in the band. Once the existing systems have been cleared, the FCC intends to auction the spectrum and the proceeds would be used to help fund the national broadband network. Therefore, all licensees, including utilities, must vacate the band.
Mr. Furth also advised the LMCC audience that existing operations in the T-band would be exempt from the January 1, 2013 deadline to narrow single voice channel operations from 25 kHz to 12.5 kHz. He said licensees that operate in both the T-Band and other UHF spectrum are still required to narrow non-T-Band channels.
Questions on this action, and other decisions at the LMCC meeting, should be directed to UTC’s Spectrum Services Director, Don Vasek, or Klaus Bender, Senior Director of Engineering and Standards.
The IEEE Standards Association (IEEE-SA) has voted to approve the publication of the “4g” amendment to the 802.15 standard. The amended standard is commonly referred to as Smart Utility Networks (SUN) and is a physical layer (PHY) amendment to the existing low power, personal area network (LoPAN) 802.15 standard. The amendment is intended to provide a global standard that facilitates very large scale process control applications such as the utility smart-grid network capable of supporting large, geographically diverse networks with minimal infrastructure, with potentially millions of fixed endpoints, according to the IEEE web site.
The National Institute of Standards and Technology’s (NIST) Smart Grid Interoperability Panel (SGIP) opened its Spring Face-to-Face Meeting in Charlotte on March 20, 2012. The opening plenary session featured Dr. George Arnold, the overseer of the NIST Smart Grid effort. Dr. Arnold told the audience that NIST will continue to participate in the SGIP, regardless of the ultimate structure of the organization, citing mandates in the EISA 2007 legislation. Dr. Arnold was referring to the requirement that the SGIP transition to a sustainable, self-sufficient organization by 2013. The SGIP had created a working group to address this issue and has received a report on a variety of options from EnerNex, the SGIP administrator. Concerns from the audience included one from a utility that suggested that if the SGIP was going to charge dues for membership, it should make the fact known as soon as possible. The utility representation stated that utilities are beginning to create budgets for 2013 in the summer and SGIP membership fees may not make the budget, unless identified early. Dr. Arnold said he understood the concern and would make plans known as soon as possible.
A report from Don Sheflin, chair of the Smart Grid Federal Advisory Committee, summarized the group’s report to NIST on the workings of the SGIP. Top recommendations included consolidating the disjointed treatment of cybersecurity issues related to the smart grid. Also cited was the need to strengthen state regulatory support for smart grid initiatives, implying that when states treat smart grid efforts in a wide variety of ways, it creates regulatory uncertainty that delays smart grid implementation. Other recommendations included the need for a consolidated communications plan for smart grid education and outreach. UTC will be blogging additional topics from this meeting over the next few days.
The Institute of Electrical and Electronics Engineers (IEEE) has added five new standards to the IEEE portfolio of more than 100 active standards or standards in development relevant to the smart grid.
The IEEE Standards Association (IEEE-SA) Standards Board approved IEEE C37.118.1-Standard for Synchrophasor Measurements for Power Systems, IEEE C37.118.2-Standard for Synchrophasor Data Transfer for Power Systems, IEEE C37.238-Standard Profile for Use of IEEE Std. 1588 Precision Time Protocol in Power System Applications, IEEE C37.232-Standard for Common Format for Naming Time Sequence Data Files (COMNAME) and IEEE 1020-Guide for Control of Small (100 kVA to 5 MVA) Hydroelectric Power Plants.
The standards were developed outside the NIST Smart Grid Interoperability effort and must be approved through the NIST process before being added to the NIST Catalog of Smart Grid Interoperability Standards. Additionally, IEEE-SA recently modified the scope and purpose of an existing smart grid related standards-development project, IEEE P1409, Draft Guide for the Application of Power Electronics for Power Quality Improvement on Distribution Systems Rated 1 kV Through 38 kV. For more information, see related IEEE press release.
The Smart Grid Interoperability Panel (SGIP) has ended its work in Priority Action Plan 18 (PAP18) with the addition of a best practices document to the SGIP catalog of standards. PAP18 deals with the Smart Energy Profile (SEP) used by a number of utility meters and home energy devices to communicate with one another.
A little-discussed provision of the legislation is Section 6412, which instructs the Federal Communications Commission (FCC) to provide a report, within 9 months, on the status of the 11 GHz, 18 GHz and 23 GHz bands. According to a story in 'Comm Law Blog', Congress is specifically interested in the “rejection” rate of FCC applications for commercial services in these bands. The bands are used for broadband backhaul services over relatively short path lengths. However, the bands are not only used by commercial wireless providers, they are used for critical infrastructure as well. The wording describes the term “rejection rate” to mean the number and percent of applications (whether made to the Commission or to a third-party coordinator) for common carrier use of spectrum that were not granted because of lack of availability of such spectrum or interference concerns of existing licensees.
The fear is that the FCC will allocate this band for auction as a more efficient means of spectrum licensing, forgetting the utility and critical infrastructure systems that also use the channels. UTC will be watching this issue as it progresses through the FCC. For more details, see the blog post at http://www.commlawblog.com/2012/02/articles/unlicensed-operations-and-emer/congress-seeks-info-on-11-18-and-23-ghz-fixed-microwave/
The Department of Energy (DOE) has released a second draft of the Electricity Subsector Cybersecurity Risk Management Process (RMP) guideline for public comment. According to the document introduction, “it is intended to be used by the electricity subsector, to include organizations responsible for the generation, transmission, distribution, and marketing of electric power, as well as supporting organizations such as vendors.” The document was prepared in conjunction with the National Institute of Standards and Technology (NIST) and is based on several federal standards related to cybersecurity and risk management. Risk management processes are emerging as a best practice for utilities because of the pressures in the cybersecurity space.
The document is of value to utilities for several reasons. For a newcomer to the topic of cybersecurity and the electric sector, the document offers a background that can be built upon to create plans specific to the organization implementing cybersecurity policies. For those familiar with the topic, the comment period offers the chance to review and comment, perhaps providing insight not previously considered. The document is available for download at the link below. Comments are due April 5, 2012.
http://energy.gov/oe/downloads/draft-cybersecurity-risk-management-process-rmp-guideline
The Industrial Control System Cyber Emergency Response Team (ICS-CERT) issued an alert on February 3, 2012, concerning SSH scanning activity that is targeting control systems. The agency states that this Alert is being issued to inform critical infrastructure and key resource (CIKR) asset owners and operators of recent and ongoing activity involving secure shell (SSH) scanning of Internet-facing control systems.
As recently as this week, ICS-CERT received a report from an electric utility experiencing unsuccessful brute force activity against their networks. The full alert is available for review here.
Version 5 of the NERC Critical Infrastructure Protection (CIP) was released for comment and vote in December. The results of the voting have been released and the standard updates failed to receive the necessary votes to pass. The voting results can be viewed and downloaded here.
Honeywell's Tom Alrich, who has been working closely with this process, commented, "The only positive vote of greater than 40% was for the implementation plan. CIP-003 and CIP-008 got between 30 and 40% positive votes. Everything else got under 30% positive. In addition, participation was quite high - over 90% for each ballot." Mr. Alrich notes that the Standard Development Team is working on changes that will increase the likelihood of ratification in the next vote.
Version 3 of the NERC CIP standards is in place now, with version 4 approved and awaiting implementation. Some industry professionals hoped that version 5 would be approved quickly so that implementation of procedures to comply with version 4 would not be necessary. The failed vote brings this possibility into question.