The NIST Smart Grid Interoperability Panel (SGIP) has released version two of its Interoperability Process Reference Manual, with a guide to the process by which test laboratories and certifying organizations are accredited for evaluation of Smart Grid products. Utilities that are interested in smart grid interoperability testing, and the procedures recommended by NIST, should download the document as a reference.
In an email to the National Institute of Standards and Technology's (NIST) Smart Grid Cybersecurity Working Group (CSWG), it was announced that the CSWG Testing and Certification subgroup has completed the draft SGIP document, “Guide for Assessing the High-Level Security Requirements in NISTIR 7628, Guidelines for Smart Grid Cyber Security.” The document provides a foundation to facilitate a security assessment based on the NISTIR 7628 high-level security requirements. The agency released the smart grid security guidelines in the NISTIR 7628 document in 2010, but some utilities have struggled to use the document to create real-world security policies. This guide is written to provide a foundation to facilitate a security assessment based on the NISTIR 7628 high-level security requirements implemented within an effective risk management program.
The request for public comments on the draft NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 2.0 was published in the Federal Register on October 25, 2011. The Federal Register version of the document is available for download here. A draft is also available at the NIST WIKI site here.
The deadline for public comments is November 25, 2011 at 5:00 PM Eastern Time.
You may send written comments to the Office of the National Coordinator for Smart Grid Interoperability, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 8100, Gaithersburg, MD 20899-8100, or by email at nistsgfwcmts@nist.gov.
Comments may also be posted on the wiki Website above, which contains earlier versions of the document as well. In particular, it is requested that comments be categorized as 1) technical; 2) editorial; or 3) general. If a comment is not a general comment, please identify the relevant page, line number, and section the comment addresses. NIST is also requesting that commenters include a proposal on how to address the comment. This continues the process of evolution of the framework for interoperability standards for the Smart Grid, and further input from the SGIP will be sought to help resolve the comments as they are received.
The Smart Grid Interoperability Panel (SGIP) Plenary Committee voted to add three new standards to the SGIP Catalog of Standards. According to the NIST website, “the Catalog is a compendium of standards and practices considered to be relevant for the development and deployment of a robust and interoperable Smart Grid.” NIST and the SGIP no longer recommend standards for adoption by regulators like the Federal Energy Regulatory Commission (FERC). Instead, the agency has created the Catalog of Standards that allows regulators to review common standards when creating regulations and best practices. Standards added to the catalog recently are IEEE C37.238, WS-Calendar Common Schedule Communication Mechanism and SAE 2847-1 Communication between Plug-in Vehicles and the Utility Grid.
The Securities and Exchange Commission (SEC) has issued guidelines to publicly traded companies about what they’re obligated to disclose when hit by a cybersecurity breach. Particularly, the SEC expects companies to disclose “the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” Disclosure would be required of substantial costs for remediation, increased cybersecurity protections, lost revenues, litigation or reputational damage associated with cyber incidents involving theft of intellectual property, other proprietary or financial information or disruption of operations. Additionally, disclosure may be required of material information related to cybersecurity risks, severity and frequency of prior cyber incidents, probability of cyber incidents and adequacy of preventative actions against threatened attacks.
The guidelines clarify that, “While registrants should provide disclosure tailored to their particular circumstances and avoid generic “boilerplate” disclosure, we reiterate that the federal securities laws do not require disclosure that itself would compromise a registrant’s cybersecurity. Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence.” This reporting requirement will shed more light on how publicly traded companies are dealing with cybersecurity, and will add more pressure to investor-owned utilities already grappling with cybersecurity threats to the smart grid. Pike Research estimated that utility companies worldwide are likely to spend $21 billion by 2015 to improve cybersecurity for the smart grid. Meanwhile, the U.S. energy sector awaits national, interoperable security standards to support the modernization of the grid, leading to heightened concerns about grid security and its impacts.
Earlier this year, Sen. Rockefeller, Chair of the Senate Commerce Committee, sent a letter to SEC Chairwoman Mary Schapiro calling on the Commission to clarify corporate disclosure requirements for cybersecurity breaches so that the American public can learn more about when hackers make efforts to penetrate companies’ computer systems. Sen. Rockefeller applauded the SEC action in a press release saying, “Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it. I asked the SEC about this because these companies are required under law to report these incidents.”
The Department of Energy, in collaboration with the National Institute of Standards and Technology and the North American Electric Reliability Corporation, has released a draft of the Electricity Sector Cybersecurity Risk Management Process (RMP) Guideline for public comment. The RMP Guideline was drafted by a joint public-private sector team that also included representatives from the Federal Energy Regulatory Commission, the Department of Homeland Security, and utilities. The initiative to develop the RMP Guideline is led by the Department’s Office of Electricity Delivery and Energy Reliability. Comments are due by October 28, 2011 and can be made at: https://public.commentworks.com/CW_DOE_AWF/
The Federal Energy Regulatory Commission (FERC) issued its Order on Smart Grid Interoperability Standards, and it has concluded that there is "insufficient consensus" on the initial five families of standards that were sent by NIST for FERC adoption in accordance with the Energy Independence and Security Act of 2007. Furthermore, the FERC encouraged stakeholders to actively participate in the NIST interoperability framework process to develop standards for interoperability and to refer to that process for guidance on smart grid standards. Finally, FERC terminated its proceeding in docket RM11-2-000.
In reaching its conclusion not to institute a rulemaking proceeding to adopt the standards, the Commission agreed with comments that registered concerns about cyber security deficiencies and potential unintended consequences from premature adoption of individual standards. The Commission did express its support for the NIST process and did encourage active participation by stakeholders, citing planned improvements to the NIST process including "an enhanced SGIP role in reviewing existing as well as new smart grid interoperability standards, the establishment of a preliminary testing process, the establishment of a process to identify cyber security design principles, and efforts to better address reliability and implementation concerns within the SGIP process."
For more information, contact the UTC Legal/Regulatory Department.
A new document intended to help pipeline operators, power producers, manufacturers and other managers of critical infrastructures to secure their systems while addressing their unique performance, reliability and safety requirements has been issued by the National Institute of Standards and Technology (NIST). The document provides an overview of industrial control systems (ICS) and typical system topologies, identifies typical threats and vulnerabilities to these systems and provides recommended security countermeasures to mitigate the associated risks. Because there are many different types of ICS with varying levels of potential risk and impact, the document provides a list of many different methods and techniques for securing ICS.
This new guide is recommended to be used along with the NIST Guidelines for Smart Grid Cyber Security (NISTIR 7628), which was issued last September, to tackle security issues arising from the convergence of the electric power Smart Grid and ICS.
A major step toward a standardized format for communicating actionable information on energy consumption to U.S. households has been achieved as the SGIP Governing Board voted to accept the third set of standards to emerge from the Priority Action Plan (PAP) teams. The NAESB Energy Usage Information seed information model is the completed output for PAP 10. The Board’s positive vote on January 28 signifies that these standards are now recommended for inclusion on the SGIP Catalog of Standards, where they will guide the development of an interoperable Smart Grid.
The Department of Energy (DOE) has announced a collaborative grid cyber security initiative with the National Institute of Standards and Technology (NIST) and the North American Electric Reliability Corporation (NERC). Led by the DOE’s Office of Electricity Delivery and Energy Reliability, the effort will also collaborate with public and private sector representatives including the NIST Smart Grid Interoperability Panel’s Cyber Security Working Group (CSWG) and the Federal Energy Regulatory Commission (FERC).