standards

SGIP Closes PAP18 and Resolves SEP Issues with Best Practices Document

Version 1.0 of SEP used the low power ZigBee wireless protocol. The PAP18 web site tells us “SEP 1.0 provides a set of functionality for HANs designed to meet the requirements established in the OpenHAN System Requirements Specification v1.0 (produced by the Utility Communications Architecture International Users Group (UCAIug)). SEP 1.0 provides pricing support and consumption for multiple commodities (electric, gas, water), text messaging, direct load control, and demand response capability.”

SEP 2.0 is IP-based and offers a variety of physical layer connectivity options, including WiFi and power line carrier communications. SEP 2.0 is not backward compatible with version 1.x implementations, and the SGIP felt this was an issue that warranted creation of a PAP.

The best practices document discusses two best practices in SEP migration: application layer gateways (ALGs) and dual mode home area networks. An ALG enabling translation between SEP 1.x and SEP 2.0 must be able to maintain the security of HAN devices communicating with the ALG. It is expected that each application (e.g., SEP 1.x) is secure and that the ALG is reasonably fortified against attack. In the case of dual mode operations, the concept of a class of HAN devices that contains both SEP 1.x and SEP 2.0 security suites as well as both SEP applications was developed in the use cases as a way to dramatically simplify the migration process for the customer.

The document acknowledges that the use of HAN is a customer-centric offering that must be handled with the customer in mind. Each utility's solution to transitioning from SEP 1.0 to 2.0 must balance the customer experience with the need for network security. A copy of the best practice can be downloaded at: https://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/SGIPCosSIFSGIP20110008_1

SGIP Releases Revised Testing Procedures

The NIST Smart Grid Interoperability Panel (SGIP) has released version two of its Interoperability Process Reference Manual, with a guide to the process by which test laboratories and certifying organizations are accredited for evaluation of Smart Grid products. Utilities that are interested in smart grid interoperability testing, and the procedures recommended by NIST, should download the document as a reference.

Industry Association Considers Creation of a Green Button Support Group

The UCA International Users Group is considering the creation of a community to support the "green button" initiative that is supported by the White House (see related Insight article). According to Erich Gunther, UCA International chairman, the White House Office of Science and Technology Policy Green Button initiative is moving forward very quickly.

Gunther stated that the Green Button is at once a concept, a policy, a brand and a collection of technologies and creates both opportunities and challenges for utilities and their customers. UCA will likely vote next week to move forward with the creation of a Green Button support mechanism. Those utilities interested in participating should contact UCA International or Klaus Bender at UTC. You will be provided relevant information when it is available.

Draft SGIP Document on Security Assessment is Released

In an email to the National Institute of Standards and Technology's (NIST) Smart Grid Cybersecurity Working Group (CSWG), it was announced that the CSWG Testing and Certification subgroup has completed the draft SGIP document, “Guide for Assessing the High-Level Security Requirements in NISTIR 7628, Guidelines for Smart Grid Cyber Security.” The document provides a foundation to facilitate a security assessment based on the NISTIR 7628 high-level security requirements. The agency released the smart grid security guidelines in the NISTIR 7628 document in 2010, but some utilities have struggled with using the document to create real-world security policies. This guide is written to provide a foundation to facilitate a security assessment based on the NISTIR 7628 high-level security requirements implemented within an effective risk management program.

NERC Issues New CIP 5 Standards and Implementation Plan For Comment

In a recent announcement, the North American Electric Reliability Corporation (NERC) has published ten CIP standards (CIP-002-5 through CIP-009-5, CIP-010-1, and CIP-011-1), a set of new and revised NERC Glossary definitions, and a proposed implementation plan. The documents have been posted on the NERC website for a formal 60-day comment period through Friday, January 6, 2012; comments will be accepted via an electronic form. The implementation plan, also called the mapping document, identifies each requirement in the already-approved Version 4 CIP standards and identifies how the requirement has been treated in the Version 5 CIP standards.

NIST Releases Version 2 of Interoperability Roadmap for Comment

The request for public comments on the draft NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 2.0 was published in the Federal Register on October 25, 2011. The Federal Register version of the document is available for download here. A draft is also available at the NIST WIKI site here.

The deadline for public comments is November 25, 2011 at 5:00 PM Eastern Time.

You may send written comments to the Office of the National Coordinator for Smart Grid Interoperability, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 8100, Gaithersburg, MD 20899-8100, or by email at nistsgfwcmts@nist.gov.

Comments may also be posted on the wiki Website above, which contains earlier versions of the document as well. In particular, it is requested that comments be categorized as 1) technical; 2) editorial; or 3) general. If a comment is not a general comment, please identify the relevant page, line number, and section the comment addresses. NIST is also requesting that commenters include a proposal on how to address the comment. This continues the process of evolution of the framework for interoperability standards for the Smart Grid, and further input from the SGIP will be sought to help resolve the comments as they are received.

More Standards Added to the SGIP Catalog

The Smart Grid Interoperability Panel (SGIP) Plenary Committee voted to add three new standards to the SGIP Catalog of Standards. According to the NIST website, “the Catalog is a compendium of standards and practices considered to be relevant for the development and deployment of a robust and interoperable Smart Grid.” NIST and the SGIP no longer recommend standards for adoption by regulators like the Federal Energy Regulatory Commission (FERC). Instead, the agency has created the Catalog of Standards that allows regulators to review common standards when creating regulations and best practices. Standards added to the catalog recently are IEEE C37.238, WS-Calendar Common Schedule Communication Mechanism and SAE 2847-1 Communication between Plug-in Vehicles and the Utility Grid.

SEC Issues Guidelines On Reporting Cybersecurity Breaches and Risks

The Securities and Exchange Commission (SEC) has issued guidelines to publicly traded companies about what they’re obligated to disclose when hit by a cybersecurity breach. Particularly, the SEC expects companies to disclose “the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” Disclosure would be required of substantial costs for remediation, increased cybersecurity protections, lost revenues, litigation or reputational damage associated with cyber incidents involving theft of intellectual property, other proprietary or financial information or disruption of operations. Additionally, disclosure may be required of material information related to cybersecurity risks, severity and frequency of prior cyber incidents, probability of cyber incidents and adequacy of preventative actions against threatened attacks.

The guidelines clarify that, “While registrants should provide disclosure tailored to their particular circumstances and avoid generic “boilerplate” disclosure, we reiterate that the federal securities laws do not require disclosure that itself would compromise a registrant’s cybersecurity. Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence.” This reporting requirement will shed more light on how publicly traded companies are dealing with cybersecurity, and will add more pressure to investor-owned utilities already grappling with cybersecurity threats to the smart grid. Pike Research estimated that utility companies worldwide are likely to spend $21 billion by 2015 to improve cybersecurity for smart grid. Meanwhile, the U.S. energy sector awaits national, interoperable security standards to support the modernization of the grid, leading to heightened concerns about grid security and its impacts.

Earlier this year, Sen. Rockefeller, Chair of the Senate Commerce Committee, sent a letter to SEC Chairwoman Mary Schapiro calling on the Commission to clarify corporate disclosure requirements for cybersecurity breaches so that the American public can learn more about when hackers make efforts to penetrate companies’ computer systems. Sen. Rockefeller applauded the SEC action in a press release saying, “Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it. I asked the SEC about this because these companies are required under law to report these incidents.”

Input Needed on Standards Meeting

UTC will again be attending a face-to-face meeting of the Industrial Control System Joint Working Group (ICSJWG) in early October in Long Beach. The group falls under the Department of Homeland Security and is working on sector-specific security issues, while merging security roadmaps into a single control system security document.

The draft meeting agenda can be found at the following web site; board members with specific interests, questions or concerns on these topics should contact Klaus Bender prior to October 1 and we will raise those issues at the meeting: http://www.us-cert.gov/control_systems/icsjwg/ICSJWG-2011-Fall-Conference_Agenda_7Sept2011_DRAFT.pdf

FERC Initiates Rule Making on NERC CIP 4 Security Standards

Source: FERC Press Release dated September 15, 2011

"In a long awaited regulatory action, the Federal Energy Regulatory Commission (FERC) took steps to support continued transmission system reliability by proposing revisions to eight critical infrastructure protection (CIP) reliability standards that include a new method of identifying cyber assets that are critical to the nation’s bulk power grid.

The North American Electric Reliability Corp. (NERC) voted to approve the newest version of the CIP standards some time ago, and the industry has been waiting for FERC's decision on whether the standards should be enacted.

If enacted, NERC CIP 4 would present significant changes in the way utilities identify critical assets and the means used to protect them. Utility security professionals should review the draft standards and begin considering changes needed to their procedures to comply with the new methodologies.

The notice of proposed rulemaking (NOPR) stressed that NERC has not addressed all the modifications directed by the Commission’s Order No. 706, which approved the original CIP standards in January 2008. The NOPR would require NERC to make a filing to fully comply with Order No. 706 by the end of the third quarter of 2012. Comments on the proposed rule (RM11-11) are due 60 days after publication in the Federal Register.

The proposed “Version 4” CIP standards are an interim step, FERC said in directing the electric industry and the North American Electric Reliability Corp. (NERC) to continue developing a comprehensive approach to assure the grid can withstand a cyber security incident. NERC is the Commission-certified electric reliability organization responsible for developing and enforcing mandatory reliability standards."
