On February 1, the House Homeland Security Subcommittee on Cybersecurity approved by voice vote an amended version of HR 3674, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PRECISE) Act of 2011. In keeping with the House Cybersecurity Task Force Report released last year, the bill focuses on improving and incentivizing information sharing between the government and the critical infrastructure on cyber threats and incidents. PRECISE would establish DHS as lead federal agency for the coordination of federal and critical infrastructure cybersecurity efforts, the development of a national cybersecurity strategy, and the formulation of voluntary cybersecurity guidelines.
Version 5 of the NERC Critical Infrastructure Protection (CIP) standards was released for comment and vote in December. The results of the voting have been released, and the standard updates failed to receive the necessary votes to pass. The voting results can be viewed and downloaded here.
Honeywell's Tom Alrich, who has been working closely with this process, commented, "The only positive vote of greater than 40% was for the implementation plan. CIP-003 and CIP-008 got between 30 and 40% positive votes. Everything else got under 30% positive. In addition, participation was quite high - over 90% for each ballot." Mr. Alrich notes that the Standard Development Team is working on changes that will increase the likelihood of ratification in the next vote.
Version 3 of the NERC CIP standards is in place now, with version 4 approved and awaiting implementation. Some industry professionals hoped that version 5 would be approved quickly so that implementation of procedures to comply with version 4 would not be necessary. The failed vote brings this possibility into question.
The NIST Smart Grid Interoperability Panel (SGIP) has released version two of its Interoperability Process Reference Manual, with a guide to the process by which test laboratories and certifying organizations are accredited for evaluation of Smart Grid products. Utilities that are interested in smart grid interoperability testing, and the procedures recommended by NIST, should download the document as a reference.
The Michigan Public Service Commission has launched an investigation into Michigan utility companies that install smart meters after concerns were raised by electric customers and municipalities over the practice. The Commission noted that "at least nine local communities across Michigan" have called for such an action by the state agency.
The UCA International Users Group is considering the creation of a community to support the "green button" initiative that is supported by the White House (see related Insight article). According to Erich Gunther, UCA International chairman, the White House Office of Science and Technology Policy Green Button initiative is moving forward very quickly.
Gunther stated that the Green Button is at once a concept, a policy, a brand and a collection of technologies and creates both opportunities and challenges for utilities and their customers. UCA will likely vote next week to move forward with the creation of a Green Button support mechanism. Those utilities interested in participating should contact UCA International or Klaus Bender at UTC. You will be provided relevant information when it is available.
The Department of Transportation (DOT) has updated its list of Frequently Asked Questions (FAQ) to clarify its new rules restricting the use of push-to-talk mobile telephones while driving a commercial motor vehicle (CMV). In particular, it gives clarification that CMV drivers are allowed to use push-to-talk mobile communications equipment while driving, "provided the driver does not reach for, dial, or hold the actual mobile telephone in his/her hand while driving and the driver is able to touch the button needed to operate the push-to-talk feature from the normal seated position with the safety belt fastened." As an example, "if the mobile phone is mounted in a cradle or similar device near the driver, or there is a remote push-to-talk button near the vehicle controls to allow the driver to communicate without reaching for, dialing, or holding the actual mobile telephone in his/her hands while driving, the equipment may be used."
California utilities Pacific Gas & Electric, San Diego Gas & Electric and Southern California Edison are collaborating to deliver "Green Button" customer energy data to about six million California customers. By clicking on the Green Button, up to 13 months of past energy consumption data is instantly exported into customer- and computer-friendly standard formats. The data will be delivered in standardized file formats for easy export to other applications. According to a White House blog post, the expectation is that access to this information will inspire innovative consumer applications and devices from entrepreneurs, businesses and students.
The Green Button system is based on a developing standard, Open Automated Data Exchange (Open ADE). The particular standard for that common format, known as Energy Services Provider Interface (ESPI), was finalized in a 1.0 version in October 2011; the federal government wants to make it a national smart grid standard.
According to reports on blogs such as Earth2Tech and GreenTechGrid, other utilities including Southern California Edison, Glendale Power & Light, Oncor and Pepco Holdings will announce that they will also offer the feature later this year.
A new report by the Government Accountability Office (GAO) recommended that the Department of Homeland Security (DHS) should work with public and private sector partners to determine whether cybersecurity guidance should be added to sector-specific critical infrastructure plans. The GAO was asked to: 1) identify cybersecurity guidance within the seven critical infrastructure sectors; 2) determine the extent to which this cybersecurity guidance was enforced and promoted; and 3) find commonalities and differences between cybersecurity guidance for private sector entities versus federal government entities.
In collaboration with the White House, the Department of Homeland Security (DHS) and electric company senior executives, the Department of Energy (DOE) formally launched a new initiative to develop a more comprehensive and consistent approach to protecting the nation's electric grid. Under the initiative, called the Electric Sector Cybersecurity Risk Management Maturity Project, DOE is seeking to leverage private industry and public sector expertise to develop an adaptable and scalable model for measuring current capabilities and analyzing gaps in cyber defenses. The model will be based on a cybersecurity risk management process guideline developed with public and industry input and finalized in October 2011.
In a statement accompanying the project launch, White House Cyber Security Coordinator Howard Schmidt commented, "This effort will be focused on performance-based strategies and concrete steps to measure progress of cyber security in the electric sector. It is important to understand the sector's strengths and remaining gaps across the grid to inform investment planning and research and development, and enhance our public-private partnership efforts."
A series of workshops with industry representatives is planned for the next several months to draft the maturity model. A pilot program to test the model's effectiveness and validate results is planned for late spring/early summer with about a dozen electric utilities and grid operators participating. Based on the results of the pilot program, a final risk management maturity model is expected to be made available to the entire electric sector in late summer.
The Department of Homeland Security (DHS) Control Systems Security Program (CSSP) has released an interim Version 4.0.1 of the Cyber Security Evaluation Tool (CSET). This new version of the tool can be downloaded from the CSSP website:
http://us-cert.gov/control_systems/satool.html
This interim Version 4.0.1 release addresses some minor issues identified in report formatting and corrects a problem with Zone Security Assurance Level (SAL) calculations. In addition, this release incorporates a new sub-report to isolate and show user comments in a single location, includes modifications to clarify how firewall analysis is performed, and improves the gap analysis for pass/fail standards.