The Administration announced today that nine major utilities and electricity suppliers will commit to providing more than 15 million households access to data about their own energy use with a simple click of an online “Green Button.” These utilities have agreed to base their Green Buttons on a common technical standard developed in collaboration with a public-private partnership supported by the Commerce Department’s National Institute of Standards and Technology (NIST).
"The Green Button Initiative will help consumers monitor and manage their energy consumption. We believe that engaging consumers as a crucial stakeholder in the process will help us achieve national energy policy goals, deliver important societal benefits and realize important advancements in the utility value chain," said Connie Durcsak, UTC President and CEO, in a press release supporting this project.
The National Institute of Standards and Technology’s (NIST) Smart Grid Interoperability Panel (SGIP) opened its Spring Face-to-Face Meeting in Charlotte on March 20, 2012. The opening plenary session featured Dr. George Arnold, the overseer of the NIST Smart Grid effort. Dr. Arnold told the audience that NIST will continue to participate in the SGIP, regardless of the ultimate structure of the organization, citing mandates in the EISA 2007 legislation. Dr. Arnold was referring to the requirement that the SGIP transition to a sustainable, self-sufficient organization by 2013. The SGIP had created a working group to address this issue and has received a report on a variety of options from EnerNex, the SGIP administrator. Concerns from the audience included one from a utility that suggested that if the SGIP was going to charge dues for membership, it should make the fact known as soon as possible. The utility representative stated that utilities begin creating budgets for 2013 in the summer, and SGIP membership fees may not make the budget unless identified early. Dr. Arnold said he understood the concern and would make plans known as soon as possible.
A report from Don Sheflin, chair of the Smart Grid Federal Advisory Committee, summarized the group’s report to NIST on the workings of the SGIP. Top recommendations included consolidating the disjointed treatment of cybersecurity issues related to the smart grid. Also cited was the need to strengthen state regulatory support for smart grid initiatives, implying that when states treat smart grid efforts in a wide variety of ways, it creates regulatory uncertainty that delays smart grid implementation. Other recommendations included the need for a consolidated communications plan for smart grid education and outreach. UTC will be blogging additional topics from this meeting over the next few days.
The Department of Energy (DOE) has released a second draft of the Electricity Subsector Cybersecurity Risk Management Process (RMP) guideline for public comment. According to the document introduction, “it is intended to be used by the electricity subsector, to include organizations responsible for the generation, transmission, distribution, and marketing of electric power, as well as supporting organizations such as vendors.” The document was prepared in conjunction with the National Institute of Standards and Technology (NIST) and is based on several federal standards related to cybersecurity and risk management. Risk management processes are emerging as a best practice for utilities because of the pressures in the cybersecurity space.
The document is of value to utilities for several reasons. For a newcomer to the topic of cybersecurity and the electric sector, the document offers a background that can be built upon to create plans specific to the organization implementing cybersecurity policies. For those familiar with the topic, the comment period offers the chance to review and comment, perhaps providing insight not previously considered. The document is available for download at the link below. Comments are due April 5, 2012.
http://energy.gov/oe/downloads/draft-cybersecurity-risk-management-process-rmp-guideline
The National Institute of Standards and Technology released the first draft of special publication 800-53 revision 4 yesterday, providing revisions to the Federal Information Security Management Act (FISMA). The update represents a year-long effort by NIST’s Joint Task Force Transformation Initiative that included collaboration with the Department of Defense, the Intelligence Community, the Committee on National Security Systems, and the Department of Homeland Security to revise cybersecurity standards. The document provides guidance on how to address and protect against new information security threats and incorporates new privacy controls into the framework that federal agencies use to protect their information and information systems. For more information, see this NIST Press Release. The current proposals in the document are considered a draft, and NIST invites public comment by April 6 (comments should be sent to sec-cert@nist.gov). The final document is expected to be released in July 2012.
The NIST Smart Grid Interoperability Panel (SGIP) has released version two of its Interoperability Process Reference Manual, with a guide to the process by which test laboratories and certifying organizations are accredited for evaluation of Smart Grid products. Utilities that are interested in smart grid interoperability testing, and the procedures recommended by NIST, should download the document as a reference.
In an email to the National Institute of Standards and Technology's (NIST) Smart Grid Cybersecurity Working Group (CSWG), it was announced that the CSWG Testing and Certification subgroup has completed the draft SGIP document, “Guide for Assessing the High-Level Security Requirements in NISTIR 7628, Guidelines for Smart Grid Cyber Security.” The document provides a foundation to facilitate a security assessment based on the NISTIR 7628 high-level security requirements. The agency released the smart grid security guidelines in the NISTIR 7628 document in 2010, but some utilities have struggled with using the document in order to create real world security policies. This guide is written to provide a foundation to facilitate a security assessment based on the NISTIR 7628 high-level security requirements implemented within an effective risk management program.
The request for public comments on the draft NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 2.0 was published in the Federal Register on October 25, 2011. The Federal Register version of the document is available for download here. A draft is also available at the NIST WIKI site here.
The deadline for public comments is November 25, 2011 at 5:00 PM Eastern Time.
You may send written comments to the Office of the National Coordinator for Smart Grid Interoperability, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 8100, Gaithersburg, MD 20899-8100, or by email at nistsgfwcmts@nist.gov.
Comments may also be posted on the wiki Website above, which contains earlier versions of the document as well. In particular, it is requested that comments be categorized as 1) technical; 2) editorial; or 3) general. If a comment is not a general comment, please identify the relevant page, line number, and section the comment addresses. NIST is also requesting that commenters include a proposal on how to address the comment. This continues the process of evolution of the framework for interoperability standards for the Smart Grid, and further input from the SGIP will be sought to help resolve the comments as they are received.
The Smart Grid Interoperability Panel (SGIP) Plenary Committee voted to add three new standards to the SGIP Catalog of Standards. According to the NIST website, “the Catalog is a compendium of standards and practices considered to be relevant for the development and deployment of a robust and interoperable Smart Grid.” NIST and the SGIP no longer recommend standards for adoption by regulators like the Federal Energy Regulatory Commission (FERC). Instead, the agency has created the Catalog of Standards that allows regulators to review common standards when creating regulations and best practices. Standards added to the catalog recently are IEEE C37.238, WS-Calendar Common Schedule Communication Mechanism and SAE 2847-1 Communication between Plug-in Vehicles and the Utility Grid.
The Securities and Exchange Commission (SEC) has issued guidelines to publicly traded companies about what they’re obligated to disclose when hit by a cybersecurity breach. Particularly, the SEC expects companies to disclose “the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” Disclosure would be required of substantial costs for remediation, increased cybersecurity protections, lost revenues, litigation or reputational damage associated with cyber incidents involving theft of intellectual property, other proprietary or financial information or disruption of operations. Additionally, disclosure may be required of material information related to cybersecurity risks, severity and frequency of prior cyber incidents, probability of cyber incidents and adequacy of preventative actions against threatened attacks.
The guidelines clarify that, “While registrants should provide disclosure tailored to their particular circumstances and avoid generic “boilerplate” disclosure, we reiterate that the federal securities laws do not require disclosure that itself would compromise a registrant’s cybersecurity. Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence.” This reporting requirement will shed more light on how publicly traded companies are dealing with cybersecurity, and will add more pressure to investor-owned utilities already grappling with cybersecurity threats to the smart grid. Pike Research estimated that utility companies worldwide are likely to spend $21 billion by 2015 to improve cybersecurity for smart grid. Meanwhile, the U.S. energy sector awaits national, interoperable security standards to support the modernization of the grid, leading to heightened concerns about grid security and its impacts.
Earlier this year, Sen. Rockefeller, Chair of the Senate Commerce Committee, sent a letter to SEC Chairwoman Mary Schapiro calling on the Commission to clarify corporate disclosure requirements for cybersecurity breaches so that the American public can learn more about when hackers make efforts to penetrate companies’ computer systems. Sen. Rockefeller applauded the SEC action in a press release, saying, “Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it. I asked the SEC about this because these companies are required under law to report these incidents.”
The Department of Energy, in collaboration with the National Institute of Standards and Technology and the North American Electric Reliability Corporation, has released a draft of the Electricity Sector Cybersecurity Risk Management Process (RMP) Guideline for public comment. The RMP Guideline was drafted by a joint public-private sector team that also included representatives from the Federal Energy Regulatory Commission, the Department of Homeland Security, and utilities. The initiative to develop the RMP Guideline is led by the Department’s Office of Electricity Delivery and Energy Reliability. Comments are due by October 28, 2011 and can be made at: https://public.commentworks.com/CW_DOE_AWF/