Power Delivery & Markets Distribution Advisory Council February 13, 2007 Storm Modeling
Storm Recovery Webinar 6.12 - Council of State...
Transcript of Storm Recovery Webinar 6.12 - Council of State...
Presentation to Council of State Governments, June 14 2013
Miles Keogh, Director of ResearchNational Association of Regulatory Utility
Commissioners
Today’s AgendaI. What is resilience?II. ThreatsIII. Roles
i. Federal ii. Stateiii. Information Protection, Information Managementiv. Cyber Security
IV. What you can do
Infrastructure Protection is a risk management problem Enterprise risk management applies to any decision‐making being made under conditions of uncertainty. Financial risk Regulatory risk Critical Infrastructure protection risks:
An interruption to service, no matter what the origin, interrupts service.
An “all hazards” approach to preparedness helps deal with interruptions no matter the origin?
3
Risk management means considering a continuum:
Vulnerability: how prepared are we? Threat: what could exploit the vulnerability?Likelihood: how often does the event occur?Consequence: how bad would it be?
5
We know how to plan for Utility System Reliability:
Minimizing:• Frequency of Outage• Duration of Outage• Scale of Outage
Critical Infrastructure Protection now also needs to include a focus on Resilience:
• Flexibility (before)• Robustness (before & during) • Resourcefulness (during)• Rapid recovery (after)• Adaptability (after)
The metrics for reliability may leave important resilience investments off the table.
To approve and motivate resilience, it must be defined and be measurable for policy‐makers.
Reliability vs. Resilience
Weather
REUTERS, Fort Calhoun flooded in Eastern Nebraska, June 2011.
N2
Slide 8
N2 Ask: what vulnerability? Threat / likelihood? consequence?NARUC, 9/11/2012
Recent Weather Events 2007 Hurricane Katrina 2008 – 2009 Wildfires Summer 2011 Joplin MO tornado June 2012 North American Derecho Fall 2012 Superstorm Sandy Summer 2013 tornadoes
8
Non‐Weather Events Earthquake Volcano Tsunami Geomagnetic Disturbance (GMD)
Human Impact Accidents/Negligence Workforce
Pandemic Disruption to labor supply or key talent
Human ‐ Intentional Physical Attacks
Low tech. to high tech. Coordinated or wide‐area attacks
e.g. EMP
Cyber Security
Smarter Infrastructure is intended to improve reliability If you can see what you’re doing, you can respond quicker and better
System visualization addresses some vulnerabilities… … but intelligent infrastructure introduces new vulnerabilities which need to be managed if we want to be, on balance, more secure.
12
Smart Grid Security: Three FlavorsConventional IT Systems Control Systems “Smart Grid”
ElectricalInfrastructure
+ + =
13
Why Cyber? (cont’d.) Ubiquity of networks and dependency on them ‐networks are cheaper, faster, more effective
Ease of launching a sophisticated attack New activity by nation‐states and advanced persistent threat
Tools are freely available on the Internet (e.g. GLEG Agora SCADA+)
Interdependencies between sectors
14
Interdependencies A pretty bad hypothetical scenario…
15
Build Resilience
17
Companies and vendors Cyber‐secure operations is the domain of companies. Law enforcement and National Security aren’t their –or our – jobs (generally)
This is going to require new kinds of partnerships.
18
Department of Homeland Security Agency most directly concerned with direct threats to the nation’s energy
infrastructure, vulnerability assessments and responding to those threats
Key Offices for Energy Security: FEMA Provides emergency support and coordination to local responders and
citizens with a focus on essential human needs. Division of Information Analysis and Infrastructure Protection
Determines security needs and priorities Supports state capacity building through training just like this Targets: vulnerabilities with catastrophic potential, e.g. nuclear power plants,
chemical facilities, pipelines and ports DHS Office for State and Local Coordination
Provides primary contact for training, equipment, planning and other critical response needs
Coordinates communication systems from federal to state and local government Distributes research, technical support, warnings and other information
19
Other Roles Law enforcement does law enforcement Intelligence community generates threat info DOE – works to address strategic energy security issues through its efforts on electricity transmission, fuel diversity, energy supplies, research and development and other similar issues
TSA – lead federal agency for security of transportation, including pipelines
Dept. of Commerce Office of Pipeline Safety – regulates safety‐related issues in pipelines
FERC – examines economic issues affecting security costs for utilities under its jurisdiction
Non Feds: NERC, RTOs, Control Area Operators, Utilities
20
State Roles
Emergency Managers
State Energy Offices
State Legislatures
Governors’ Offices
State and Local Police; National Guard
Local Government Contracts
Other States
Utilities and Interdependent Systems
Public Utility Commissions
Federal Lead Agencies
(DOE, EPA, DHS)
Governor’s Office conducts overall emergency planning
Emergency Management Agency provides primary emergency response
Homeland Security, State Military or State Policeprevents criminal and terrorist‐caused disasters
State Energy Office assures supplies of petroleum, heating oil, propane
Other State Agencies Departments of health, environment, social or human services department, transportation departments
At the local levelCounties and Municipal Organizations
21
Roles of Legislatures Establish Agency Regulatory Oversight:
Reliability Planning Resource Diversity
Manage information and authorize information protection
Set liability Set rules for emergency situations
Pricing, quarantine, evacuation, coordination What else?
22
Information protection/ Information Management Connecting information with those who need it breeds success;
Connecting information with those who want it for the wrong reasons is a recipe for disaster. What goes in the public record? What legal protections exist? What capacity exists to protect it from illegal or extra‐legal exploitation?
23
Ask questions… CAREFULLY1. “We can’t protect it so don’t share it.”2. “We can’t protect it onsite but can see it at your site”3. “We can protect it in a special case”4. “We can protect it within a standard case with a
secure hearing”5. “We can protect it as a matter of course”
Some of these approaches require people with specialized skills, clearances, or professional relationships
24
State Actions Seek Information and Education Review Utility Commission Enabling Statutes Recognize Importance of and Encourage Energy Efficiency and Demand Response Programs
Review Utility Oversight Laws for Security Implications
Review Statutes Governing Energy Office and Duties
26
State Actions Review Statutes Influencing Energy System Diversity and Redundancy
Review Statutes Governing Freedom of Information Laws
Reassess Laws and Procedures Governing Open Meetings
Evaluate State Liability Statutes Ensure that Industry and/or State Agencies Have Conducted Appropriate Vulnerability Studies
27
State Actions Update Statutes Governing Emergency Response for Coordination, Delegation, Flexibility and Communication
Examine Possible Unfair Pricing Legislation in Emergencies
Cyber Security
28
Miles KeoghDirector, Grants & [email protected]‐898‐2217
Available Resources Standards and Guidelines:
Bulk Power System: NERC CIP Standards Smart Grid: NIST Interagency Report 7628 (NISTIR 7628)
http://csrc.nist.gov/publications/PubsNISTIRs.html NARUC has developed:
Cybersecurity for State Regulators with Sample Questions for Regulators to Ask Utilities: http://www.naruc.org/Grants/Documents/NARUC%20Cybersecurity%20Primer%20June%202012.pdf
NARUC Critical Infrastructure Committee http://www.naruc.org/committees.cfm?c=46
Monthly Cybersecurity Threat Briefings National Electric Sector Cyber Security Organization (NESCO): EnergySec
formed the NESCO organization as a Public‐private partnership including Utilities, federal agencies, regulators, researches, and academics
National Electric Sector Cyber Security Organization Resource (NESCOR): EPRI was selected to serve as a research and analysis resource to the NESCO program and develop mitigation strategies, best practices and metrics
DOE Smart Grid Investment Grant (SGIG) Program: Required grant recipients to gather info and implement cyber security plans http://energy.gov/oe/technology‐development/smart‐grid/recovery‐act‐smart‐grid‐investment‐grants
30
Available Resources (cont’d.) NASEO Smart Grid Report NARUC Primer AMI‐SEC Task Force Advanced Metering Infrastructure (AMI) System Security
Requirements, December 2008. See http://csrc.nist.gov/publications/fips/fips199/FIPS‐PUB‐199‐final.pdf.
ANSI/ISA‐99, Manufacturing and Control Systems Security, Part 1: Concepts, Models and Terminology, 2007. See http://csrc.nist.gov/publications/fips/fips199/FIPSPUB‐199‐final.pdf.
ANSI/ISA‐99, Manufacturing and Control Systems Security, Part 2: Establishing a Manufacturing and Control Systems Security Program, 2009. See http://csrc.nist.gov/publications/fips/fips199/FIPS‐PUB‐199‐final.pdf.
Federal Bureau of Investigation, InfraGard program, InfraGard FBI Cyber Security Collaboration. See http://www.infragard.net/.
Federal Information Processing Standard (FIPS) 200, Minimum SecurityRequirements for Federal Information and Information Systems, March 2006. See http://csrc.nist.gov/publications/fips/fips200/FIPS‐200‐final‐march.pdf.
FIPS 199, Standards for Security Categorization of Federal Information andInformation Systems, February 2004. See http://csrc.nist.gov/publications/fips/fips199/FIPS‐PUB‐199‐final.pdf.
31
Available Resources (cont’d.) Idaho National Laboratory, Cyber Assessment Methods for SCADA
Security, 2005. See http://www.naseo.org/eaguidelines/documents/cybersecurity/SCADA_Security.pdf.
National Institute of Standards and Technology (NIST) Special Publication (SP), 800‐39, DRAFT Managing Risk from Information Systems: An Organizational Perspective, April 2008. See http://csrc.nist.gov/publications/drafts/800‐39/SP800‐39‐spdsz.pdf.
North American Electric Reliability Corporation (NERC), Security Guidelines for the Electricity Sector: Vulnerability and Risk Assessment, June 2002. See http://csrc.nist.gov/publications/fips/fips199/FIPS‐PUB‐199‐final.pdf.
Smart Grid Cyber Security Blog Spot. See http://smartgridsecurity.blogspot.com/.
U.S. Department of Homeland Security National Infrastructure Protection Plan, 2009. See http://www.dhs.gov/nipp.
32
Available Resources (cont’d.) U.S. Department of Homeland Security IT, telecommunications, and
energy sectors sector specific plans (SSPs), and updated tri‐annually. See http://www.dhs.gov/files/programs/gc_1179866197607.shtm
U.S. Department of Energy (DOE) Office of Electricity Delivery and Energy Reliability (OE) and the Energy Sector Control Systems Working Group, Roadmap to Achieve Energy Delivery Systems Cybersecurity, September 2011. See http://www.cyber.st.dhs.gov/wp‐content/uploads/2011/09/Energy_Roadmap.pdf
U. S. Computer Emergency Readiness Team (US‐CERT), U.S. Department of Homeland Security. See http://www.us‐cert.gov/.
American Petroleum Institute Security Guidelines for the Petroleum Industry, April 2005. See http://new.api.org/policy/otherissues/upload/Security.pdf
Idaho National Engineering and Environmental Laboratory A Comparison of Oil and Gas Segment Cyber Security Standards, November 2004. See http://www.naseo.org/eaguidelines/documents/cybersecurity/Comparison of Oil and Gas Security.pdf
33
Thank you!Questions?
Christina Cody Program Officer, Grants and Research
(202) 898‐9374
U. S. Department of Homeland Security Office of Infrastructure Protection
The Association of Electrical Equipment and Medical Imaging Manufacturers
Storm Recovery—Building Stronger, Smarter Electrical Grids
CSG Policy Webinar SeriesJune 12, 2013
The Association of Electrical Equipment andMedical Imaging Manufacturers
NEMA Leads in Standards Development 400-plus member companies
54 Industry Segments Support over 1 million U.S. jobs Operate more than 7,300 facilities Products in the NEMA Scope
• $100 billion U.S. domestic revenue• $30 billion exports
Promotes development and maintenance of product standards—domestic, regional, international NEMA publishes over 500 standards including the following
• 236 NEMA Standards Publications• 46 ANSI/NEMA Standards• 266 American National Standards
81 CANENA Harmonized Product Safety Standards, 6 of which are IEC based • Supported by 24 NEMA Product Sections• 44 active work programs, 21 are IEC based
56 IEC and 6 ISO Technical Advisory Groups (TAGs) 5 international Secretariats
300+ NEMA representatives on committees of other organizations
2
The Association of Electrical Equipment andMedical Imaging Manufacturers
Electrical Perspectives on Storm Recovery
Objectives
Save Lives Protect Property Mitigate Impacts From Future
Outages Reliability Resilience Recovery
Technologies
Smart Grid Solutions Microgrids, Energy Storage,
Distr. Generation Backup Power Wiring, Cabling and
Components Replacing and Relocating
Electrical Equipment Disaster Recovery Planning
3
The Association of Electrical Equipment andMedical Imaging Manufacturers
Google Crisis Map: Long Island, NY
4
The Association of Electrical Equipment andMedical Imaging Manufacturers
Smart Grid Solutions
Key Components Smart Meters Sensors Distribution Automation Global Information Systems Outage Management Systems Cybersecurity
Benefits Fault identification Automated re-routing of
electric power around damaged areas
Verification of power restoration
Volt/Var control Multi-path communications 5
The Association of Electrical Equipment andMedical Imaging Manufacturers
Microgrids, Storage & Distributed Generation
Components Generation Source Distribution System Monitoring & Control Grid Sensing Islanding Capability
Benefits Extreme Reliability Fukushima vs. NYC
• Hundreds evacuated from Bellevue and NYU hospital during Sandy
• Zero evacuations from Tohoku Fukushi University following Fukushima earthquake and tsunami
6
Photo: UC-San Diego Microgrid Projectwww.ucsd.edu
The Association of Electrical Equipment andMedical Imaging Manufacturers
Backup Power Generation
Components Generation Source Fuel Source LOCATION MAINTENANCE & TESTING
Benefits Readily available on the
commercial market Variable sizes for every load
requirement and budget Allows local load shaping
(demand response)
7
Diagram: How it Workswww.amazon.com
The Association of Electrical Equipment andMedical Imaging Manufacturers
Wiring, Cabling & Components
8
Components High-voltage underground
transmission Medium-voltage distribution Cable-in-conduit Self-healing 600V
Underground Distribution (UD) Cables
Arc- and Ground-Fault Circuit Interrupters (AFCI/GFCI)
Benefits Resiliency Submersible Technologies
Photo: Superconducting Transmission Cablewww.greenresearch.com
The Association of Electrical Equipment andMedical Imaging Manufacturers
Replacing and Relocating Equipment
Components Risk Assessment Storm Threat Criticality of the device Site Accessibility Environmental Assessment Facility Hardening
Benefits Increased Resilience Increased Reliability Faster Recovery
Photo: South Street Seaport Museumwww.nycreconnects.com
9
The Association of Electrical Equipment andMedical Imaging Manufacturers
Disaster Recovery Planning
10
Components Assessment Planning Implementation Information Resources
• Sources During the Storm• Responders/Collaborators
Benefits Protect lives Save property Faster Recovery
Diagram: DR Mind Mapwww.workingworld.ca
The Association of Electrical Equipment andMedical Imaging Manufacturers
What can states do?
Start dialog with utility commissions and other utility stakeholders to develop a state-wide implementation plan for smart grid
Ensure your state has an updated disaster recovery plan
Evaluate statutes and regulatory policies that might be prohibitive to microgrids
Adopt and enforce the most current building codes to promote safety and protect property
11
The Association of Electrical Equipment andMedical Imaging Manufacturers
References National Electrical Manufacturers
Association (NEMA) www.nema.org/smartgrid Electrical Standards Product
Guide (ESPG)• http://www.nema.org/Communicat
ions/Pages/ESPG.aspx• Wire & Cable standards
Evaluating Water-Damaged Electrical Equipment
National Institute of Standards and Technology (NIST) www.nist.gov/smartgrid NISTIR 1108R2 – Framework &
Roadmap for Smart Grid NISIR 7628 - Cybersecurity
National Fire Protection Association (NFPA) www.nfpa.org NFPA 70 – National Electrical
Code
US Dept. of Energy Office of Electricity (OE) PNNL Report13277
Underwriters Laboratories UL Standard 2200
North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection
Standards (NERC-CIP)
Smart Grid Interoperability Panel www.sgip.org
12
The Association of Electrical Equipment andMedical Imaging Manufacturers
Questions and Discussion
Paul A. MolitorNational Electrical Manufacturers Association (NEMA)
[email protected] (703) 841-3262
13
“Governors in the Northeast have access to more than $50 billion in reconstruction funds recently allocated by Congress. They can use it to put in ‘traditional’ gear and thereby
return their regions to where they were in 1975. Or they can use that same money to put in "smart" gear and leapfrog their regions into this century. May I suggest that you
download the NEMA paper and forward it to your state lawmakers?”
‐‐ Jesse Berst, SmartGridNews.com, February 27, 2013
The Association of Electrical Equipment andMedical Imaging Manufacturers