Storm Recovery Webinar 6.12 - Council of State...

Presentation to Council of State Governments, June 14 2013

Miles Keogh, Director of ResearchNational Association of Regulatory Utility

Commissioners

Today’s AgendaI. What is resilience?II. ThreatsIII. Roles

i. Federal ii. Stateiii. Information Protection, Information Managementiv. Cyber Security

IV. What you can do

Infrastructure Protection is a risk management problem Enterprise risk management applies to any decision‐making being made under conditions of uncertainty. Financial risk Regulatory risk Critical Infrastructure protection risks:

An interruption to service, no matter what the origin, interrupts service.

An “all hazards” approach to preparedness helps deal with interruptions no matter the origin?

3

Risk management means considering a continuum:

Vulnerability: how prepared are we? Threat: what could exploit the vulnerability?Likelihood: how often does the event occur?Consequence: how bad would it be?

5

We know how to plan for Utility System Reliability:

Minimizing:• Frequency of Outage• Duration of Outage• Scale of Outage

Critical Infrastructure Protection now also needs to include a focus on Resilience:

• Flexibility (before)• Robustness (before & during) • Resourcefulness (during)• Rapid recovery (after)• Adaptability (after)

The metrics for reliability may leave important resilience investments off the table.

To approve and motivate resilience, it must be defined and be measurable for policy‐makers.

Reliability vs. Resilience

Weather

REUTERS, Fort Calhoun flooded in Eastern Nebraska, June 2011.

N2

N2 Ask: what vulnerability? Threat / likelihood? consequence?NARUC, 9/11/2012

Recent Weather Events 2007 Hurricane Katrina 2008 – 2009 Wildfires Summer 2011 Joplin MO tornado June 2012 North American Derecho Fall 2012 Superstorm Sandy Summer 2013 tornadoes

8

Non‐Weather Events Earthquake Volcano Tsunami Geomagnetic Disturbance (GMD)

Human Impact Accidents/Negligence Workforce

Pandemic Disruption to labor supply or key talent

Human ‐ Intentional Physical Attacks

Low tech. to high tech. Coordinated or wide‐area attacks

e.g. EMP

Cyber Security

Smarter Infrastructure is intended to improve reliability If you can see what you’re doing, you can respond quicker and better

System visualization addresses some vulnerabilities… … but intelligent infrastructure introduces new vulnerabilities which need to be managed if we want to be, on balance, more secure.

12

Smart Grid Security: Three FlavorsConventional IT Systems Control Systems “Smart Grid”

ElectricalInfrastructure

+ + =

13

Why Cyber? (cont’d.) Ubiquity of networks and dependency on them ‐networks are cheaper, faster, more effective

Ease of launching a sophisticated attack New activity by nation‐states and advanced persistent threat

Tools are freely available on the Internet (e.g. GLEG Agora SCADA+)

Interdependencies between sectors

14

Interdependencies A pretty bad hypothetical scenario…

15

Build Resilience

17

Companies and vendors Cyber‐secure operations is the domain of companies. Law enforcement and National Security aren’t their –or our – jobs (generally)

This is going to require new kinds of partnerships.

18

Department of Homeland Security Agency most directly concerned with direct threats to the nation’s energy

infrastructure, vulnerability assessments and responding to those threats

Key Offices for Energy Security: FEMA Provides emergency support and coordination to local responders and

citizens with a focus on essential human needs. Division of Information Analysis and Infrastructure Protection

Determines security needs and priorities Supports state capacity building through training just like this Targets: vulnerabilities with catastrophic potential, e.g. nuclear power plants,

chemical facilities, pipelines and ports DHS Office for State and Local Coordination

Provides primary contact for training, equipment, planning and other critical response needs

Coordinates communication systems from federal to state and local government Distributes research, technical support, warnings and other information

19

Other Roles Law enforcement does law enforcement Intelligence community generates threat info DOE – works to address strategic energy security issues through its efforts on electricity transmission, fuel diversity, energy supplies, research and development and other similar issues

TSA – lead federal agency for security of transportation, including pipelines

Dept. of Commerce Office of Pipeline Safety – regulates safety‐related issues in pipelines

FERC – examines economic issues affecting security costs for utilities under its jurisdiction

Non Feds: NERC, RTOs, Control Area Operators, Utilities

20

State Roles

Emergency Managers

State Energy Offices

State Legislatures

Governors’ Offices

State and Local Police; National Guard

Local Government Contracts

Other States

Utilities and Interdependent Systems

Public Utility Commissions

Federal Lead Agencies

(DOE, EPA, DHS)

Governor’s Office conducts overall emergency planning

Emergency Management Agency provides primary emergency response

Homeland Security, State Military or State Policeprevents criminal and terrorist‐caused disasters

State Energy Office assures supplies of petroleum, heating oil, propane

Other State Agencies Departments of health, environment, social or human services department, transportation departments

At the local levelCounties and Municipal Organizations

21

Roles of Legislatures Establish Agency Regulatory Oversight:

Reliability Planning Resource Diversity

Manage information and authorize information protection

Set liability Set rules for emergency situations

Pricing, quarantine, evacuation, coordination What else?

22

Information protection/ Information Management Connecting information with those who need it breeds success;

Connecting information with those who want it for the wrong reasons is a recipe for disaster. What goes in the public record? What legal protections exist? What capacity exists to protect it from illegal or extra‐legal exploitation?

23

Ask questions… CAREFULLY1. “We can’t protect it so don’t share it.”2. “We can’t protect it onsite but can see it at your site”3. “We can protect it in a special case”4. “We can protect it within a standard case with a

secure hearing”5. “We can protect it as a matter of course”

Some of these approaches require people with specialized skills, clearances, or professional relationships

24

State Actions Seek Information and Education Review Utility Commission Enabling Statutes Recognize Importance of and Encourage Energy Efficiency and Demand Response Programs

Review Utility Oversight Laws for Security Implications

Review Statutes Governing Energy Office and Duties

26

State Actions Review Statutes Influencing Energy System Diversity and Redundancy

Review Statutes Governing Freedom of Information Laws

Reassess Laws and Procedures Governing Open Meetings

Evaluate State Liability Statutes Ensure that Industry and/or State Agencies Have Conducted Appropriate Vulnerability Studies

27

State Actions Update Statutes Governing Emergency Response for Coordination, Delegation, Flexibility and Communication

Examine Possible Unfair Pricing Legislation in Emergencies

Cyber Security

28

Miles KeoghDirector, Grants & [email protected]‐898‐2217

Available Resources Standards and Guidelines:

Bulk Power System: NERC CIP Standards Smart Grid: NIST Interagency Report 7628 (NISTIR 7628)

http://csrc.nist.gov/publications/PubsNISTIRs.html NARUC has developed:

Cybersecurity for State Regulators with Sample Questions for Regulators to Ask Utilities: http://www.naruc.org/Grants/Documents/NARUC%20Cybersecurity%20Primer%20June%202012.pdf

NARUC Critical Infrastructure Committee http://www.naruc.org/committees.cfm?c=46

Monthly Cybersecurity Threat Briefings National Electric Sector Cyber Security Organization (NESCO): EnergySec

formed the NESCO organization as a Public‐private partnership including Utilities, federal agencies, regulators, researches, and academics

National Electric Sector Cyber Security Organization Resource (NESCOR): EPRI was selected to serve as a research and analysis resource to the NESCO program and develop mitigation strategies, best practices and metrics

DOE Smart Grid Investment Grant (SGIG) Program: Required grant recipients to gather info and implement cyber security plans http://energy.gov/oe/technology‐development/smart‐grid/recovery‐act‐smart‐grid‐investment‐grants

30

Available Resources (cont’d.) NASEO Smart Grid Report NARUC Primer AMI‐SEC Task Force Advanced Metering Infrastructure (AMI) System Security

Requirements, December 2008. See http://csrc.nist.gov/publications/fips/fips199/FIPS‐PUB‐199‐final.pdf.

ANSI/ISA‐99, Manufacturing and Control Systems Security, Part 1: Concepts, Models and Terminology, 2007. See http://csrc.nist.gov/publications/fips/fips199/FIPSPUB‐199‐final.pdf.

ANSI/ISA‐99, Manufacturing and Control Systems Security, Part 2: Establishing a Manufacturing and Control Systems Security Program, 2009. See http://csrc.nist.gov/publications/fips/fips199/FIPS‐PUB‐199‐final.pdf.

Federal Bureau of Investigation, InfraGard program, InfraGard FBI Cyber Security Collaboration. See http://www.infragard.net/.

Federal Information Processing Standard (FIPS) 200, Minimum SecurityRequirements for Federal Information and Information Systems, March 2006. See http://csrc.nist.gov/publications/fips/fips200/FIPS‐200‐final‐march.pdf.

FIPS 199, Standards for Security Categorization of Federal Information andInformation Systems, February 2004. See http://csrc.nist.gov/publications/fips/fips199/FIPS‐PUB‐199‐final.pdf.

31

Available Resources (cont’d.) Idaho National Laboratory, Cyber Assessment Methods for SCADA

Security, 2005. See http://www.naseo.org/eaguidelines/documents/cybersecurity/SCADA_Security.pdf.

National Institute of Standards and Technology (NIST) Special Publication (SP), 800‐39, DRAFT Managing Risk from Information Systems: An Organizational Perspective, April 2008. See http://csrc.nist.gov/publications/drafts/800‐39/SP800‐39‐spdsz.pdf.

North American Electric Reliability Corporation (NERC), Security Guidelines for the Electricity Sector: Vulnerability and Risk Assessment, June 2002. See http://csrc.nist.gov/publications/fips/fips199/FIPS‐PUB‐199‐final.pdf.

Smart Grid Cyber Security Blog Spot. See http://smartgridsecurity.blogspot.com/.

U.S. Department of Homeland Security National Infrastructure Protection Plan, 2009. See http://www.dhs.gov/nipp.

32

Available Resources (cont’d.) U.S. Department of Homeland Security IT, telecommunications, and

energy sectors sector specific plans (SSPs), and updated tri‐annually. See http://www.dhs.gov/files/programs/gc_1179866197607.shtm

U.S. Department of Energy (DOE) Office of Electricity Delivery and Energy Reliability (OE) and the Energy Sector Control Systems Working Group, Roadmap to Achieve Energy Delivery Systems Cybersecurity, September 2011. See http://www.cyber.st.dhs.gov/wp‐content/uploads/2011/09/Energy_Roadmap.pdf

U. S. Computer Emergency Readiness Team (US‐CERT), U.S. Department of Homeland Security. See http://www.us‐cert.gov/.

American Petroleum Institute Security Guidelines for the Petroleum Industry, April 2005. See http://new.api.org/policy/otherissues/upload/Security.pdf

Idaho National Engineering and Environmental Laboratory A Comparison of Oil and Gas Segment Cyber Security Standards, November 2004. See http://www.naseo.org/eaguidelines/documents/cybersecurity/Comparison of Oil and Gas Security.pdf

33

Thank you!Questions?

Christina Cody Program Officer, Grants and Research

[email protected]

(202) 898‐9374

U. S. Department of Homeland Security Office of Infrastructure Protection

The Association of Electrical Equipment and Medical Imaging Manufacturers

Storm Recovery—Building Stronger, Smarter Electrical Grids

CSG Policy Webinar SeriesJune 12, 2013

The Association of Electrical Equipment andMedical Imaging Manufacturers

NEMA Leads in Standards Development 400-plus member companies

54 Industry Segments Support over 1 million U.S. jobs Operate more than 7,300 facilities Products in the NEMA Scope

• $100 billion U.S. domestic revenue• $30 billion exports

Promotes development and maintenance of product standards—domestic, regional, international NEMA publishes over 500 standards including the following

• 236 NEMA Standards Publications• 46 ANSI/NEMA Standards• 266 American National Standards

81 CANENA Harmonized Product Safety Standards, 6 of which are IEC based • Supported by 24 NEMA Product Sections• 44 active work programs, 21 are IEC based

56 IEC and 6 ISO Technical Advisory Groups (TAGs) 5 international Secretariats

300+ NEMA representatives on committees of other organizations

2


Electrical Perspectives on Storm Recovery

Objectives

Save Lives Protect Property Mitigate Impacts From Future

Outages Reliability Resilience Recovery

Technologies

Smart Grid Solutions Microgrids, Energy Storage,

Distr. Generation Backup Power Wiring, Cabling and

Components Replacing and Relocating

Electrical Equipment Disaster Recovery Planning

3


Google Crisis Map: Long Island, NY

4


Smart Grid Solutions

Key Components Smart Meters Sensors Distribution Automation Global Information Systems Outage Management Systems Cybersecurity

Benefits Fault identification Automated re-routing of

electric power around damaged areas

Verification of power restoration

Volt/Var control Multi-path communications 5


Microgrids, Storage & Distributed Generation

Components Generation Source Distribution System Monitoring & Control Grid Sensing Islanding Capability

Benefits Extreme Reliability Fukushima vs. NYC

• Hundreds evacuated from Bellevue and NYU hospital during Sandy

• Zero evacuations from Tohoku Fukushi University following Fukushima earthquake and tsunami

6

Photo: UC-San Diego Microgrid Projectwww.ucsd.edu


Backup Power Generation

Components Generation Source Fuel Source LOCATION MAINTENANCE & TESTING

Benefits Readily available on the

commercial market Variable sizes for every load

requirement and budget Allows local load shaping

(demand response)

7

Diagram: How it Workswww.amazon.com


Wiring, Cabling & Components

8

Components High-voltage underground

transmission Medium-voltage distribution Cable-in-conduit Self-healing 600V

Underground Distribution (UD) Cables

Arc- and Ground-Fault Circuit Interrupters (AFCI/GFCI)

Benefits Resiliency Submersible Technologies

Photo: Superconducting Transmission Cablewww.greenresearch.com


Replacing and Relocating Equipment

Components Risk Assessment Storm Threat Criticality of the device Site Accessibility Environmental Assessment Facility Hardening

Benefits Increased Resilience Increased Reliability Faster Recovery

Photo: South Street Seaport Museumwww.nycreconnects.com

9


Disaster Recovery Planning

10

Components Assessment Planning Implementation Information Resources

• Sources During the Storm• Responders/Collaborators

Benefits Protect lives Save property Faster Recovery

Diagram: DR Mind Mapwww.workingworld.ca


What can states do?

Start dialog with utility commissions and other utility stakeholders to develop a state-wide implementation plan for smart grid

Ensure your state has an updated disaster recovery plan

Evaluate statutes and regulatory policies that might be prohibitive to microgrids

Adopt and enforce the most current building codes to promote safety and protect property

11


References National Electrical Manufacturers

Association (NEMA) www.nema.org/smartgrid Electrical Standards Product

Guide (ESPG)• http://www.nema.org/Communicat

ions/Pages/ESPG.aspx• Wire & Cable standards

Evaluating Water-Damaged Electrical Equipment

National Institute of Standards and Technology (NIST) www.nist.gov/smartgrid NISTIR 1108R2 – Framework &

Roadmap for Smart Grid NISIR 7628 - Cybersecurity

National Fire Protection Association (NFPA) www.nfpa.org NFPA 70 – National Electrical

Code

US Dept. of Energy Office of Electricity (OE) PNNL Report13277

Underwriters Laboratories UL Standard 2200

North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection

Standards (NERC-CIP)

Smart Grid Interoperability Panel www.sgip.org

12


Questions and Discussion

Paul A. MolitorNational Electrical Manufacturers Association (NEMA)

[email protected] (703) 841-3262

13

“Governors in the Northeast have access to more than $50 billion in reconstruction funds recently allocated by Congress. They can use it to put in ‘traditional’ gear and thereby

return their regions to where they were in 1975. Or they can use that same money to put in "smart" gear and leapfrog their regions into this century. May I suggest that you

download the NEMA paper and forward it to your state lawmakers?”

‐‐ Jesse Berst, SmartGridNews.com, February 27, 2013

Storm Recovery Webinar 6.12 - Council of State...

Documents

Transcript of Storm Recovery Webinar 6.12 - Council of State...