Should security requirements just include the "what" and not the "how"?

H. Christine Richards | Dec 08, 2009


As I perused Energy Central Professional yesterday morning with my morning cup of caffeinated and carbonated joe [i.e., pop (or soda)], I noticed an article from Public Power Weekly entitled "Smart grid cyber standards must work for all utilities, APPA tells NIST." The article discusses the American Public Power Association's (APPA) comments on a draft report by the National Institute of Standards and Technology (NIST). APPA said that NIST "needs to build sufficient flexibility into its cyber security requirements to accommodate the sizes and business models of consumer-owned systems." The statement reminded me that, when moving toward a smarter grid and more intelligent utility, company size -- and other factors -- impacts the shape and scope of smart initiatives for each utility. At the same time, however, minimum levels of security and functionality need to be in place to ensure that these smart efforts are effective and secure. Industry requirements are moving forward to dictate the "what" of security requirements, but do they need to dictate the "how" of accomplishing those requirements? And what impact does the "how" have on various utilities' abilities to move forward with building smarter grids and more intelligent utilities?  

In Intelligent Utility magazine, we have talked about how utilities of all sizes and structures can learn from one another about various smart initiatives, from smart meters to smart substations to smart transmission systems. Whatever specific project a utility is tackling, the project ultimately feeds into a more universal goal of delivering information-enabled energy. What smart initiative a utility chooses to tackle first and how it accomplishes that initiative can vary depending on the utility. As Jim Greer, senior vice president of asset management and engineering at Oncor, pointed out to me in a recent conversation, "It's OK to have multiple definitions for smart grid because each utility, each jurisdiction, is going to have different priorities. What they're going to need is different and therefore our systems will be different. We're moving forward on the areas that make the most sense for us." Things such as different business drivers, utility company structures, regulatory requirements and public policies fuel the different approaches.

OK, so there are different approaches to building out the "smarts." At the same time, even though there are different approaches to building smarter grids and ultimately more intelligent utilities, there are certain requirements that need to be put into place to ensure not just a smarter grid, but also a more efficient and secure grid. Cyber security is obviously one of those requirements. Is it enough though to say what cyber security requirements are, but not prescribe how to best meet those requirements? And should the requirements themselves even be the same for different types of utilities? For example, APPA argues in the article that "while all utilities should implement appropriate safeguards for [personal information], those safeguards do not necessarily have to be at the same level to be effective." APPA also goes on to say that NIST should "avoid requirements that dictate 'how' to comply with a standard or requirement since that can stifle innovative, least-cost options." Do you agree?

We look forward to discussing this and other issues with all the players in the emerging intelligent utility. If you have thoughts you'd like to share, please contact me by e-mail at or by telephone at 303-228-4762.


The "What" not the "how" for smart grid

Hi Christine:

Very interesting comments.

I recently attended a presentation on the "smart grid" by a major mid-western electric utility.  This utility has already started to install "smart meters" in selected service areas.

When I asked whether the utility had looked at what was going on in the rest of the world in the "smart grid" area, the answer I got was disturbing.  The speaker referred to activities in California.  I had to point out to him that I meant the rest of the world as in outside of the US. No, they had not, he said. 

Europe is far ahead of the US in this area and has a somewhat similar utility structure involving a number of different countries/states (and languages) and public and investor owned utilities.  So, why does the US not want to learn from the European experience?  Is the "Not Invented Here" mentality that prevalent?

In August 2003 there was a major blackout involving large parts of the northeastern US and parts of Canada.  Part of the cause appears to have been actions or lack of actions taken by one utility.  If each US utility is left to develop its own version of the "smart grid" driven by its own profit motives, the "smart grid" may rapidly become the "black hole." 

A number of "smart grid" levels are needed; at least local and global.  Local would be remote meter reading (AMI) and local system control.  Global would be any actions that could have consequences outside the service area of the utility. Some type of firewall would be required between the controls for these two levels.

Cyber security is another issue that should drive how individual utilities implement aspects of the "smart grid".  On a local level, if the AMI system is hacked, energy theft could reach levels currently unimaginable.

On a global level hacking could cause major nationwide blackouts that may take days to correct.  Currently, humans, assisted by computers, make system security decisions (sometimes not wisely, as evidenced by the 2003 blackout) which can take time.  If a hacked computer system or systems are making these decisions at the speed of light the results could be catastrophic.

The midwestern utility assured me that they are going to have their IT people try to hack the system to ensure that it is secure.  Well, I'm sure Microsoft does that too but it does not seem to stop hackers.  I propose that the utility industry establish a "smart grid" Hackers Fund. The prize for hacking the "smart grid" should be large, say, $100,000.00 and no repercussion for the successful hackers so long as they explained in great detail how they had hacked the system.  This would need to be a continuing fund because as the utilities "improve" the system it will become prone to other hacks.

It would appear that NERC should be front and center in the "smart grid" arena since it is responsible for electric system reliability. And it is.  Refer to "Comments of the North American Electric Reliability Corporation (NERC) in response to the commission's (FERC) March 19, 2009 proposed smart grid policy statement."  NERC's comments imply that an overall smart grid implementation policy is needed and it will move forward to establish standards to ensure that happens.  So it would appear that the lone wolf approach to the "smart grid" is not acceptable to NERC or FERC.

Hopefully, US utilities and public utility commissions will not approach the "smart grid" in the same way they approached de-regulation.  Remember the California de-regulation disaster.

This is the message I got when I tried to submit these comments.

The spam filter installed on this site is currently unavailable. Per site policy, we are unable to accept new submissions until that problem is resolved. Please try resubmitting the form in a couple of minutes.