By Meir Shargal
Many utilities are struggling with AMI security standards. One standard that comes up more often than the others is the North American Energy Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards. These standards, while still evolving, are defining the security around control of the transmission grid.
The history of the standards can be found not only in the aftermath of the terrorist attacks in New York and Washington DC in 2001, but also the blackout of 2003 that darkened much of the Northeastern grid in North America. The Federal Energy Regulatory Commission (FERC) pushed hard for grid security to ensure higher grid reliability and protection for generation and transmission. Already in the works by NERC was a set of security standards that would cover most of the control systems for transmission. These standards evolved into today’s eight NERC standards, CIP-002 through CIP-009, which touch everything a utility does from generation and transmission through distribution and corporate operations, and dictate measures utilities must take in identifying and protecting critical cyber assets.
The CIP standards do not make any reference to specific technologies, hardware and software choices, and specifications are left to the utility, including the decisions about encryption algorithms, authentication mechanisms, and even open versus proprietary technologies. What the CIP standards do is dictate that the utility must document its risk-based assessment. The CIP standards consistently make reference to the use of “reasonable business judgment,” and allow for situations when requirements may not be “technically feasible.” In short it is up to the utility to determine how to meet the standards.
Where they do get specific is in two areas that may impact an AMI deployment. The first is the ability to shed 300 MW of load. As more and more utilities look at disconnect switches in all of their meters, they will cross the threshold for the 300 MW load shedding trigger. This will mean that the NERC CIP will apply. If one assumes that each household at peak has a 3 kW load, then any utility that deploys 100,000 meters will be subject to the requirements in the NERC CIP. Because of the change in status of NERC by FERC, even if a utility owns no generation and no transmission and is not a member of NERC, the standards will still apply. Municipal and cooperative utilities that have no current exposure to NERC will find themselves subject to NERC audits and record keeping if they cross this threshold.
The second area is far more of a grey area. This is the one that discusses control systems on the grid. The NERC CIP standard definitions are so broad that any system today with a Home Area Network or a disconnect switch may fall under this requirement. Work is being done to determine how to better define this requirement. Remember that the NERC CIP documents are evolving and that they have been called incomplete by many industry and security specialists. Instead of adopting them as they stand, FERC issued revisions in its Notice of proposed rule making on 19 July. Most utilities were not ready to implement the NERC CIP requirements on the transmission system in July when this ruling was issued, let alone the changes proposed by FERC. The problem of course is that the fines are up to a million dollars per day for violation of the NERC CIP requirements. For many small utilities this cost could, in a few months, exceed the total cost of AMI deployment and completely wipe out a business case. Closing this grey area will be critical.
ANSI C12.22 was supposed to be the answer to security for AMI, but it does not account for the realities of NERC-CIP or the changes in the way that AMI is being deployed with large numbers of disconnect switches. Itron and others have quietly started an effort to update and upgrade C12.22. In addition the Utility AMI group has also quietly started a sub-team called AMI-SEC to look at these issues. There have been a couple of meetings to date and work assignments have been made to various members.
Back on the issue of the NERC CIP, there is work to do there as well. In more technical terms, the CIP standards need to be enhanced to support AMI authentication, authorisation and auditing mechanisms, as well as a host of other fundamental security functions. The residential meter does not inherently fall under the purview of the current standards. The need to comply with the NERC CIP standards will not interfere with the utilities’ choices in selecting AMI technologies. AMI vendors are just starting to learn about operating in a networked environment as they are moving from a world of one-way meters to two-way online meters.
As usual technology has advanced faster than the standards that are required to support it. If one is serious about an AMI deployment in North America then one needs to become very aware of the NERC CIP.