FERC is about to Strengthen the Critical Infrastructure Protection (CIP) Requirements

Security is (so far) likely the most crucial key word in 2016. We all want to live in a secure world with a secure power delivery system and many other infrastructures.
There are many rules set by well known standard setting organizations. One is the US Federal Energy Regulatory Commission (FERC). They have published the Critical Infrastructure Protection (CIP) Reliability Standards years ago. Usually the rules are improved after something serious happened. What happend some months ago? Yes, the Dec 23, 2015 cyber attack on the electric grid in Ukraine.
A lot of reports have been published recently.
FERC seeks comments (in this summer) on possible modifications to the CIP Reliability Standards - and any potential impacts on the operation of the Bulk-Power System resulting from such modifications - to address the following matters:

1. separation between the Internet and BES Cyber Systems in Control Centers performing transmission operator functions; and
2. computer administration practices that prevent unauthorized programs from running, referred to as “application whitelisting,” for cyber systems in Control Centers.

Click HERE to access the FERC Docket No. RM16-18-000 that has all the details.

Security standards are one measure to improve the protection of technical systems - but the most crucial issue is: TRUST! Trust is what it's really all about. I hope that all readers of this IEC 61850 blog trust me! I do my best!

By the way, the security requirements on paper or in a PDF document do not protect any system. It is the human beings (you can trust) that have to understand the complexity of the power delivery system, the software applications, communication, and administration of the hardware and software. This requires well educated people - educated in many different (or even all) domains -, sufficient resources, and decisions to implement what is needed.

Rene Descartes (1596-1650) understood it already very well what we have to do: "Hence we must believe that all the sciences are so interconnected, that it is much easier to study them all together than to isolate one from all others. If, therefore, anyone wishes to search out the truth of things in serious ernest, he ought not to select one special science, for all the sciences are cojoined with each other and interdependent."

And: Teamwork makes the dream work!

Stay safe!

Cisco’s conclusion on FERC’s Non-Ruling on IEC Standards

FERC (Federal Energy Regulatory Commission) decided in July 2011 to not (yet) rule on five Smart Grid standard series suggested by the National Institute of Standards Technology (NIST) / Smart Grid Interoperability Panel (SGIP). These families of standards defined by the International Electrotechnical Commission (IEC) were nominated by NIST/SGIP for consideration by FERC in rule making in October 2011. These are:

• IEC 61968: Application Integration at Electric Utilities-System Interfaces for Distribution Management
• IEC 61970: Energy management system application program interface
• IEC 61850: Communication Networks and Systems for Power Utility Automation
• IEC 60870-6 series: Telecontrol protocols compatible with ISO standards and ITU-T recommendations
• IEC 62351: Power systems management and associated information exchange - data and communications security

Cisco’s position on this FERC non-ruling (according to their website – see below) is:

• "Are the IEC standards really not ready for prime time? This is unlikely because most of these standards are already in use outside North America.
• Is cyber security a solved problem? Not likely, as long as there are hackers in the world, cyber security will be an on-going challenge.
• Is cyber security an intractable problem? Far from it, the public Internet and private Internets (e.g. DoD) can be highly secure networks. And open-standards, community-based security mechanisms are far superior to "security by obscurity", or the status quo in utility networking which largely consists of hundreds of parallel SCADA networks.
• Is greater awareness and education required? Indeed yes. The utility industry and the regulatory commissions need to hear from the Internet community of vendors, service providers, network operators, system admins, and cyber security experts, how packet networks can be made secure.

The FERC non-action is both a temporary setback and a call-to-action for the Smart Grid community. The concerns expressed by FERC and the regulators are genuine and need to be addressed. Unfortunately, the need for standards in transmission and distribution networks can't be put off. Fortunately, the cyber security questions related to the Smart Grid have good answers available from the long experience of the Internet.

Click HERE for the Cisco Developer Network statement on FERC’s non-ruling.

What is true for the security issues (IEC 62351) is true for the other standard families, too! Many engineers need to become aware of the huge challenges by more education and training!!

Investment in peopleware is one of the needed actions to keep the power flowing.

Click HERE for more discussions on peopleware.

Next opportunity in North America:

Nashville (TN, USA)
20.-21. September 2011
Remote Conference
2 day Seminar (conducted by NettedAutomation) on Power System Communication covering IEC 61850, IEC 61400-25, DNP3, NIST Interoperability Roadmap, Smart Grids, security standards, ...
http://www.remotemagazine.com/rem-conf11/rem11_workshop.php

FERC and the five IEC Standard Families

FERC recommended in October 2010 to start a rulemaking process in order to mandate the five families (IEC 61968, IE 61970, IEC 60870-6 TASE.2, IEC 61850 and IEC 62351) for the North American market. For details click HERE.

After many meetings and discussions FERC decided now to recommend these standards – but not to mandate them.

There are good reasons to keep the standardization process going and not to stop the development of these standards and not to freeze the current content. As I always say: We are still at the very beginning of the development and application of theses standards. Of course, the basic technology is defined and mature – but we all need more experience and feedback so that the standards can be improved and extended.

Adoption of any of these standard series mandated by a regulator could harm the whole process of adoption of these standards – because it could stop or blockade the needed maintenance of the standards.

At this time, the five standard families are still recommended by NIST and FERC for guidance in the development of smart(er) grid supporting technologies.

For the standards IEC 61850, IEC 61400-25, IEC 60870-6 TASE.2, and IEC 62351 there seems to be no discussion anymore if these standards will be adopted by the power utility market or not !! The market HAS ADOPTED these standards already. Even if a utility does not ask for IEC 61850 – it will get it! What else?

These standards don’t need any rule making, don’t need to become mandatory standards in the North American market. They are already THE GLOBALLY ACCEPTED AND USED STANDARDS!! The North American market is also about to adopt these standards. The wait for the rulemaking is over (for now) – these standards can and will be used in North America as in the rest of the world.

Note: There is NO competing solution for these standards on my radar screen at all – really.

Click HERE for the official order of FERC [Docket No. RM11-2-000] dated July 19, 2011.