Executive Order 13636 requires, among other things, the National Institute of Standards and Technology (NIST) to develop a “Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.”  There is a lot of good detail as to what is expected to be in this framework, whose requirements run to a full page.  Recently, NIST hosted its first Cybersecurity Framework Workshop to address those necessities.  This particular workshop resulted from the following specific requirement: “In developing the Cybersecurity Framework, the Director shall engage in an open public review and comment process.”  The director of NIST must deliver a framework within 1 year of the publication of the Executive Order (EO); that is, no later than February 19, 2014.

I’m not sure what a framework workshop is, or how many times the word “work” must appear in a meeting title before people will believe that you plan to accomplish something.  At any rate, over 700 people attended the workshop ‑ quite large to qualify as a workshop.  Living in the Dallas-Fort Worth area, I remember years when the Texas Rangers could barely get 700 people to attend their baseball games (unless Nolan Ryan was pitching).  Besides, here in Texas, anything with 700 members is usually called a herd.

Engaged, Considered

Whatever you call it, this event was important.  Strictly speaking, the 700 workshop attendees were allowed to comment, but the EO only requires the Secretary of Homeland Security to “engage and consider” their advice.  Based upon past experience, the likelihood of their input being ignored is very low.

I may be a bit skeptical here because I’ve watched the North American Electric Reliability Corp. (NERC) labor to adopt seemingly minor clarifications to the CIP Reliability Standards (which it then invalidates).  It has repeatedly been hamstrung by large attendee lists that include sometimes contradictory agendas.  Anyway, quoting the EO, 9 months from now we shall have:

• A prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk
• Methodologies to identify and mitigate impacts of the Cybersecurity Framework … on business confidentiality, and to protect individual privacy and civil liberties

After that, quoting Section 8(a) of the EO, “The Secretary, in coordination with Sector-Specific Agencies, shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities.”

In other words, 1 year to develop a framework of non-binding recommendations for the protection of critical infrastructure.  Here in the smart grid world, we already have that.  It’s called the NISTIR 7628 series.  So maybe it’s a very good call to have NIST run this play.  But you’d have to accept that critical infrastructure owners will spend money on protection that they are not required to spend.  To date, that trend is not encouraging.

During a recent thunderstorm, a power surge fried the motor of my pool pump.  With prime algae-growing season nearly upon us in Texas, this was suboptimal timing.  Still, being a smart grid researcher, I thought I’d write to my co-operative power supplier, CoServ, and find out what happened.  So I sent a short note via their “Contact Us” web page, asking if they could look into their distribution management system for that Sunday morning and see if there had been a power swell in my neighborhood.  This was purely out of curiosity – this is what I do for a living, right?  Here’s the reply that I received about 4 days later:

 Thank you for taking the time to contact CoServ Electric. As you are aware there were adverse weather conditions in your area at the time of the service abnormalities.

CoServ Electric works hard to ensure all our members receive reliable service. However, because of the nature of the electric utility industry, continuous service cannot be guaranteed. (For example, situations involving animals on the lines, unforeseeable equipment issues, or weather events such as happened in your case.) Because this event was an “Act of God” and not something we could have foreseen or prevented, we cannot accept liability for any reported damage. We recommend contacting a qualified electrician to make sure your electric service beyond the point of service (the electric meter) is properly protected from common outside disturbances.

Thank you again for your report and for allowing us to serve you as a member of CoServ Electric. If you would like to discuss this situation further, feel free to contact me.

Okay, I admit that lots of people walk around with an entitlement mentality.  Still, it would never occur to me that my power utility is responsible for lightning strikes.  Is CoServ up there in the sky hurling thunderbolts at my pool?  Of course not.  They bear no liability for the pump.  So why such a defensive response?

Litigation Phobia

Here’s my theory: because their lawyers made them to do it.  In its 108-page tariff for electric service, CoServ already states that it is not responsible for acts of God.  Nor should it be.  Making any utility liable for all acts of God in its service area would most likely render that utility bankrupt.

And that’s the problem.  I have seen (but will not link here) job postings for “NERC Compliance Manager” where one of the essential candidate requirements is a law degree.  An analysis of NERC CIP v4, which added additional clarification of the term “critical cyber asset” (CCA), shows 17 new clauses to define a CCA.  Each of those clauses gives a utility enough wiggle room in a courtroom to escape penalty.

I’m currently researching cyber security for smart grid telecommunications.  As ever, the overriding investment theme for cyber security emerges as avoidance of fines or litigation.  After 23 research interviews I have a consensus response that there are a handful of utilities in the United States that proactively address cyber security, in each case because of a single individual that really cares.  The remaining utilities are characterized by my contacts as doing the minimum necessary to avoid legal consequences.

Don’t get me wrong – I’m all for keeping our utilities healthy financially.  From a purely selfish perspective, researching those utilities puts bread on my table.  But – can we please focus on operations and reliability, not legal ramifications?

Utilities want to know if vendors are overselling their wares.  Are vendors making commitments that that they really should not?  Sometimes it’s hard to know what a product will actually do – or not do – until it’s installed and running.  So most buyers will try to assure themselves that the product – hardware or software – will do what it says on the label.

But there’s another side that gets less attention: do vendors underplay the difficulty of living with a product?   As Calvin once explained to Hobbes, there’s a big difference between getting something and having something.  After the discussion session at a recent smart grid conference, I understand that having meter data management (MDM) can be more complicated than buyers may grasp during the acquisition cycle.

At the conference session, I joined five utility executives discussing their experiences implementing MDM.  The group was given a preset list of questions to discuss.  The first, “What have you learned from going beyond billing?” resulted in a bunch of blank stares.  The reason: that’s all these utilities have done with MDM – generate bills.  There is little “beyond billing” yet.

Perhaps the most common theme of the discussion was the difficulty of installing MDM and then integrating it with other applications.  All of the participants felt that this aspect had been underplayed by their vendors during the MDM purchase cycle.  Integration of MDM to other applications such as energy management, outage management, or customer information systems, has proven far more difficult than expected.

Response Times Slowed

All five utility officials were also dissatisfied with their MDM’s reporting capabilities.  Several utilities had reinstalled legacy reporting systems, piping the data from the new MDM back to the reinstalled legacy systems.  The group also wanted a separate replicated MDM database for reporting because running complex analyses against the online database significantly slows the response to real-time queries – usually driven by customer portals on the Internet or help desk agents on a call.

Everyone present agreed that MDM should be done before a smart meter rollout, or at least simultaneously.  No one thought it a good idea to deploy smart meters before the MDM was in place.  Some of the group felt that the holy grail of smart metering – interval readings every 15 minutes – is useless for residential applications, although useful in commercial and industrial applications.  One panelist said his utility had activated remote disconnect for only 1% of its smart meters, although that was due to local regulations governing disconnect processes.

Navigant Research’s report, Meter Data Management, published 3Q 2012,  stressed the need for detailed planning before installing an MDM system.  These discussions reminded me how true that is!

Utilities expect smart grid technologies to help them in three key areas:  grid efficiency, financial management, and customer engagement.  Of the three, customer engagement gets by far the least attention in the media.  But as often happens, what we read in the papers is merely the tip of utilities’ project iceberg.  At the ElsterConnect conference in San Antonio, I saw an impressive example of enriched customer engagement.  The keynote speaker was Michael Lowe, chief customer executive at Salt River Project (SRP).

Chief what, you ask?  Already you’ve sensed the problem – many utilities don’t rate their customers highly enough to give them their own chief executive.  That was the first hint that SRP is going about things differently.

Mr. Lowe declared that every customer interaction with SRP must be rewarding, easy, and pleasant.  Those three words were on the screen in what looked like 1,000-point font throughout much of his remarks.  SRP’s goal is that 90% of its calls are answered within 30 seconds, and they have set no limit on how long a customer call can last – the company doesn’t even collect that data.  That is pure heresy to classic call center management but pure bliss to SRP customers.

We Guarantee It

SRP says it hires its customer service agents for attitude in a hiring process that’s described as speed dating.  The underlying concept is that happy employees will yield happy customers, and successful current employees are the best judge of who will make great future employees.

SRP’s goal is to make energy tangible to their customers, to get the customers to think about it.  That means giving them enough information, in ways that are easy to receive and digest.  The most popular page on SRP’s website is the daily usage graph, which each customer can access for their own account.  Customers can get a weekly SMS text message showing their anticipated monthly bill, given current usage.  Customers can pay their bill via phone call, text message, at hundreds of kiosks in the Phoenix metropolitan area, or by U.S. mail.  Only 20% are paying via post now.  Meanwhile, giving more information to customers online has reduced phone contacts by 28%.

SRP also offers time-of-use billing through their EZ-3 program, to shift usage away from the 3 p.m. to 6 p.m. peak demand period.  So far, 20% of its customers have volunteered out 845,000 smart meters deployed.  The program includes a money-back guarantee: If TOU billing doesn’t lower a customer’s bill, then SRP refunds the difference and returns the customer to single-rate billing.

Finally, 15% of SRP’s customers use prepaid plans.  Doing the math, that is about 125,000 prepay customers – the largest prepay program in North America and far beyond any definition of a pilot.  Prepay users reduce their monthly energy bills by 12% on average, thanks to the discipline required by prepay plans.  Improving service, apparently, carries benefits for the utility and for its customers.