Navigant Research Blog

New Federal Standard Mandates Physical Grid Security

— August 12, 2014

The North American Electric Reliability Corporation (NERC) is currently drafting a physical security standard for approval by the Federal Energy Regulatory Commission (FERC).  This much-needed proposed standard will eventually prescribe physical security for transmission stations and substations operating above 500 kV, and in some cases operating as low as 200 kV.  Say hello to NERC CIP-014-1.

The stated purpose of NERC CIP-014-1 is: “To identify and protect transmission stations and transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or cascading within an interconnection.”

CIP-014-1, or “Sip Fourteen,” requires each transmission operator to perform an initial physical security risk assessment and periodic subsequent physical risk assessments.  Effective security proceeds from a thorough risk assessment – this is the right starting place.  Each risk assessment then requires an audit by a third party.  The plan goes on to require operators to define risk mitigation plans, to have those plans audited by a third party, and to then implement the plan.  Finally, a third party must validate that the plan has been properly implemented.

Not So Wide

This sounds like a long, drawn-out process, but it’s the right pathway: assess the risk, plan the mitigation, and then execute the plan.  Each step audited by a non-affiliated third party.  Security done right.

The FERC liked NERC’s proposal except for one word: widespread.  Where the FERC had directed NERC to develop a plan that requires “identification of facilities whose loss could result in instability, uncontrolled separation, or cascading failures,” NERC modified the requirement to prevent widespread instability.  The FERC rejected this: “The term ‘widespread’ is undefined and could potentially render the Reliability Standard unenforceable or could lead to an inadequate level of reliability by omitting facilities that are critical to the reliable operation of the Bulk-Power System.”

In other words, the FERC is nervous that any given utility may choose to define widespread instability as a total global blackout, making anything less severe outside the scope of this standard.  There’s a precedent for this: the original deployment of NERC CIP standards resulted in 77% of U.S. utilities claiming that they had no critical cyber assets and were therefore automatically NERC CIP-compliant without taking any action.  It’s not exactly back to the drawing board for NERC, as the FERC praised much of NERC’s proposed standard, but it is one more go-round of comments, proposals, and approval.  And to the FERC: Good catch!

Plan B

One other much-welcomed bit of goodness in the proposal is resiliency.  The FERC writes in its comments, “Resiliency is as, or even more, important than physical security given that physical security cannot protect against all possible attacks.”  Amen and hallelujah!  As we learned with the Metcalf Substation in April 2013, some kinetic attacks cannot be prevented.  But Pacific Gas and Electric (PG&E) had enough network resiliency in place that even the loss of a large substation resulted in not one outage.  PG&E knew: you can’t hold off all the attackers, but you can have a Plan B in place to deal with their damage.  And if that Plan B is automated, so much the better.


New Approaches Boost Energy Efficiency

— August 7, 2014

National Grid’s U.S. division has rolled out a home energy management (HEM) pilot in Massachusetts that combines free hardware and special applications in a bid to get customers to cut their electricity use and help the utility manage demand more efficiently.  The pilot is targeted at customers in Worcester, which, for the past few years, has been the focal point of National Grid’s testing of smart grid technologies, including new Itron smart meters and other infrastructure upgrades.

About 15,000 customers are eligible to take part in the pilot.  They can choose from several free bundles of technology.  One of the more novel devices is a digital picture frame made by Ceiva that receives electricity consumption data from a smart meter and makes suggestions for reducing use.  Smart thermostats from Carrier and smart electrical plugs from Safeplug are also available.  Ceiva’s software, called Homeview, enables customers to view consumption data online and on mobile devices.  For the utility, Ceiva’s Entryway software suite supports the management of smart meter-connected home area networks, residential demand response (DR) capabilities, and energy efficiency programs.  The pilot is scheduled to last about 2 years at a cost of $44 million.

Cheers All Around

A number of utilities are deploying similar technology to help customers reduce energy consumption.  Glendale Water & Power and San Diego Gas & Electric support Ceiva devices as part of their efforts to encourage customers to use electricity more efficiently.  In addition, utilities like NV Energy, using EcoFactor technology, and Oklahoma Gas & Electric, which has deployed thermostats from Energate and software from Silver Spring Networks, have taken the lead on HEM programs for several years (for a deeper dive into the HEM space, see Navigant Research’s report, Home Energy Management).

Utilities like National Grid and the others mentioned here are to be commended for providing a range of technologies that help customers reduce consumption while also helping utilities meet efficiency targets.  That’s what a smarter grid is intended to do, and more utilities should do the same.


Utilities Warm to Cloud-Based Smart Grid Analytics

— August 5, 2014

Managed services for smart grid applications — also known as smart grid as a service (SGaaS) — haven’t exactly lit a fire under utility executives.  Despite the numerous advantages to outsourcing non-core activities like communications, software applications, monitoring, etc., many large utilities, citing security, control, and economics, prefer to keep these functions in-house.

But as smart grid deployments extend beyond the largest utilities, it seems likely that organizations constrained by finances or personnel will be obliged to consider the SGaaS model if they want to take full advantage of smart grid technology.

Vendors are repackaging their solutions in a spectrum of managed offerings, from hosted to managed to full business process outsourcing.  And cloud service providers, including Amazon, Microsoft, and Google, are actively courting utilities’ business.

On July 14, Itron announced that it has selected Microsoft’s Azure cloud platform for its managed Itron Analytics solution.  Microsoft Azure will maintain the infrastructure, allowing Itron and its customers to focus on the analytics.  Itron says its analytics solutions can be installed locally, run by the utility in the cloud, or operated and managed as part of Itron’s Total Services.

The Whole Enchilada

Itron’s Total Services boxes up the metering, communications, and meter data management, along with analytics, in a fully managed offering.  In other words, Itron will not only turn the knobs, but will also respond to the information coming in.  Texas New Mexico Power (TNMP) in Lewisville, Texas engaged Itron to provide meter data analytics for its 230,000 meters earlier this year.

TNMP told me that “a smart meter can trigger hundreds of alarms; our staff may not have the expertise to best respond, whereas Itron’s analysts do have that proficiency.”  TNMP is also working with ABB’s Ventyx unit for an outage management system (OMS) that will be hosted and administered by Ventyx.

Hefty Growth Ahead

Navigant Research’s report, Smart Grid as a Service, forecasts that the SGaaS market will grow strongly over the next decade.  Our forecast includes a host of managed services for utilities, including home energy management, advanced metering infrastructure (AMI), distribution and substation automation communications, asset management and condition monitoring, demand response, and software solutions and analytics.  We expect to see a $1.7 billion market in 2014 growing to more than $11 billion in 2023.  Software solutions and analytics sold under a software as a service (SaaS) model are the largest category of SGaaS spending today, followed by AMI managed services.

[Chart: Annual SGaaS Revenue by Category, World Markets: 2014-2023]

(Source: Navigant Research)

Challenges to the model do remain, however.  Most notably, the rate of return model that most investor-owned utilities work under encourages them to make their own capital and personnel investments.  But for smaller utilities (e.g., cooperatives and municipals here in the United States), the speed with which solutions can be deployed, and the absence of large upfront investment, will be attractive.


Security Risks of Smart Meters Not New

— August 5, 2014

Recently, the Insurance Journal weighed in on the threats introduced by smart meters.  While I agree that smart metering presents risks both cyber and financial, I submit that many of those risks are merely new flavors of risks that have existed for decades.  And smart meters also introduce benefits that more than offset those threats.

The article seems to equate smart meters with the Internet, though we have yet to find any utility that is actually connecting its meters to the Internet.  (There are utility control systems connected to the Internet, most of which are known to hostile nation-states.)  And it also conflates a number of unrelated topics.  For example, the author cites the recent Havex Trojan, which attacks SCADA systems, not smart meters.  Likewise, the article mentions Stuxnet, which was directed at uranium enrichment centrifuges.  Stuxnet is a cautionary tale for anyone managing a control system, but smart metering networks are not control networks.  Still, the Insurance Journal explores situations worth considering.

Uneasy in the Islands

The successful meter attack described, citing Brian Krebs’ excellent analysis (written 2 years ago), occurred in Puerto Rico.  In that case, former employees of a local utility offered to reprogram residents’ smart meters via the meters’ optical diagnostics port.  For a fee ranging from $300 to $1,000, the technicians would reprogram the meters to under-report energy usage, resulting in a lower electricity bill every month.  This attack had nothing to do with the Internet.

The key to dealing with cyber risks is taking a big picture view of the situation.  In Puerto Rico, the fraud would have been easy to detect.  Utilities can put an additional smart meter at each transformer to measure total energy distributed to the customers on that transformer’s circuit.  When the total energy metered for all the individual customers is less than the total measured at the transformer, clearly something is wrong.  It may or may not be fraud, but it can be identified quickly by the technology described in Navigant Research’s report, Meter Data Management.  The $400 million lost in Puerto Rico indicates that the fraud may have persisted for months or years.  That sum is about 10% of Puerto Rico Electric Power Authority’s (PREPA’s) annual revenue – which seems awfully large to fly under the radar.
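The transformer-level balance check described above, sketched as an added example (it is not from the original post or from any meter data management product). The 5% loss allowance, the three-interval persistence rule, and all meter IDs and readings are constructed assumptions.

```python
from collections import defaultdict

LOSS_ALLOWANCE = 0.05  # assumed share of delivered energy lost as line losses
MIN_INTERVALS = 3      # assumed persistence required before flagging

# Constructed sample: kWh per 15-minute interval, lists aligned by position.
TRANSFORMER_KWH = {"T1": [10.0, 12.0, 11.0, 13.0], "T2": [8.0, 9.0, 8.5, 9.5]}
CUSTOMER_KWH = {
    ("T1", "c1"): [4.9, 5.8, 5.4, 6.3],
    ("T1", "c2"): [4.8, 5.9, 5.3, 6.4],
    ("T2", "c3"): [4.0, 4.4, 4.2, 4.6],
    ("T2", "c4"): [1.5, None, 1.4, 1.7],  # under-reporting meter, one missed read
}

def balance_transformers(transformer_kwh, customer_kwh,
                         loss_allowance=LOSS_ALLOWANCE,
                         min_intervals=MIN_INTERVALS):
    """Return {transformer_id: (suspect_intervals, unaccounted_kwh)} for
    transformers whose customers persistently report less than was delivered."""
    by_transformer = defaultdict(list)
    for (tid, _customer), reads in customer_kwh.items():
        by_transformer[tid].append(reads)

    flagged = {}
    for tid, delivered in transformer_kwh.items():
        suspect, unaccounted = 0, 0.0
        for i, d in enumerate(delivered):
            reads = [r[i] for r in by_transformer[tid]]
            # A missing read (None) makes the interval impossible to balance;
            # skip it so a communications gap is not reported as a shortfall.
            if d is None or d <= 0 or any(r is None for r in reads):
                continue
            gap = d - sum(reads)
            if gap / d > loss_allowance:
                suspect += 1
                unaccounted += gap
        if suspect >= min_intervals:
            flagged[tid] = (suspect, round(unaccounted, 2))
    return flagged

if __name__ == "__main__":
    for tid, (n, kwh) in balance_transformers(TRANSFORMER_KWH, CUSTOMER_KWH).items():
        print(f"{tid}: {n} intervals out of balance, {kwh} kWh unaccounted")
```

A flagged transformer narrows the investigation to the customers on that circuit; the balance alone does not say which meter is under-reporting or whether the cause is fraud.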

Finding Walter White

Smart meters provide other fraud detection capabilities that their electromechanical forebears do not.  One example is credit and collections.  Smart meters typically report energy consumption every 15 minutes.  So, for a customer who is already delinquent and is currently having a large spike in energy consumption (this is a common attribute of illegal activity, such as meth labs), smart meters enable utilities to detect these situations and initiate collection or disconnect activities immediately.  This approach is impossible with monthly-read electromechanical meters.  Plus, remotely disconnecting criminal activities is safer for the utility workforce.

For sure, smart meters introduce attack vectors that did not exist before.  This is a common byproduct of new technology.  Identity theft was much more challenging before we had the Internet – yet, there are few, if any, movements to shut down the Internet because of identity theft.

The Insurance Journal article does quote Navigant Research’s market forecast for global smart meter deployment.  The 1.1 billion smart meters expected to be deployed by 2022 should indicate that it’s time to stop worrying about smart meter security and just get on with it.

