200 likes | 346 Views
Cybersecurity and Privacy: An Update from California. California Public Utilities Commission NCRA Conference June 17 , 2013. Opening Statements. There is no 100% guarantee of security Ensuring the security of utility grid on par with safety and reliability concerns
E N D
Cybersecurity and Privacy: An Update from California California Public Utilities Commission NCRA Conference June 17, 2013
Opening Statements • There is no 100% guarantee of security • Ensuring the security of utility grid on par with safety and reliability concerns • The grid cannot operate safely and reliably if it is not secure • State PUCs have jurisdiction over electric (and gas and water) utilities distribution networks, and oversee utility investment in that area • Utility rate cases, utility programs (EE, DR), retail market • NERC maintains oversight over the “bulk power market,” i.e., the wholesale market and transmission network • NERC CIP is a compliance based • On-going dialogue across the United States on moving to risk-based approach to cyber-security
Role of California PUC • Regulate electric, natural gas, water, and telecommunications industries • Do not regulate municipal or cooperative utilities • For electric industry, jurisdiction covers distribution grid and retail customers. • FERC has jurisdiction over wholesale markets and the transmission grid • Every three years, or so, utilities filed General Rate Case (GRC) applications to cover expenses. • California is decoupled, so the PUC determines a Revenue Requirement for utilities (Phase 1) and then determines the rates to recover the Revenue Requirement (Phase 2) • In GRCs, utility requests funding to cover operating costs • These requests include funding for cyber-security activities • Also may include requests for new technology • In wake of San Bruno accident, refocusing on safety matters • As part of GRC, PG&E to submit results of safety audit • CPUC Staff recently proposed a $2+ billion penalty against PG&E related to various failures leading to San Bruno accident • Responsible entity for ensuring utility operates in a safe, reliable, and secure manner at a reasonable cost.
Focus on Cybersecurity • As utility seeks funding for new infrastructure investment, need to ensure cybersecurity accounted for in investment • Additionally, need to ensure that legacy investments not left behind • Cybersecurity practices more effective when built in to investment rather than bolted on later • Compliance reporting should act as a floor, not a ceiling • Most wide-spread cybersecurity risk remains phishing • Focus on people! • Risk based approach to cybersecurity offers greater opportunity for utilities to address needs, risks, threats, and response • But there are regulatory challenges….. • And jurisdictional challenges…..
Jurisdictional Issues • Transmission grid (over 100kV) and wholesale markets under FERC jurisdiction • NERC sets cybersecurity requirements here • Distribution grid and retail markets (under 100kV) under state/local jurisdiction • Historically, distribution grid considered “dumber” than transmission grid, so less attention paid to cybersecurity. • However, with increased investment in advanced technologies on distribution grid, increased need to address cybersecurity • Increased tension between Federal and local regulatory bodies as grid becomes more interconnected • Advanced meters • Distributed generation • Demand Response • Efforts by Congress and Administration to mandate standards throughout electric grid
What Do PUCs Need to Know? • Understanding a utility’s process • What are the inputs? • Does the utility have an accurate inventory of its assets? • Cyber threats and vulnerabilities evolve • A 3 year GRC cycle needs to allow sufficient flexibility to meet the changing threats • Separation of IT and ICS networks • Similarities?? Differences?? • Organizational integration • Is there sufficient buy-in across the business unit • Use of standards • Voluntary vs mandatory • Business case for cybersecurity (i.e., cost) • How does one know the “right” amount of money to spend? • How does one know how effective the money was used? • Metrics • Supporting safety and reliability • Understanding the value (and variety) of risks across the business unit • Substations vs. AMI vs. IT etc.
PUC Issues • Limited staff available • Expertise on technical aspects of cybersecurity needed • Who has time to participate in the myriad groups and activities? • Participation by outside parties in proceedings • Valuing something that didn’t happen • Complacency • Costs • Regulatory construct related to pace of technological change • What happens when a cyber-event happens? • What is an acceptable level of risk? • Where will Federal government jurisdiction come down? • Coordination with other agencies, both state and Federal • Pace of threats and vulnerabilities • Access to classified materials and Federal briefings • PUCs likely have few to zero people with security clearances • Reluctance to share information
Information Sharing • Utilities (and vendors) need to be able to share information regarding threats and vulnerabilities • Utilities should also be allowed to share info with regulatory body without fear of liability • Safe Harbor rules may help with information sharing with regulatory bodies • Regulatory bodies should be allowed to protect sensitive information from public release • Laws or rules may be needed to ensure data remains protected • However, would like to have some information available publicly • Metrics
PUC White Paper Recommendations • Suggests CPUC open a rulemaking to consider options for CPUC action on cybersecurity • Cybersecurity framework should be based on a risk-based model • Develop a means to evaluate utility investments in cybersecurity • Develop a reporting protocol for cybersecurity incidents and information sharing regarding breaches and other incidents • Develop an information sharing process that protects sensitive information from release • Develop a Safe Harbor process to protect information sharing with the CPUC • Develop a process for periodic reporting of security tests and audits “The CPUC has a responsibility to ensure the safety and reliability of the grid down to the meter, and to ensure that utilities are prepared for the challenges of grid modernization as it occurs beyond their control. The CPUC also has a responsibility to ensure that ratepayer dollars are being invested effectively in cybersecurity.” White Paper at 23.
Next Steps • Exploration of cybersecurity framework for other industries, i.e., natural gas and water. • To an extent, industries face same challenges: legacy vs advanced technology, IT vs ICS, need to protect infrastructure, need to provide for essential services • Identification of standards • Should the CPUC adopt any? • Identification and adoption of metrics • Need for public reporting balanced with need to protect sensitive information • Creating a culture of security • This is in addition to culture of safety • Vendors • How to address supply chain risks • Shifting responsibility to vendors to meet cybersecurity requirements
Other States • Missouri Public Service Commission opened rulemaking (EW-2013-0011) in July 2012 • Asked 47questions • Responses and reports filed under seal • Texas Public Utility Commission • “Report on Electric Grid Cybersecurity in Texas,” issued November 2012 (http://www.puc.texas.gov/industry/projects/electric/40128/PUCT_Project_40128_Electric_Grid_Cybersecurity_in_Texas.pdf) • Pennsylvania Public Utility Commission • Utilities required to maintain cybersecurity continuity plans, and make available to PA PUC staff • PA PUC staff actively engages with utilities to review practices • Mid-Atlantic Commissions • Joint regulatory effort to coordinate actions and outreach to utilities and other companies to develop a joint, regional plan for cybersecurity • Includes cooperatives, municipal and investor owned utilities, RTOs, FERC, natural gas, and water utilities. • Pennsylvania, Maryland, Delaware, D.C., and New Jersey commissions
Breather • Without security, grid can only be so reliable and safe. • Without privacy, your data can only be so secure. • Challenge for security “is what is enough security?” • Cost-effective • Challenge for privacy is different • Changing cultural norms? • $5+ billion investment in AMI • How to encourage innovation and open data sets while protecting customer privacy • Privacy policies paired with data sharing policies • An informed customer means ______. • Awareness • Understanding • Ability to act/share
Brief History • December 2008: Issued Order Instituting Rulemaking (R.08-12-009) • December 2009: Issued Decision addressing Energy Independence and Security Act requirements and identified customer access issues for next phase of OIR (D.09-12-046) • Declines to adopt PURPA standards as directed by EISA • Sets schedule for providing customers with retail and wholesale price information by end of 2010, access to usage data through an agreement with a third party by end of 2010, and provide access to usage information on a near real-time basis for customers with AMI by end of 2011. • July 29, 2011: Final Decision adopting privacy rules and policies on customer access to data. (D.11-07-056) • Adopts framework for protecting customer privacy • Primary purpose needs without customer consent • Secondary purpose needs require customer consent • Directs utilities to allow customers to share usage information with third parties with consent • Directs utilities to use a standardized method for third party access with customer consent • OpenADE • Customer access form must also be standard • August 31, 2012: Final Decision adopts privacy rules and policies on customer access to data for natural gas companies. (D.12-08-045)
California Actions on Privacy • California has a long history of promoting privacy • California Constitution, Article 1, Section 1 includes right to privacy • SB 1476- signed into law on September 29, 2010 • Utilities and their contractors must maintain customer privacy • Utilities and contractors do not need customer approval for “system, grid, or operational needs, or the implementation of demand response, energy management, or energy efficiency programs…” (i.e., primary purposes) • BUT…customer information cannot not be used for “secondary purposes” without customer consent • CPUC issued D.11-07-056 on July 29, 2011 to implement SB 1476 • D.12-08-45 extends privacy and access rules to natural gas companies
CPUC Privacy Rules • Based on Fair Information Practice Principles • Applies to utilities, utility contractors, and third parties that obtain data from the utilities • To be enforced via utility tariffs • Development of rules mostly result of consensus amongst parties (notably, utilities, privacy advocates, and consumer advocates) • Goals of rules are both to protect customer privacy, but also enable customers to access usage data and share that data with authorized third parties to promote future conservation and grid management activities • Primary Purpose/Secondary Purpose structure • Primary purposes are provision or billing of electricity or gas, provide for system, grid, or operational needs, provide services required by state or federal law or as directed by the CPUC, and “plan, implement, or evaluate” demand response, energy efficiency or energy management programs • Secondary purpose is anything that is not a primary purpose • Primary Purposes do not require customer consent
Green Button • Utilities and CPUC Staff have been active in development of OpenADE and Green Button • NAESB REQ 21 and REQ 22 • SGIP PAP 20 • October 2011: PG&E, SCE, and SDG&E agree to implement Green Button Download My Data • Up and running by January 2012! • Pursuant to D.11-07-056, utilities file applications to implement OpenADE in March 2012 (Green Button Connect My Data) • Final decision expected by this summer. • October 2012: PG&E and SDG&E announce Green Button Connect My Data live (beta) • Remember!! CPUC Privacy rules do not apply to third parties that obtain data directly from customer • Tariffs implementing CPUC Privacy Rules, which will cover third parties obtaining customer data via Green Button Connect My Data, still pending.
So, what are the issues? • Consent Forms • How much information should be provided to the utility • Expiration date? • Consistency across utilities • Who decides when to shut off access? • Upon notice of customer • Upon order of CPUC • But what if Utility believes third party in violation of requirements??? • Utilities propose temporary suspension of access, will notify customer and third party, and third party can appeal to CPUC • Third Parties propose utilities notify CPUC of potential violation and wait for CPUC determination before suspending access. • The real issue is…….. • Utility Liability • Privacy rules do not hold utilities liable for third party violation of rules where third party has customer consent • EXCEPT!!! If utility acts “recklessly” regarding sharing of customer data. • Rhetorical question: If utility is aware of third party actions in violation of privacy rules, but third party has customer consent, is utility acting “recklessly” by continuing to provide access?
On-going Privacy Issues • Smart Grid Rulemaking Phase 3 currently considering ways to make more usage data available in ways that protect privacy • CPUC rules says that data removed of identifiable characteristics not subject to privacy rules, and can be made available without customer consent • Define “aggregated” and “anonymized” • What is sufficiently aggregated? • What is sufficiently anonymized? • Access to other customer data • Energy Efficiency program data • Aggregated building data • Growing pains
One final thought • What about companies not under state PUC jurisdiction? • On going efforts on developing best practices and self-certification for non-jurisdictional third parties • TRUSTe and Future of Privacy Forum Privacy Seal Program • DOE’s Voluntary Code of Conduct effort • AB 1274 • Pending legislation covering companies that provide home area network products that obtain data from the meter • Generally mirrors SB 1476 on privacy requirements • Provides for injunctive relief via courts • Addition to California Civil Code, not Public Utilities Code • “Punitive damages of not less than one hundred dollars ($100) or more than five thousand dollars ($5,000) for each violation as the court deems proper.”
For Further Information CPUC Staff White Paper: http://www.cpuc.ca.gov/NR/rdonlyres/D77BA276-E88A-4C82-AFD2-FC3D3C76A9FC/0/TheEvolvingRoleofStateRegulationinCybersecurity9252012FINAL.pdf NARUC Cybersecurity for State Regulators: http://www.naruc.org/Grants/Documents/NARUC%20Cybersecurity%20Primer%202.0.pdf Chris Villarreal Policy and Planning Division Phone: (415) 703-1566 Email: crv@cpuc.ca.gov