Critical Infrastructure Protection Committee

March 22, 2011

TO: Operating Committee

Planning Committee

Critical Infrastructure Protection Committee

FROM: Mark Lauby

Re: NERC’s Directional Topics to FERC’s Request for Comment on Smart Grid Interoperability Standards

Comments Requested by March 28, 2011

On January 31, 2011, the United States Federal Energy Regulatory Commission (FERC) staff held a technical conference to obtain further information to aid FERC’s determination of whether there is sufficient consensus that certain United States National Institute of Standards and Technology (NIST) smart grid interoperability standards are ready for consideration by FERC.[1] NERC has posted a draft letter to the Planning, Operating, and Critical Infrastructure Protection Committees identifying three areas of FERC’s Request on which it intends to provide comments. In this letter, NERC provides directional reliability considerations and seeks input from the Planning, Operating, and Critical Infrastructure Protection Committee members regarding the content of this response.

  1. How does the NIST process assure that a standard has undergone sufficient review of interoperability and cyber security and is ready for consideration by regulators?

The smart grid interoperability standards development currently coordinated by NIST is separate and not directly related to the NERC bulk power system Reliability Standards. The NIST interoperability standards are directed to the enhancement of communications between devices and equipment rather than the operation of the bulk power system of North America. NERC’s Reliability Standards are designed to ensure the reliability of the bulk power system and apply to facilities of the bulk electric system, given that there is a wide array of types, manufacturers of devices, controls, and systems used to operate the grid.[2] This includes the development of NERC Reliability Standards designed to ensure the protection of cyber assets that are part of the bulk power system. If NIST wants designers/vendors and related entities to adopt requirements that lessen the risk of cyber penetration, the standards should be vetted by industry through demonstrations, with sufficient time provided to ensure thorough testing.[3]

  2. Is it appropriate for reliability and implementation issues to be reviewed by a separate panel, as some panelists commented at the technical conference, composed of utility representatives and NERC?

NERC is supportive of this approach, especially to address parameters for successful integration to ensure that any undue risks to the reliability, security, and resilience of the bulk electric system are understood and addressed.

  3. Whether the criteria for FERC’s evaluation should differ for interoperability and functionality, and the extent to which cyber security is an element of each.

The strength of the interoperability design of smart grids, unless carefully planned and operated, can provide a vehicle for intentional cyber attack or unintentional errors impacting bulk power system reliability through a variety of entrance and exit points. Many of the systems implemented using existing smart grid technologies are designed for control functionality and are not responsive to errors resulting from misuse, miscommunications, or information technology (IT) system failures. Security of these control systems can be intentionally defeated or unintentionally corrupted by the installation of software updates, etc. Improvements will be required to provide robust protection from IT and communication system vulnerabilities. “Defense-in-Depth” approaches, when coupled with risk assessment, can provide an overarching organizational approach to cyber security management. Use of risk assessment can help determine appropriate defensive measures.

NERC’s primary mission is to ensure the reliability of the bulk power system of North America, and NERC understands the large and increasing role that cyber security occupies in achieving that goal. NERC believes FERC’s evaluation should take into account whether the cyber security component impacts the reliable operation of the bulk power system.

FERC has requested comments by April 8, 2011.[4] Please submit your comments by Monday March 28, 2011 to .

If you have any questions or comments on the aforementioned, please do not hesitate to contact us. Before filing, NERC staff’s draft comments will be sent for your consideration one week before the comment due date.

cc: SGTF Leadership Team

Willie Phillips, Attorney, NERC

[1] NIST identified five SGIP Standards to submit to FERC for consideration: http://www.nist.gov/public_affairs/releases/upload/FERC-letter-10-6-2010.pdf

[2] NERC’s full list of Reliability Standards:

[3] NERC’s Reliability Standards are developed through an American National Standards Institute (ANSI) accredited process:

[4] http://frwebgate3.access.gpo.gov/cgi-bin/PDFgate.cgi?WAISdocID=5Mix2o/5/2/0&WAISaction=retrieve