The Distribution Grid Gap on Cybersecurity

Power grid resilience and security are front-and-center in national policy debates. However, the focus on saving uneconomic generation resources (i.e. coal and some nuclear units) takes attention away from more relevant concerns, such as insufficient distribution grid cybersecurity protections.

The distribution grid is becoming more digital and dynamic, as smart grid devices enable two-way communications, and customers are increasingly using on-site generation, software-based energy management tools, and a plethora of internet-of-things appliances. This innovation is positive, yet exposes the grid to additional vulnerabilities.

Most outages on the power grid are related to transmission and distribution system issues (not generation outages). By number of events, most outages occur on the distribution system, with local and limited impacts. Less frequent occurrences of transmission level outages impact a greater number of people.

However, attacks on the distribution system could increasingly reach beyond local impacts. Simultaneous attacks on several distribution utilities or coordinated attacks on a single utility in multiple locations could create widespread outages. These outages could cut power to other critical infrastructure—like water, telecommunications, pipelines, etc.—compounding damages.

In addition, cyber intrusion at the distribution level raises concerns about customer data privacy, potential infiltration of industrial control systems, and other negative outcomes.

And, the distribution grid may present the easiest “target” for attackers, given the lack of cyber protection requirements.

Generation and high-voltage transmission represent the “bulk power system.” Enforceable cybersecurity regulations—called critical infrastructure protection or CIP standards—are developed by the North American Electric Reliability Corporation (NERC) to protect the bulk power system. Utilities (or other entities) with assets that, if disrupted, would impact the bulk power system are required to comply with the CIP standards.

Transmission (intrastate) and distribution systems are regulated at the state-level by public utility commissions, or by local boards or commissions for rural or municipal cooperatives.

A 2014 study by NRRI estimated only 10 to 20 percent of grid assets are covered by NERC’s CIP standards.

Most of the non-covered assets likely fall under state jurisdiction. A distribution-level substation may not be subject to NERC CIP standards because it exists outside of the bulk power system. However, a successful intrusion at the distribution level has the potential to impact the bulk power system. For example, the December 2015 Ukrainian power outage affecting over 230,000 people originated from cyberattacks on distribution system elements.

The approach to state-level cybersecurity regulation is surprisingly inconsistent, with variation between and within states. In fact, there are no minimum cybersecurity standards in place that all distribution utilities must follow. In general, there are at least two standards potentially available for use.

  • NERC CIP Compliance. Some states require utilities not typically subject to NERC CIPs to comply with these standards (i.e. FERC Order 706), or use NERC CIP standards as benchmarks to evaluate utility cybersecurity plans. This approach may be expensive to extend to the low-voltage system.
  • Risk-Based Approach. This involves determining priority actions and investments based on an assessment of system-specific vulnerabilities. The NIST Framework for Improving Critical Infrastructure Cybersecurity and NERC’s Reliability Assurance Initiative represent risk-based approaches.

In addition, utilities can use the U.S. DOE’s Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) to evaluate cybersecurity shortcomings.

As distribution grid modernization advances and distributed energy resources proliferate, so will cybersecurity vulnerabilities. Distribution-level threats may increase the probability of bulk power system impacts and will raise questions about the line between state and federal jurisdiction in ensuring cybersecurity.

Larger, investor-owned utilities are more capable of taking, and more likely to take, meaningful action to reduce cyber threats, as a portion of their assets is undoubtedly subject to NERC compliance.

According to the NAS, in 2016 there were 1,954 electric utilities, of which 174 were investor-owned utilities delivering 68 percent of electricity service to retail customers. Approximately 809 rural cooperatives, 827 municipal utilities, and other publicly owned utilities delivered 13 percent, 12 percent, and 6 percent of electricity to retail customers, respectively.

In other words, it is a target-rich environment for malicious actors.

There is significant room for improvement in developing and enforcing minimum cybersecurity standards for distribution utilities, which may include providing regulators with new authorities. The approach to defending smaller municipal, rural cooperative, and other publicly-owned utilities may prove most challenging.

Meeting such minimum standards may not be cheap, and many other complexities beyond costs are involved. The public benefit of having a secure grid warrants ratepayer cost recovery, and potentially even return on equity incentives to go beyond minimum compliance (when appropriate).

Lower power prices make today the opportune time to embark on these investments, rather than haphazardly devoting precious financial resources to less meaningful distractions (i.e. subsidies for at-risk generation).


Christina Simeone engages in applied research - bringing together analytics, academics, and industry insights - to further the center's mission.

Prior to joining the Kleinman Center, Simeone served as the director of the PennFuture Energy Center for Enterprise and the Environment, where she focused on energy and climate issues that impact Pennsylvania. Simeone worked on federal energy and climate legislation as Policy Director at the Alliance for Climate Protection in Washington, D.C., after spending several years in Harrisburg at the Pennsylvania Department of Environmental Protection (PA DEP), where she worked on climate and energy issues in the Policy Office and as Special Assistant to the Secretary. Additionally, she has experience in private environmental consulting and in the financial management sector.

Simeone holds a master's degree in environmental studies from the University of Pennsylvania, a B.A. in economics from the University of Miami, and B.S. in music industry from Drexel University (with a concentration in opera and piano performance). She is a board member of Philadelphia's Sustainable Energy Fund, former chair of the Climate Change Advisory Committee to the PA DEP, and served as the co-chair to Governor Wolf's transition team for the PA DEP.


Christina Simeone is the director of policy and external affairs at the Kleinman Center for Energy Policy.


As national debate over grid resilience and security drills down on saving at-risk generation units, the regulatory gap on cybersecurity protections at the distribution grid level allows for a target-rich environment that could reach the bulk power system. 

[format] => full_html [safe_value] =>

As national debate over grid resilience and security drills down on saving at-risk generation units, the regulatory gap on cybersecurity protections at the distribution grid level allows for a target-rich environment that could reach the bulk power system. 

) ) ) [field_primary_theme] => Array ( [und] => Array ( [0] => Array ( [tid] => 205 ) ) ) [field_secondary_themes] => Array ( [und] => Array ( [0] => Array ( [tid] => 197 ) [1] => Array ( [tid] => 204 ) ) ) [field_exclude] => Array ( ) [field_more_like_this] => Array ( ) [field_show_cropped_image] => Array ( [und] => Array ( [0] => Array ( [value] => 1 ) ) ) [field_voices] => Array ( ) [metatags] => Array ( [und] => Array ( [og:image] => Array ( [value] => public://Image Courtesy of Max Pixel.jpg ) [article:author] => Array ( ) [article:publisher] => Array ( ) [article:section] => Array ( ) [article:tag] => Array ( ) [article:published_time] => Array ( ) [article:modified_time] => Array ( ) [article:expiration_time] => Array ( ) [profile:first_name] => Array ( ) [profile:last_name] => Array ( ) [profile:username] => Array ( ) [profile:gender] => Array ( ) [book:author] => Array ( ) [book:isbn] => Array ( ) [book:release_date] => Array ( ) [book:tag] => Array ( ) [video:actor] => Array ( ) [video:actor:role] => Array ( ) [video:director] => Array ( ) [video:writer] => Array ( ) [video:duration] => Array ( ) [video:release_date] => Array ( ) [video:tag] => Array ( ) [video:series] => Array ( ) ) ) [rdf_mapping] => Array ( [rdftype] => Array ( [0] => sioc:Item [1] => foaf:Document ) [title] => Array ( [predicates] => Array ( [0] => dc:title ) ) [created] => Array ( [predicates] => Array ( [0] => dc:date [1] => dc:created ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) [changed] => Array ( [predicates] => Array ( [0] => dc:modified ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) [body] => Array ( [predicates] => Array ( [0] => content:encoded ) ) [uid] => Array ( [predicates] => Array ( [0] => sioc:has_creator ) [type] => rel ) [name] => Array ( [predicates] => Array ( [0] => foaf:name ) ) [comment_count] => Array ( [predicates] => Array ( [0] => sioc:num_replies ) [datatype] => xsd:integer ) [last_activity] => Array ( [predicates] => Array ( [0] => 
sioc:last_activity_date ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) ) [path] => Array ( [pathauto] => 1 ) [cid] => 0 [last_comment_timestamp] => 1529420761 [last_comment_name] => [last_comment_uid] => 115 [comment_count] => 0 [name] => Christina Simeone [picture] => 0 [data] => a:1:{s:18:"htmlmail_plaintext";i:0;} [entity_view_prepared] => 1 ) [#items] => Array ( [0] => Array ( [target_id] => 62 [entity] => stdClass Object ( [vid] => 62 [uid] => 1 [title] => Christina Simeone [log] => [status] => 1 [comment] => 1 [promote] => 0 [sticky] => 0 [nid] => 62 [type] => people_bio [language] => und [created] => 1414774970 [changed] => 1542662633 [tnid] => 0 [translate] => 0 [revision_timestamp] => 1542662633 [revision_uid] => 115 [body] => Array ( [und] => Array ( [0] => Array ( [value] =>

Christina Simeone engages in applied research - bringing together analytics, academics, and industry insights - to further the center's mission.

Prior to joining the Kleinman Center, Simeone served as the director of the PennFuture Energy Center for Enterprise and the Environment, where she focused on energy and climate issues that impact Pennsylvania. Simeone worked on federal energy and climate legislation as Policy Director at the Alliance for Climate Protection in Washington, D.C., after spending several years in Harrisburg at the Pennsylvania Department of Environmental Protection (PA DEP), where she worked on climate and energy issues in the Policy Office and as Special Assistant to the Secretary. Additionally, she has experience in private environmental consulting and in the financial management sector.

Simeone holds a master's degree in environmental studies from the University of Pennsylvania, a B.A. in economics from the University of Miami, and B.S. in music industry from Drexel University (with a concentration in opera and piano performance). She is a board member of Philadelphia's Sustainable Energy Fund, former chair of the Climate Change Advisory Committee to the PA DEP, and served as the co-chair to Governor Wolf's transition team for the PA DEP.

[summary] => [format] => full_html [safe_value] =>

Christina Simeone engages in applied research - bringing together analytics, academics, and industry insights - to further the center's mission.

Prior to joining the Kleinman Center, Simeone served as the director of the PennFuture Energy Center for Enterprise and the Environment, where she focused on energy and climate issues that impact Pennsylvania. Simeone worked on federal energy and climate legislation as Policy Director at the Alliance for Climate Protection in Washington, D.C., after spending several years in Harrisburg at the Pennsylvania Department of Environmental Protection (PA DEP), where she worked on climate and energy issues in the Policy Office and as Special Assistant to the Secretary. Additionally, she has experience in private environmental consulting and in the financial management sector.

Simeone holds a master's degree in environmental studies from the University of Pennsylvania, a B.A. in economics from the University of Miami, and B.S. in music industry from Drexel University (with a concentration in opera and piano performance). She is a board member of Philadelphia's Sustainable Energy Fund, former chair of the Climate Change Advisory Committee to the PA DEP, and served as the co-chair to Governor Wolf's transition team for the PA DEP.

[safe_summary] => ) ) ) [field_headshot] => Array ( [und] => Array ( [0] => Array ( [fid] => 1836 [uid] => 10 [filename] => IMG_2538.JPG [uri] => public://IMG_2538_0.JPG [filemime] => image/jpeg [filesize] => 1884043 [status] => 1 [timestamp] => 1495475902 [focus_rect] => 269,241,1135,1134 [crop_rect] => [rdf_mapping] => Array ( ) [alt] => [title] => [width] => 1766 [height] => 2047 ) ) ) [field_org_title] => Array ( [und] => Array ( [0] => Array ( [value] => Director of Policy and External Affairs [format] => [safe_value] => Director of Policy and External Affairs ) ) ) [field_email] => Array ( [und] => Array ( [0] => Array ( [email] => csimeone@upenn.edu ) ) ) [field_phone_number] => Array ( [und] => Array ( [0] => Array ( [value] => 215.573.4096 [format] => [safe_value] => 215.573.4096 ) ) ) [field_people_designation] => Array ( [und] => Array ( [0] => Array ( [value] => staff ) ) ) [field_adboard_organization] => Array ( ) [field_project_years] => Array ( ) [field_bio_type] => Array ( [und] => Array ( [0] => Array ( [tid] => 185 ) ) ) [field_omit] => Array ( [und] => Array ( [0] => Array ( [value] => 0 ) ) ) [field_biodepartment] => Array ( ) [field_teaser] => Array ( [und] => Array ( [0] => Array ( [value] =>

is the director of policy and external affairs at the Kleinman Center for Energy Policy.

[format] => full_html [safe_value] =>

is the director of policy and external affairs at the Kleinman Center for Energy Policy.

) ) ) [field_label_above_name] => Array ( ) [field_year] => Array ( ) [metatags] => Array ( [und] => Array ( [robots] => Array ( [value] => Array ( [0] => 0 [index] => 0 [follow] => 0 [noindex] => 0 [nofollow] => 0 [noarchive] => 0 [nosnippet] => 0 [noodp] => 0 [noydir] => 0 [noimageindex] => 0 [notranslate] => 0 ) ) [article:published_time] => Array ( [value] => ) [article:modified_time] => Array ( [value] => ) ) ) [rdf_mapping] => Array ( [rdftype] => Array ( [0] => sioc:Item [1] => foaf:Document ) [title] => Array ( [predicates] => Array ( [0] => dc:title ) ) [created] => Array ( [predicates] => Array ( [0] => dc:date [1] => dc:created ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) [changed] => Array ( [predicates] => Array ( [0] => dc:modified ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) [body] => Array ( [predicates] => Array ( [0] => content:encoded ) ) [uid] => Array ( [predicates] => Array ( [0] => sioc:has_creator ) [type] => rel ) [name] => Array ( [predicates] => Array ( [0] => foaf:name ) ) [comment_count] => Array ( [predicates] => Array ( [0] => sioc:num_replies ) [datatype] => xsd:integer ) [last_activity] => Array ( [predicates] => Array ( [0] => sioc:last_activity_date ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) ) [path] => Array ( [pathauto] => 1 ) [cid] => 0 [last_comment_timestamp] => 1414774970 [last_comment_name] => [last_comment_uid] => 1 [comment_count] => 0 [name] => admin [picture] => 0 [data] => b:0; ) [access] => 1 ) ) [#formatter] => entityreference_label [0] => Array ( [#theme] => entityreference_label [#label] => Christina Simeone [#item] => Array ( [target_id] => 62 [entity] => stdClass Object ( [vid] => 62 [uid] => 1 [title] => Christina Simeone [log] => [status] => 1 [comment] => 1 [promote] => 0 [sticky] => 0 [nid] => 62 [type] => people_bio [language] => und [created] => 1414774970 [changed] => 1542662633 [tnid] => 0 [translate] => 0 [revision_timestamp] => 1542662633 [revision_uid] => 115 
[body] => Array ( [und] => Array ( [0] => Array ( [value] =>

Christina Simeone engages in applied research - bringing together analytics, academics, and industry insights - to further the center's mission.

Prior to joining the Kleinman Center, Simeone served as the director of the PennFuture Energy Center for Enterprise and the Environment, where she focused on energy and climate issues that impact Pennsylvania. Simeone worked on federal energy and climate legislation as Policy Director at the Alliance for Climate Protection in Washington, D.C., after spending several years in Harrisburg at the Pennsylvania Department of Environmental Protection (PA DEP), where she worked on climate and energy issues in the Policy Office and as Special Assistant to the Secretary. Additionally, she has experience in private environmental consulting and in the financial management sector.

Simeone holds a master's degree in environmental studies from the University of Pennsylvania, a B.A. in economics from the University of Miami, and B.S. in music industry from Drexel University (with a concentration in opera and piano performance). She is a board member of Philadelphia's Sustainable Energy Fund, former chair of the Climate Change Advisory Committee to the PA DEP, and served as the co-chair to Governor Wolf's transition team for the PA DEP.


Christina Simeone is the director of policy and external affairs at the Kleinman Center for Energy Policy.


Power grid resilience and security are front and center in national policy debates. However, the focus on saving uneconomic generation resources (i.e., coal and some nuclear units) takes attention away from more relevant concerns, such as insufficient distribution grid cybersecurity protections.

The distribution grid is becoming more digital and dynamic, as smart grid devices enable two-way communications, and customers are increasingly using on-site generation, software-based energy management tools, and a plethora of internet-of-things appliances. This innovation is positive, yet exposes the grid to additional vulnerabilities.

Most outages on the power grid are related to transmission and distribution system issues (not generation outages). By number of events, most outages occur on the distribution system, with local and limited impacts. Transmission-level outages occur less frequently but affect a greater number of people.

However, attacks on the distribution system could increasingly reach beyond local impacts. Simultaneous attacks on several distribution utilities or coordinated attacks on a single utility in multiple locations could create widespread outages. These outages could cut power to other critical infrastructure—like water, telecommunications, pipelines, etc.—compounding damages.

In addition, cyber intrusion at the distribution level raises concerns about customer data privacy, potential infiltration of industrial control systems, and other negative outcomes.

And the distribution grid may present the easiest “target” for attackers, given the lack of cyber protection requirements.

Generation and high-voltage transmission represent the “bulk power system.” Enforceable cybersecurity regulations—called critical infrastructure protection or CIP standards—are developed by the North American Electric Reliability Corporation (NERC) to protect the bulk power system. Utilities (or other entities) with assets that, if disrupted, would impact the bulk power system are required to comply with the CIP standards.

Transmission (intrastate) and distribution systems are regulated at the state level by public utility commissions, or by local boards or commissions for rural or municipal cooperatives.

A 2014 study by NRRI estimated only 10 to 20 percent of grid assets are covered by NERC’s CIP standards.

Most of the non-covered assets likely fall under state jurisdiction. A distribution-level substation may not be subject to NERC CIP standards because it exists outside of the bulk power system. However, a successful intrusion at the distribution level has the potential to impact the bulk power system. For example, the December 2015 Ukrainian power outage affecting over 230,000 people originated from cyberattacks on distribution system elements.

The approach to state-level cybersecurity regulation is surprisingly inconsistent, with variation between and within states. In fact, there are no minimum cybersecurity standards in place that all distribution utilities must follow. In general, there are at least two standards potentially available for use.

  • NERC CIP Compliance. Some states require utilities not typically subject to NERC CIPs to comply with these standards (i.e. FERC Order 706), or use NERC CIP standards as benchmarks to evaluate utility cybersecurity plans. This approach may be expensive to extend to the low-voltage system.
  • Risk-Based Approach. This involves determining priority actions and investments based on an assessment of system-specific vulnerabilities. The NIST Framework for Improving Critical Infrastructure Cybersecurity and NERC’s Reliability Assurance Initiative represent risk-based approaches.

In addition, utilities can use the U.S. DOE’s Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) to evaluate cybersecurity shortcomings.  

As distribution grid modernization advances and distributed energy resources proliferate, so will cybersecurity vulnerabilities. Distribution-level threats may increase the probability of bulk power system impacts and will raise questions about the line between state and federal jurisdiction in ensuring cybersecurity.

Larger, investor-owned utilities are more capable of taking meaningful action to reduce cyber threats, and more likely to do so, as a portion of their assets is undoubtedly subject to NERC compliance.

According to the NAS, in 2016 there were 1,954 electric utilities, of which 174 were investor-owned utilities delivering 68 percent of electricity service to retail customers. Approximately 809 rural cooperatives, 827 municipal utilities, and other publicly owned utilities delivered 13 percent, 12 percent, and 6 percent of electricity to retail customers, respectively.

In other words, it is a target-rich environment for malicious actors.

There is significant room for improvement in developing and enforcing minimum cybersecurity standards for distribution utilities, which may include providing regulators with new authorities. The approach to defending smaller municipal, rural cooperative, and other publicly owned utilities may prove most challenging.

Meeting such minimum standards may not be cheap, and many other complexities beyond costs are involved. The public benefit of having a secure grid warrants ratepayer cost recovery, and potentially even return on equity incentives to go beyond minimum compliance (when appropriate).

Lower power prices make today the opportune time to embark on these investments, rather than haphazardly devoting precious financial resources to less meaningful distractions (i.e. subsidies for at-risk generation).


As national debate over grid resilience and security drills down on saving at-risk generation units, the regulatory gap on cybersecurity protections at the distribution grid level allows for a target-rich environment that could reach the bulk power system. 


The distribution grid is becoming more digital and dynamic, as smart grid devices enable two-way communications, and customers are increasingly using on-site generation, software-based energy management tools, and a plethora of internet-of-things appliances. This innovation is positive, yet exposes the grid to additional vulnerabilities.

Most outages on the power grid are related to transmission and distribution system issues (not generation outages). By number of events, most outages occur on the distribution system, with local and limited impacts. Less frequent transmission-level outages impact a greater number of people.

However, attacks on the distribution system could increasingly reach beyond local impacts. Simultaneous attacks on several distribution utilities or coordinated attacks on a single utility in multiple locations could create widespread outages. These outages could cut power to other critical infrastructure—like water, telecommunications, pipelines, etc.—compounding damages.

In addition, cyber intrusion at the distribution level raises concerns about customer data privacy, potential infiltration of industrial control systems, and other negative outcomes.

And the distribution grid may present the easiest “target” for attackers, given the lack of cyber protection requirements.

Generation and high-voltage transmission represent the “bulk power system.” Enforceable cybersecurity regulations—called critical infrastructure protection or CIP standards—are developed by the North American Electric Reliability Corporation (NERC) to protect the bulk power system. Utilities (or other entities) with assets that, if disrupted, would impact the bulk power system are required to comply with the CIP standards.

Transmission (intrastate) and distribution systems are regulated at the state level by public utility commissions, or by local boards or commissions for rural or municipal cooperatives.

A 2014 study by NRRI estimated only 10 to 20 percent of grid assets are covered by NERC’s CIP standards.

Most of the non-covered assets likely fall under state jurisdiction. A distribution-level substation may not be subject to NERC CIP standards because it exists outside of the bulk power system. However, a successful intrusion at the distribution level has the potential to impact the bulk power system. For example, the December 2015 Ukrainian power outage affecting over 230,000 people originated from cyberattacks on distribution system elements.

The approach to state-level cybersecurity regulation is surprisingly inconsistent, with variation between and within states. In fact, there are no minimum cybersecurity standards in place that all distribution utilities must follow. In general, there are at least two standards potentially available for use.

  • NERC CIP Compliance. Some states require utilities not typically subject to NERC CIPs to comply with these standards (i.e. FERC Order 706), or use NERC CIP standards as benchmarks to evaluate utility cybersecurity plans. This approach may be expensive to extend to the low-voltage system.
  • Risk-Based Approach. This involves determining priority actions and investments based on an assessment of system-specific vulnerabilities. The NIST Framework for Improving Critical Infrastructure Cybersecurity and NERC’s Reliability Assurance Initiative represent risk-based approaches.

In addition, utilities can use the U.S. DOE’s Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) to evaluate cybersecurity shortcomings.  

As distribution grid modernization advances and distributed energy resources proliferate, so will cybersecurity vulnerabilities. Distribution-level threats may increase the probability of bulk power system impacts and will raise questions about the line between state and federal jurisdiction in ensuring cybersecurity.

Larger, investor-owned utilities are more capable of taking, and more likely to take, meaningful action to reduce cyber threats, as a portion of their assets is undoubtedly subject to NERC compliance.

According to the NAS, in 2016 there were 1,954 electric utilities, of which 174 were investor-owned utilities delivering 68 percent of electricity service to retail customers. Approximately 809 rural cooperatives, 827 municipal utilities, and other publicly owned utilities delivered 13 percent, 12 percent, and 6 percent of electricity to retail customers, respectively.

In other words, it is a target-rich environment for malicious actors.

There is significant room for improvement in developing and enforcing minimum cybersecurity standards for distribution utilities, which may include providing regulators with new authorities. The approach to defending smaller municipal, rural cooperative, and other publicly owned utilities may prove most challenging.

Meeting such minimum standards may not be cheap, and many other complexities beyond costs are involved. The public benefit of having a secure grid warrants ratepayer cost recovery, and potentially even return on equity incentives to go beyond minimum compliance (when appropriate).

Lower power prices make today the opportune time to embark on these investments, rather than haphazardly devoting precious financial resources to less meaningful distractions (i.e. subsidies for at-risk generation).


Christina Simeone engages in applied research - bringing together analytics, academics, and industry insights - to further the center's mission.

Prior to joining the Kleinman Center, Simeone served as the director of the PennFuture Energy Center for Enterprise and the Environment, where she focused on energy and climate issues that impact Pennsylvania. Simeone worked on federal energy and climate legislation as Policy Director at the Alliance for Climate Protection in Washington, D.C., after spending several years in Harrisburg at the Pennsylvania Department of Environmental Protection (PA DEP), where she worked on climate and energy issues in the Policy Office and as Special Assistant to the Secretary. Additionally, she has experience in private environmental consulting and in the financial management sector.

Simeone holds a master's degree in environmental studies from the University of Pennsylvania, a B.A. in economics from the University of Miami, and a B.S. in music industry from Drexel University (with a concentration in opera and piano performance). She is a board member of Philadelphia's Sustainable Energy Fund, former chair of the Climate Change Advisory Committee to the PA DEP, and served as the co-chair to Governor Wolf's transition team for the PA DEP.


Simeone is the director of policy and external affairs at the Kleinman Center for Energy Policy.


As national debate over grid resilience and security drills down on saving at-risk generation units, the regulatory gap on cybersecurity protections at the distribution grid level allows for a target-rich environment that could reach the bulk power system. 

[format] => full_html [safe_value] =>

As national debate over grid resilience and security drills down on saving at-risk generation units, the regulatory gap on cybersecurity protections at the distribution grid level allows for a target-rich environment that could reach the bulk power system. 

) ) ) [field_primary_theme] => Array ( [und] => Array ( [0] => Array ( [tid] => 205 ) ) ) [field_secondary_themes] => Array ( [und] => Array ( [0] => Array ( [tid] => 197 ) [1] => Array ( [tid] => 204 ) ) ) [field_exclude] => Array ( ) [field_more_like_this] => Array ( ) [field_show_cropped_image] => Array ( [und] => Array ( [0] => Array ( [value] => 1 ) ) ) [field_voices] => Array ( ) [metatags] => Array ( [und] => Array ( [og:image] => Array ( [value] => public://Image Courtesy of Max Pixel.jpg ) [article:author] => Array ( ) [article:publisher] => Array ( ) [article:section] => Array ( ) [article:tag] => Array ( ) [article:published_time] => Array ( ) [article:modified_time] => Array ( ) [article:expiration_time] => Array ( ) [profile:first_name] => Array ( ) [profile:last_name] => Array ( ) [profile:username] => Array ( ) [profile:gender] => Array ( ) [book:author] => Array ( ) [book:isbn] => Array ( ) [book:release_date] => Array ( ) [book:tag] => Array ( ) [video:actor] => Array ( ) [video:actor:role] => Array ( ) [video:director] => Array ( ) [video:writer] => Array ( ) [video:duration] => Array ( ) [video:release_date] => Array ( ) [video:tag] => Array ( ) [video:series] => Array ( ) ) ) [rdf_mapping] => Array ( [rdftype] => Array ( [0] => sioc:Item [1] => foaf:Document ) [title] => Array ( [predicates] => Array ( [0] => dc:title ) ) [created] => Array ( [predicates] => Array ( [0] => dc:date [1] => dc:created ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) [changed] => Array ( [predicates] => Array ( [0] => dc:modified ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) [body] => Array ( [predicates] => Array ( [0] => content:encoded ) ) [uid] => Array ( [predicates] => Array ( [0] => sioc:has_creator ) [type] => rel ) [name] => Array ( [predicates] => Array ( [0] => foaf:name ) ) [comment_count] => Array ( [predicates] => Array ( [0] => sioc:num_replies ) [datatype] => xsd:integer ) [last_activity] => Array ( [predicates] => Array ( [0] => 
sioc:last_activity_date ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) ) [path] => Array ( [pathauto] => 1 ) [cid] => 0 [last_comment_timestamp] => 1529420761 [last_comment_name] => [last_comment_uid] => 115 [comment_count] => 0 [name] => Christina Simeone [picture] => 0 [data] => a:1:{s:18:"htmlmail_plaintext";i:0;} [entity_view_prepared] => 1 ) [#items] => Array ( [0] => Array ( [value] => Image Courtesy of Max Pixel [format] => [safe_value] => Image Courtesy of Max Pixel ) ) [#formatter] => text_default [0] => Array ( [#markup] => Image Courtesy of Max Pixel ) ) [body] => Array ( [#theme] => field [#weight] => 3 [#title] => Body [#access] => 1 [#label_display] => hidden [#view_mode] => full [#language] => und [#field_name] => body [#field_type] => text_with_summary [#field_translatable] => 0 [#entity_type] => node [#bundle] => wp_blog [#object] => stdClass Object ( [vid] => 8224 [uid] => 115 [title] => The Distribution Grid Gap on Cybersecurity [log] => [status] => 1 [comment] => 1 [promote] => 0 [sticky] => 0 [nid] => 6115 [type] => wp_blog [language] => und [created] => 1529420761 [changed] => 1531354752 [tnid] => 0 [translate] => 0 [revision_timestamp] => 1531354752 [revision_uid] => 1 [body] => Array ( [und] => Array ( [0] => Array ( [value] =>

Power grid resilience and security are front-and-center in national policy debates. However, the focus on saving uneconomic generation resources (i.e. coal and some nuclear units) takes attention away from more relevant concerns, such as insufficient distribution grid cybersecurity protections.

The distribution grid is becoming more digital and dynamic, as smart grid devices enable two-way communications, and customers are increasingly using on-site generation, software-based energy management tools, and a plethora of internet-of-things appliances. This innovation is positive, yet exposes the grid to additional vulnerabilities.

Most outages on the power grid are related to transmission and distribution system issues (not generation outages). By number of events, most outages occur on the distribution system, with local and limited impacts. Less frequent occurrences of transmission level outages impact a greater number of people.

However, attacks on the distribution system could increasingly reach beyond local impacts. Simultaneous attacks on several distribution utilities or coordinated attacks on a single utility in multiple locations could create widespread outages. These outages could cut power to other critical infrastructure—like water, telecommunications, pipelines, etc.—compounding damages.

In addition, cyber intrusion at the distribution level raises concerns about customer data privacy, potential infiltration of industrial control systems, and other negative outcomes.

And, the distribution grid may present the easiest “target” for attackers, given the lack of cyber protection requirements.

Generation and high-voltage transmission represent the “bulk power system.” Enforceable cybersecurity regulations—called critical infrastructure protection or CIP standards—are developed by the North American Electric Reliability Corporation (NERC) to protect the bulk power system. Utilities (or other entities) with assets that if disrupted would impact the bulk power system are required to comply with the CIP standards.

Transmission (intrastate) and distribution systems are regulated at the state-level by public utility commissions, or by local boards or commissions for rural or municipal cooperatives.

A 2014 study by NRRI estimated only 10 to 20 percent of grid assets are covered by NERC’s CIP standards.

Most of the non-covered assets likely fall under state jurisdiction. A distribution-level substation may not be subject to NERC CIP standards because it exists outside of the bulk power system. However, a successful intrusion at the distribution level has the potential to impact the bulk power system. For example, the December 2015 Ukrainian power outage affecting over 230,000 people originated from cyberattacks on distribution system elements.

The approach to state-level cybersecurity regulation is surprisingly inconsistent, with variation between and within states. In fact, there are no minimum cybersecurity standards in place that all distribution utilities must follow. In general, there are at least two standards potentially available for use.

  • NERC CIP Compliance. Some states require utilities not typically subject to NERC CIPs to comply with these standards (i.e. FERC Order 706), or uses NERC CIP standards as benchmarks to evaluate utility cybersecurity plans. This approach may be expensive to extend to the low-voltage system.
  • Risk-Based Approach. This involves determining priority actions and investments based on an assessment of system-specific vulnerabilities. The NIST Framework for Improving Critical Infrastructure Cybersecurity and NERC’s Reliability Assurance Initiative represent risk-based approaches.

In addition, utilities can use the U.S. DOE’s Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) to evaluate cybersecurity shortcomings.  

As distribution grid modernization advances and distributed energy resources proliferate, so will cyber security vulnerabilities. Distribution-level threats may increase the probability of bulk power system impacts and will raise questions about the line between state and federal jurisdiction in ensuring cybersecurity.

Larger, investor-owned utilities are more capable of and likely to take meaningful action to reduce cyber threats, as a portion of their assets are undoubtedly subject to NERC compliance.

According to the NAS, in 2016 there were 1,954 electric utilities, of which 174 were investor-owned utilities delivering 68 percent of electricity service to retail customers. Approximately, 809 rural cooperatives, 827 municipal utilities, and other publicly owned utilities delivered 13 percent, 12 percent, and 6 percent of electricity to retail customers, respectively.

In other words, it is a target-rich environment for malicious actors.

There is significant room for improvement in developing and enforcing minimum cybersecurity standards for distribution utilities, which may include providing regulators with new authorities. The approach to defending smaller municipal, rural cooperative, and other publicly-owned utilities may prove most challenging.

Meeting such minimum standards may not be cheap, and many other complexities beyond costs are involved. The public benefit of having a secure grid warrants ratepayer cost recovery, and potentially even return on equity incentives to go beyond minimum compliance (when appropriate).

Lower power prices make today the opportune time to embark on these investments, rather than haphazardly devoting precious financial resources to less meaningful distractions (i.e. subsidies for at-risk generation).

[summary] => [format] => full_html [safe_value] =>

Power grid resilience and security are front-and-center in national policy debates. However, the focus on saving uneconomic generation resources (i.e. coal and some nuclear units) takes attention away from more relevant concerns, such as insufficient distribution grid cybersecurity protections.

The distribution grid is becoming more digital and dynamic, as smart grid devices enable two-way communications, and customers are increasingly using on-site generation, software-based energy management tools, and a plethora of internet-of-things appliances. This innovation is positive, yet exposes the grid to additional vulnerabilities.

Most outages on the power grid are related to transmission and distribution system issues (not generation outages). By number of events, most outages occur on the distribution system, with local and limited impacts. Less frequent occurrences of transmission level outages impact a greater number of people.

However, attacks on the distribution system could increasingly reach beyond local impacts. Simultaneous attacks on several distribution utilities or coordinated attacks on a single utility in multiple locations could create widespread outages. These outages could cut power to other critical infrastructure—like water, telecommunications, pipelines, etc.—compounding damages.

In addition, cyber intrusion at the distribution level raises concerns about customer data privacy, potential infiltration of industrial control systems, and other negative outcomes.

And, the distribution grid may present the easiest “target” for attackers, given the lack of cyber protection requirements.

Generation and high-voltage transmission represent the “bulk power system.” Enforceable cybersecurity regulations—called critical infrastructure protection or CIP standards—are developed by the North American Electric Reliability Corporation (NERC) to protect the bulk power system. Utilities (or other entities) with assets that if disrupted would impact the bulk power system are required to comply with the CIP standards.

Transmission (intrastate) and distribution systems are regulated at the state-level by public utility commissions, or by local boards or commissions for rural or municipal cooperatives.

A 2014 study by NRRI estimated only 10 to 20 percent of grid assets are covered by NERC’s CIP standards.

Most of the non-covered assets likely fall under state jurisdiction. A distribution-level substation may not be subject to NERC CIP standards because it exists outside of the bulk power system. However, a successful intrusion at the distribution level has the potential to impact the bulk power system. For example, the December 2015 Ukrainian power outage affecting over 230,000 people originated from cyberattacks on distribution system elements.

The approach to state-level cybersecurity regulation is surprisingly inconsistent, with variation between and within states. In fact, there are no minimum cybersecurity standards in place that all distribution utilities must follow. In general, there are at least two standards potentially available for use.

  • NERC CIP Compliance. Some states require utilities not typically subject to NERC CIPs to comply with these standards (i.e. FERC Order 706), or use NERC CIP standards as benchmarks to evaluate utility cybersecurity plans. This approach may be expensive to extend to the low-voltage system.
  • Risk-Based Approach. This involves determining priority actions and investments based on an assessment of system-specific vulnerabilities. The NIST Framework for Improving Critical Infrastructure Cybersecurity and NERC’s Reliability Assurance Initiative represent risk-based approaches.

In addition, utilities can use the U.S. DOE’s Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) to evaluate cybersecurity shortcomings.  

As distribution grid modernization advances and distributed energy resources proliferate, so will cybersecurity vulnerabilities. Distribution-level threats may increase the probability of bulk power system impacts and will raise questions about the line between state and federal jurisdiction in ensuring cybersecurity.

Larger, investor-owned utilities are more capable of and likely to take meaningful action to reduce cyber threats, as a portion of their assets are undoubtedly subject to NERC compliance.

According to the NAS, in 2016 there were 1,954 electric utilities, of which 174 were investor-owned utilities delivering 68 percent of electricity service to retail customers. Approximately 809 rural cooperatives, 827 municipal utilities, and other publicly owned utilities delivered 13 percent, 12 percent, and 6 percent of electricity to retail customers, respectively.

In other words, it is a target-rich environment for malicious actors.

There is significant room for improvement in developing and enforcing minimum cybersecurity standards for distribution utilities, which may include providing regulators with new authorities. The approach to defending smaller municipal, rural cooperative, and other publicly owned utilities may prove most challenging.

Meeting such minimum standards may not be cheap, and many other complexities beyond costs are involved. The public benefit of having a secure grid warrants ratepayer cost recovery, and potentially even return on equity incentives to go beyond minimum compliance (when appropriate).

Lower power prices make today the opportune time to embark on these investments, rather than haphazardly devoting precious financial resources to less meaningful distractions (i.e. subsidies for at-risk generation).


Christina Simeone engages in applied research - bringing together analytics, academics, and industry insights - to further the center's mission.

Prior to joining the Kleinman Center, Simeone served as the director of the PennFuture Energy Center for Enterprise and the Environment, where she focused on energy and climate issues that impact Pennsylvania. Simeone worked on federal energy and climate legislation as Policy Director at the Alliance for Climate Protection in Washington, D.C., after spending several years in Harrisburg at the Pennsylvania Department of Environmental Protection (PA DEP), where she worked on climate and energy issues in the Policy Office and as Special Assistant to the Secretary. Additionally, she has experience in private environmental consulting and in the financial management sector.

Simeone holds a master's degree in environmental studies from the University of Pennsylvania, a B.A. in economics from the University of Miami, and B.S. in music industry from Drexel University (with a concentration in opera and piano performance). She is a board member of Philadelphia's Sustainable Energy Fund, former chair of the Climate Change Advisory Committee to the PA DEP, and served as the co-chair to Governor Wolf's transition team for the PA DEP.

Christina Simeone is the director of policy and external affairs at the Kleinman Center for Energy Policy.


As national debate over grid resilience and security drills down on saving at-risk generation units, the regulatory gap on cybersecurity protections at the distribution grid level allows for a target-rich environment that could reach the bulk power system. 

June 19, 2018
Image Courtesy of Max Pixel

Power grid resilience and security are front-and-center in national policy debates. However, the focus on saving uneconomic generation resources (i.e. coal and some nuclear units) takes attention away from more relevant concerns, such as insufficient distribution grid cybersecurity protections.

The distribution grid is becoming more digital and dynamic, as smart grid devices enable two-way communications, and customers are increasingly using on-site generation, software-based energy management tools, and a plethora of internet-of-things appliances. This innovation is positive, yet exposes the grid to additional vulnerabilities.

Most outages on the power grid are related to transmission and distribution system issues (not generation outages). By number of events, most outages occur on the distribution system, with local and limited impacts. Less frequent occurrences of transmission level outages impact a greater number of people.

However, attacks on the distribution system could increasingly reach beyond local impacts. Simultaneous attacks on several distribution utilities or coordinated attacks on a single utility in multiple locations could create widespread outages. These outages could cut power to other critical infrastructure—like water, telecommunications, pipelines, etc.—compounding damages.

In addition, cyber intrusion at the distribution level raises concerns about customer data privacy, potential infiltration of industrial control systems, and other negative outcomes.

And the distribution grid may present the easiest “target” for attackers, given the lack of cyber protection requirements.

Generation and high-voltage transmission represent the “bulk power system.” Enforceable cybersecurity regulations—called critical infrastructure protection or CIP standards—are developed by the North American Electric Reliability Corporation (NERC) to protect the bulk power system. Utilities (or other entities) with assets that, if disrupted, would impact the bulk power system are required to comply with the CIP standards.

Transmission (intrastate) and distribution systems are regulated at the state level by public utility commissions, or by local boards or commissions for rural or municipal cooperatives.

A 2014 study by NRRI estimated only 10 to 20 percent of grid assets are covered by NERC’s CIP standards.

Most of the non-covered assets likely fall under state jurisdiction. A distribution-level substation may not be subject to NERC CIP standards because it exists outside of the bulk power system. However, a successful intrusion at the distribution level has the potential to impact the bulk power system. For example, the December 2015 Ukrainian power outage affecting over 230,000 people originated from cyberattacks on distribution system elements.

The approach to state-level cybersecurity regulation is surprisingly inconsistent, with variation between and within states. In fact, there are no minimum cybersecurity standards in place that all distribution utilities must follow. In general, there are at least two standards potentially available for use.

  • NERC CIP Compliance. Some states require utilities not typically subject to NERC CIPs to comply with these standards (i.e. FERC Order 706), or use NERC CIP standards as benchmarks to evaluate utility cybersecurity plans. This approach may be expensive to extend to the low-voltage system.
  • Risk-Based Approach. This involves determining priority actions and investments based on an assessment of system-specific vulnerabilities. The NIST Framework for Improving Critical Infrastructure Cybersecurity and NERC’s Reliability Assurance Initiative represent risk-based approaches.

In addition, utilities can use the U.S. DOE’s Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) to evaluate cybersecurity shortcomings.  

As distribution grid modernization advances and distributed energy resources proliferate, so will cybersecurity vulnerabilities. Distribution-level threats may increase the probability of bulk power system impacts and will raise questions about the line between state and federal jurisdiction in ensuring cybersecurity.

Larger, investor-owned utilities are more capable of and likely to take meaningful action to reduce cyber threats, as a portion of their assets are undoubtedly subject to NERC compliance.

According to the NAS, in 2016 there were 1,954 electric utilities, of which 174 were investor-owned utilities delivering 68 percent of electricity service to retail customers. Approximately 809 rural cooperatives, 827 municipal utilities, and other publicly owned utilities delivered 13 percent, 12 percent, and 6 percent of electricity to retail customers, respectively.

In other words, it is a target-rich environment for malicious actors.

There is significant room for improvement in developing and enforcing minimum cybersecurity standards for distribution utilities, which may include providing regulators with new authorities. The approach to defending smaller municipal, rural cooperative, and other publicly-owned utilities may prove most challenging.

Meeting such minimum standards may not be cheap, and many other complexities beyond costs are involved. The public benefit of having a secure grid warrants ratepayer cost recovery, and potentially even return on equity incentives to go beyond minimum compliance (when appropriate).

Lower power prices make today the opportune time to embark on these investments, rather than haphazardly devoting precious financial resources to less meaningful distractions (i.e. subsidies for at-risk generation).

Our blog highlights the research, opinions, and insights of individual authors. It does not represent the voice of the Kleinman Center.