Presentation to the EMS USER GROUP Meeting Compiled by Chuck Newton Newton-Evans Research Company September 2012
Welcome to this briefing session: 2012 Usage Patterns and Trends in Control Center SOP, Visualization and Cyber Security
A Review of Findings from Three Studies Conducted in 2012 by Newton-Evans Research
• (1) Standard Operating Procedures For Control Room Operations.
  • Larger utilities and ISO/RTOs
  • Small Sample (26 IOUs, RTO/ISOs and Large Public Utilities)
  • Study commissioned by American Engineering University
• (2) NERC CIP Compliance Topical Study
  • Small-Midsize utilities – Up to 200,000 customers
  • More than 100 U.S. and Canadian Utilities Participated
  • Study commissioned by Cyber Security Specialist Firm
• (3) Newton-Evans Study of Cyber Security for Protection and Control
  • Larger Utilities (North America and International)
  • More than 60 utilities from 30+ countries Participating
  • Commissioned by CIGRE JWG B5 D2.46
Standard Operating Procedures Control Systems Operations Managers and Senior Staffers
1. How much of the details of real-time operating procedures are driven internally from the organization, how much driven from reliability (Reliability Coordinator, Transmission Operator, Balancing Authority) or regulatory organizations (NERC, FERC, state)?
2. Please rank the following types of information based on their importance in making decisions for various real-time procedures in each scenario. Use a scale of 1-5, with 1=“most important” and 5=“least important” (Using each number only once.)
[Chart: average rank by information type, axis 0.00 to 5.00 from most important to least important; series: Normal operation, Emergency operation, Restorative operation, Post contingency]
Plotted values per information type (one per scenario):
• SCADA data: 1.12, 1.40, 1.48, 1.12
• Contingency Analysis data: 3.08, 3.00, 3.60, 2.92
• State Estimation data: 3.52, 3.56, 3.76, 3.44
• Verbal communications: 2.64, 2.60, 1.92, 2.80
• Other information sources: 4.64, 4.44, 4.24, 4.72
4. Who in the operational hierarchy executes the EMS applications, the higher or lower reliability authority? (Check all that apply)
5. Do any of the entities checked above in question #4 run EMS applications and compare results?
• Yes, all involved: 71%
• No: 17%
• Other: 12%
6a. How are actions coordinated for events near the boundaries of Balancing Authority Areas or Reliability Coordinating Areas? (Check all that apply) For the survey group as a whole, verbal communication is the dominant method for coordinating events near the boundaries of BAAs or RCAs. ICCP, however, is also frequently used among all of the domestic utilities and RTOs.
6b. How is corrective action decided and carried out?
• Cooperative decisions and actions by both the Balancing Authority and Reliability Coordinating areas: 88%
• Only the Balancing Authority decides and takes action: 8%
• Only the Reliability Coordinating area decides and takes action: 4%
By an impressive margin (88%), corrective action is decided and carried out through cooperative decisions and actions by both the Balancing Authority and Reliability Coordinating Areas.
6c. If just one entity decides and takes corrective action, what is the MAIN driver of this decision? (Pick one)
• Proximity of event to boundary (i.e. further away): 0%
• Equipment responsibility or ownership: 44%
• Severity of event: 17%
• Time - criticalness of response: 22%
• Other: 17%
Equipment responsibility or ownership (44%) is the main driver for the eighteen respondents to this question. However, this value increases to seventy-one percent (71%) if only the responses from the seven investor owned utilities are considered.
9. What visualizations are most relevant during NORMAL SECURE (NORMAL) OPERATION of the grid? Ninety-two percent (24 out of 26) of the survey respondents rated Topological Visuals as Extremely Important during Normal Secure (Normal) Operation of the grid. Dynamically Colored Visuals were also viewed as Extremely Important to 58% of respondents.
10. What visualizations are most relevant during NORMAL INSECURE (ALERT/CONTINGENCY) OPERATION of the grid?
(Extremely Important / Somewhat Important / Not Important to Our Operations)
• Geographical Visuals: 27% / 58% / 15%
• Topological Visuals: 92% / 8% / 0%
• Contour Visuals: 15% / 31% / 54%
• Tabular Visuals: 54% / 35% / 12%
• Animated Visuals: 31% / 15% / 54%
• Dynamically Colored: 69% / 12% / 19%
• Dynamically Sized: 8% / 31% / 62%
11. What visualizations are most relevant during EMERGENCY OPERATION of the grid?
12. What visualizations are most relevant during RESTORATION OPERATION of the grid?
13. Which type of display (large control center board or desk top screen) is an operator more likely to use in the following situations? Desk top computer screens are more likely to be used by a control room operator during all operation phases. However, during Normal and Post Contingency Operations, the respondents tend to use them slightly more (69% and 73% respectively) than during Emergency and Restorative conditions, where the use of a control center board significantly increases (from 19% to 31%).
14. What is the difference between the visualizations on the control center board and the operator’s desk top computer screen? Responses from the survey group find that visualizations on the operator’s desktop computer screen offer significantly more benefits than the control center board. The control center board is cited as being better for wide area viewing.
15. Are certain visualizations more appropriate or efficient on the control center board or operator’s desk top computer screen? Overall, responses to this question provided a little more balance when comparing visualizations on the control center board to operator desk computer screens. However, there are some significant differences in three areas: for Tabular Visuals efficiency, the operator’s desk computer screen received an overwhelming preference (84%) over the control center board; Geographical Visuals were found to be more appropriate for control center board use by a 3 to 1 margin; and Topological Visuals were better suited to operator desk top computers by a 2 to 1 margin.
16. How are critical events visualized (e.g. operating limit violations, line tripping, generator tripping, etc)? (Check all that apply)
• Blinking values: 81%
• Character Tag: 38%
• Highlighted and Blinking Values: 73%
• Zooming: 12%
• Exception List: 42%
• Panning: 8%
• Other: 23%
The two visualization methods predominantly used by the twenty-six respondents for critical events are Blinking Values (81%) and Highlighted and Blinking Values (73%). IOUs indicated the highest use of Character Tag and Exception List.
20. Please rank the relevancy of the following data in the visualization of the grid from 1-6 where 1=“most relevant” and 6=“least relevant” (Using each number only once).
[Chart: average rank, axis 0.00 to 8.00 from most relevant to least relevant]
• Voltage: 2.54
• Current: 4.00
• Power: 2.79
• Frequency: 3.58
• Device states: 2.21
• Other: 5.88
Device states (2.21), Voltage (2.54) and Power (2.79) were ranked the “most relevant” data in the visualization of the grid by survey respondents. For the most part, this was pretty consistent among all of the survey groups with the exception of the one European utility.
Study of Small-to-Mid-Size Utilities Regarding NERC CIP Topics
• Study undertaken Jan-Apr 2012
• More than 100 Utilities Participated
• Having from 20,000 to 200,000 customers
1. Does your utility have Critical Cyber Assets under NERC CIP? • In spite of the seeming change in definitions of what is a critical cyber asset, two-thirds of the respondents indicated that they had NO cyber assets that are considered “critical” under current NERC CIP definitions.
2. How much did your utility spend on cyber security Operations and Maintenance in 2011? Responses here were reported across all dollar ranges. More than one-third spent less than $25,000 per year on cyber security O&M in 2011. Just over one third spent from $25,000 to $200,000. Thirteen percent spent more than $200,000. Four respondents indicated that cyber security O&M was not a budgeted item.
4. What were your utility’s capital expenditures for cyber security in 2011? One half of the respondents to this question reported spending less than $25,000 in capital expenditures for cyber security during 2011. Nearly one quarter stated that expenditures ranged from $25,000 to $200,000. Thirteen percent replied that they had invested more than $200,000 for cyber security items. Again four respondents replied that cyber security was not a separately budgeted CAPEX line item.
6. Have utility work practices and procedures changed as a result of NERC CIP requirements? Seventy percent of all respondents indicated that utility work practices and procedures have changed as a result of NERC CIP requirements. Importantly, 40% of all respondents stated that work practices and procedures have changed significantly due to NERC CIP requirements. Most of the 30% reporting ‘no change’ in work practices and procedures hold the view that they do not have critical cyber assets as currently defined by NERC.
If NERC CIP requirements have caused changes, please explain:
Respondent #1: We have added workflows to the process to demonstrate/document compliance.
Respondent #4: Station access procedures
Respondent #5: Limiting and logging access to dispatch & other source areas; lots of documentation & audit preparation; lots of effort to ensure compliance but not necessarily improve security.
Respondent #6: Installation of new SCADA system required improvements in physical access requirements
Respondent #7: Maintenance of CIP rules is a massive and continuous undertaking. It took 14 FTEs to get through the most recent audit
Respondent #8: Device installation, testing, access management, patch management
Respondent #9: NERC CIP does not apply
Respondent #10: Level of reporting and documentation requirements required have increased significantly.
Respondent #12: All actions and occurrences have to be verified under CIP regulations
Respondent #13: While our utility does not currently fall under version 4 of the CIP standards we are actively preparing for full compliance because we anticipate version 5 will affect us significantly. At the very least a proactive cyber security program is a good practice and enhances the reliability of both the BES and non-BES power systems.
Respondent #19: Add a tremendous burden for security and logging of activities
Respondent #20: Process to develop a security program has begun. We are taking small incremental steps.
Respondent #24: Sign in sheets required into certain areas during certain time frames; escorts required into certain areas
Respondent #25: Since NERC CIP requirements are not yet applicable, our efforts are in anticipation of future changes. However, such future changes shown in pending drafts of the NERC standards will have a VERY significant impact to work practices and procedures.
Respondent #26: At this time, our utility will not consider substation LANs for IEDs & RTUs due to pending NERC requirements.
Respondent #27: We are distribution but have made changes in anticipation of NERC/CIP
Respondent #28: We evaluate each new technology initiative for its ability to put us into CIP requirements. Using communicating faulted circuit indicators as an example, we chose a hosted service rather than bringing the data in-house to avoid any potential CIP changes.
7. Does your utility offer in-house training for cyber security? Nearly one half (47%) of the survey respondents reported that their utility offers some form of in-house training for cyber security. Another 17% plan to offer such in-house training by 2014. More than one third (37%) of the survey sample do not offer cyber security training on an in-house basis.
9. Do you currently outsource any cyber security tasks to a third party? More than one half (53%) of the survey participants indicated that they DO outsource at least some cyber security tasks to outside third-party services. Another 10% plan to do so by year-end 2014.
12. What are the certification requirements that your employees must have to work with projects involving cyber security? Perhaps surprisingly, more than three quarters of the responding utility officials reported that there are currently NO certification requirements for employees in order to work with projects involving cyber security topics. Of the handful of utilities that indicated one or more certifications as requirements, CISSP (15%), CISM (11%), CISA (7%) and CompTIA (4%) were specifically cited. A few reported other requirements such as Cisco Systems in the listing below the chart.
16. Have NERC CIP requirements caused your utility to increase the number of full time employees dedicated to cyber security activity?
• Yes: 23%
• No: 77%
19. Which of the following cyber security technologies/methods do you currently use?
Newton-Evans Survey for CIGRE JWG B5 D2.46
Cyber Security for P&C Systems
• Larger Utilities (North America and International)
• Participation from More than 60 utilities in 30+ countries
• Conducted with P&C Managers; Operations Managers; Some IT Management Involvement
1a. Are you offering your P&C System personnel (engineers and field technicians) any cybersecurity training for their job responsibilities?
1b. Do you tailor cybersecurity training to address the issues related to job responsibility?
2a. How would you consider the quality and completeness of cybersecurity training in your organization?
4. Do you have a cybersecurity incident response plan for your P&C system?
5. Do you monitor P&C system personnel access to and use of P&C system components?
6. Do you test P&C system patches to correct cybersecurity defects prior to deployment?
7a. Do you have adequate controls in place to monitor P&C system behavior in order to indicate that a security incident has taken place?
7b. Do you benchmark or maintain a scorecard of P&C system cybersecurity incidents?
8. What is your short list of cybersecurity solutions needed to protect your P&C systems?
11a. Do you allow employees to use their personal devices (i.e. personal flash drive, smart phone, tablet, etc.) for P&C maintenance or configuring P&C components?