UtiliPointPerdue

As attendees of the annual utility customer service event CS Week converged on Washington DC in May 2009, many were asking about cyber security and the Smart Grid. To provide a better understanding of the utility marketplace for customer service solutions, UtiliPoint recently conducted interviews with over a dozen executives from some of the leading vendors in the utility customer service sector. As always, the interviews provide interesting insights about where the customer service sector is headed, and how companies intend to address current market challenges.

This article provides a summary of what industry leaders in utility customer service shared with us regarding Smart Grid security. More specifically, we will look at the steps that companies are taking to improve security of customer data and/or the electric utility grid. We hope that you enjoy reading the various opinions offered by those operating in the market today.

Denise Antoniadis

Partner, Utility Industry Leader

CSC

The electric industry is poised to make a significant transformation from a centralized, producer-controlled network to one that is less centralized and more consumer-interactive. The move to a smarter grid will change the industry's entire business model and its relationship with all stakeholders (e.g. utilities, regulators, energy service providers, technology and automation vendors and all consumers of electric power).

The U.S. government identified utility infrastructure (electric and water) as critical and potential targets for terrorist activities. Most recently, growing concerns about the physical security are exacerbated by cyber security issues and the potential threat of malicious intrusion to energy control systems resulting from increased appetite for process data, proliferation of ubiquitous communication standards and a need to align business partners' process in an increasingly unbundled environment. This leads to the need for utilities to have structured, repeatable methods for assessing and remediating vulnerability challenges, securing networks and infrastructure, and capturing and managing data for demonstrating compliance on an enterprise wide basis.

To help take the appropriate measures to fully safeguard sensitive customer data, CSC offers and delivers a Protected Enterprise solution providing a broad approach to utility clients for managing security and compliance. Protected Enterprise focuses on the wider context of risk and business value, rather than on implementing multiple, reactive point solutions that add complexity, are difficult to manage and hamper flexibility. CSC's substantial business and IT expertise and the specific skills and experience of more than 100 Lead Information Risk Managers (LIRMs) ensure that Protected Enterprise solutions are measured and effective balancing risk, cost and business impact. Like all CSC services, Protected Enterprise solutions are integrated with the utility's business processes, are easy-to-manage and inherently scalable.

In addition to supporting utility clients with their security work on Smart Meter, Smart Grid and NERC CIP, CSC is also trusted by many of the world's most demanding security customers, including the U.S. Homeland Security, Department of Defense, the Intelligence Community and many premier Global 2000 organizations. The Protected Enterprise framework was developed in response to challenges identified working with both public sector and commercial companies, namely protecting facilities, operations, systems and data effectively, without compromising the organization's flexibility. Additionally CSC is actively involved in high-level governmental committees and venues addressing and providing advice and expertise on security matters and standards development.

Scott Braynard

Regional Director

HP Enterprise Software &

Anthony Erickson

Global Utilities Director

EDS, an HP Company

Many industry groups, including utilities, collaborate with HP on a wide variety of security initiatives. HP brings more than four decades of industry experience, thought leadership and in-depth knowledge in information security from the financial, manufacturing, consumer, government, health care and defense industries to the utility marketplace. From intelligence gathering and vulnerability assessment to post-event evaluation, the HP solutions portfolio addresses all phases of utility security, homeland security, and public safety support.

Additionally, with the trend for utilities to cut costs by outsourcing their customer communications (i.e., printing and mailing billing statements and other correspondence) to print service providers (PSPs), it becomes increasingly important for companies to protect the security of their customers' data. With the HP Exstream solution, users have the ability to keep raw customer data inside their organization without the risk of inadvertently compromising the privacy of their customers. By utilizing HP Exstream to design, format, compile and compose customer data into print-ready documents, utility companies can feed these documents to their PSP without allowing their customers' data to be unbundled. Instead, the PSP will simply print and mail the single print stream and the customers' data remains secure.

Vince Burkett

President and CEO

Ventyx

Much of our Smart Grid focus is providing enterprise applications in the utility commercial office to deliver effective demand response programs, distributed energy management, and resource optimization, so this is an important area for us. Accordingly, in addition to our close work with customers on security and privacy of customer data in these areas, we actively track emerging Smart Grid standards like the efforts underway by NIST, the Gridwise Architecture Council, EPRI and others to understand what's required to meet emerging cyber security requirements and other critical needs.

Dr. Stefan Engelhardt

Head of the Utilities Industry Business Unit

SAP

Data security has always been a key issue, and coupled with Smart Grid, it becomes even more pinnacle. SAP's extensive experience and global resources ensure data security and compliance. SAP relies on transport layer security encryption technology with X.509 certificates to prevent unauthorized parties from intercepting network traffic. The required encryption software is part of up-to-date client operating systems, so there is no need to install additional software. But we need to keep in mind that Smart Grid technologies requires numerous technologies, both hardware and software, to work collaboratively together, and like a chain, it, being data security, is only as strong as the weakest link.

Quentin Grady

Senior Vice President & General Manager

Oracle's Tax & Utilities Global Business Unit

Our utilities-specific applications have long been characterized by very high levels of security-robust pass wording and identity management, the ability to password individual data elements, restrict use of specific data elements, and the like.

Oracle also offers utilities market-leading security policy compliance under the Governance, Regulation, and Compliance banner. We help utilities comply with NERC CIP and similar security initiatives.

We will continue to consult with the utility grid operators and the various national and international governing bodies on the need for increased grid security and quickly respond to any needed changes in our software and technology.

Michael F. Guerriero

President and CEO

Continental Utility Solutions, Inc. (CUSI)

CUSI is committed to the continued evolution of its service offering to meet the ever-changing needs to the utility market through our UMS.net product line. We are already well positioned to work with these new technologies based upon our .net environment and security protocols. CUSI's technology adheres to the latest security standards but is continually being reviewed and improved upon as the market adopts new processes to maintain and secure critical data.

Andrew Hansen

CEO

Hansen Technologies

The Hansen MDM is built with enterprise-strength data security in mind. The Peace CIS is proven to meet the security needs one of North America's largest utilities. Together, the Hansen 'smart-enabled' solution leverages developments from advanced-metering initiatives in global markets to provide a vision for Smart Grid solutions that is secure, innovative, and robust.

Jim Hassman

General Manager, AMX Utilities

AMX International, Inc.

While the concept of the Smart Grid is just in its infancy, we all know enough to realize that it's pretty easy for hackers to obtain technologies used in today's grid, tear them apart, and find out ways to disrupt power systems and steal data passing through the grid.

AMX subscribes to any and all standards board's releasing integration and security standards for a smarter grid today and the Smart Grid of tomorrow. AMX is closely watching FERCs proposed policy statement and action plan released March 19, 2009 for any legislation that may implicate additional security standards for Smart Grid communication.

In addition, AMX's next generation Enterprise Utility Management suite, Utiligy360 released in 2008, is based on an open platform and also supports MultiSpeak standards. While this may sound counterintuitive to security, the most robust security systems out there are largely based on established standards. AMX uses Oracle BPEL framework for smart grid integrations and supports all industry SSL encryption standards over TCP/IP.

Kate Joslyn

President & CEO

Cognera

Security of our client data is always top of mind for us. To further enhance the emphasis we place on security of our client data we recently created the role of Corporate Compliance Officer. Our Corporate Compliance Officer is responsible for auditing all processes and procedures pertaining to the protection of client data as well as recommending and implementing enhancements where deemed appropriate. Additionally, as a result of reviews and analysis by third-party security experts, we have made a combination of hardware and software changes to ensure we are providing a best-in-class solution.

One such change that we have made is to implement Oracle's Virtual Private Database (VPD) to protect our clients' data. VPD restricts the data accessible to each user based on customizable configuration. Securing data at the database level ensures that users can only access their own data, regardless of how they are accessing it. VPD also ensures that a malicious attack from any application, primarily web-based applications, will not expose the entire database to the attacker.

Paddy Padmanabhan

General Manager

Head of Energy & Utilities Business, North America

Wipro has had a world-class IT security practice for many years. Wipro's Enterprise Security Solutions (ESS) practice offers a gamut of services that streamline security technologies and management processes to mitigate the risks and enhance the security assurance. ESS practice aids customers in defining, evaluating, implementing and managing robust security architectures that comprehensively meet their security needs. These capabilities have been leveraged by our utility clients to help them ensure cyber security processes and technologies, especially in the area of AMI.

Wipro, with its rich experience in security practice, has created an AMI (Advanced Metering Infrastructure) security framework approach. This framework evaluates various components and assets of AMI right from HAN (Home Area Network) devices, meters, communication devices, head-end system, MDMS (Meter Data Management System) to utility applications. This security framework defines the AMI security principles, identifies the assets that need to be assessed for the security risk, methodologies to identify a security risk and defining the controls to mitigate the potential risk. Wipro has implemented this security framework for several large utilities.

Wipro also provides consulting and delivery services in the area of architectural services for security rollouts in AMI, AMI intrusion detection systems, Identity & Access management and AMI security event monitoring and management.

Dan Sullivan

Managing Director of North America Utilities

Vertex Business Services

Vertex has always considered security a key issue and a core competency of ours. Given that we operate on three continents, we also have to make sure that we address security not only in the context of external threats but also in the context of jurisdictional-specific privacy aspects of data security. Smart Grid security is a valid concern not only because of potential vulnerabilities that can be created as some vendors rush products to market; but also the catastrophic impacts that could occur when a proper diligence regimen is not adhered to. We feel that the standards we meet and our experience in having our infrastructure support multiple markets allows us to meet our end of this critical issue. As an example, we currently serve 45 million consumers a year and manage nearly 30 million payment transactions, and have not had a security issue to speak of with this tremendous volume.

J. Kevin Swenke

Vice President

Nexant Inc.

In 2008, Nexant partnered with Promia to launch CIPGuard™, a comprehensive solution for implementing, monitoring and improving cyber-security compliance.

This initiative is particularly important for large-scale deployment of IP-enabled devices such as smart meters.

The value of CIPGuard comes from its capability to embed a risk management methodology in form of software rules into a common repository of all IP-enabled devices within a utility organization. These devices are automatically discovered and map to the proper business rules for CIP compliance. With such central repository, compliance rules are easily enforced and modified, thus reducing the cost of this critical activity.

Related to security of customer data, our billing solution continues to provide encryption of key data fields related to sensitive customer data and audit capabilities/reporting to track access.

Russ Vanos

Vice President, Marketing

Itron

The improvements in security to the overall energy grid proposed and implemented through the smart grid far exceed anything in place today. Security of advanced metering and Smart Grid networks is very much something that Itron and the utility industry has taken, and will continue to take, seriously.

OpenWay® by Itron, our AMI solution that utilizes smart meters and advanced two-way communication networks between the utility and each meter, is designed and architected to be secure. This solution makes attack unproductive, unappealing, unprofitable and traceable. In fact, in February, we released an enhanced security version of OpenWay that exceeds standard requirements by providing industry leading security consistent with Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) “Critical Cyber Asset” requirements, and National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) standards.

Itron has been and continues to be well-engaged with both government agencies and the utility industry in designing and providing standards-based security solutions.

Conclusions

The development of the Smart Grid inherently creates data privacy and security risks because of the nature and volume of the information they collect. It appears from the responses that the customer service information technology providers are certainly aware of the security concerns of the industry, and are actively addressing these concerns.

Many standards and enhancements will be coming to Smart Grid implementations in the near future. As developing power plants becomes more challenging both economically and socially, the industry will be forced to address energy usage and could shift from encouraged conservation to mandates for conservation. With new cyber threats on the grid, monitoring, controlling and optimizing the grid will be more critical than ever.

Back to UtiliPoint