
February 7, 2008
DYONYX participates in global utility security panel
Mr. Tom Kropp, Director of Energy Services at DYONYX, was privileged to be invited as a panelist at the final conference of the European Union GRID project, at which the GRID Project’s roadmap for research into cyber protection of the electric power grid was announced. This meeting was held in Brussels on 7 February 2008. EU Representatives discussed the philosophy and development decisions which guided the development of the GRID Roadmap and Mr. Kropp represented the US view on a panel which discussed practical considerations for implementing the roadmap.
DYONYX recognizes the significant commonalities in the security considerations for the Electric Power Grid in Europe and North America. Mr. Kropp, who joined DYONYX in January 2008 after managing EPRI’s transmission cyber security program for several years, brings strong international experience to DYONYX. Among other international ties, Mr. Kropp is the designated United States representative to CIGRE’s SCD2 Study Committee. CIGRE is the International Council on Large Electric Systems, based in Paris.
The GRID Project’s roadmap is titled “ICT Vulnerabilities of Power Systems: A Roadmap for Future Research.” It was developed only after significant input from electric power companies in both North America and Europe.
The European Union has the same concerns about cyber security of the electric power grid as does North America. The EU pays close attention to what happens in North America and is well aware of our actions and policies, such as the report on the 2003 blackout and the NERC CIP cyber security standards. For this conference, they were particularly interested in the North American perspective on three questions:
- How can European and international R&D projects facilitate the transition from labs to industrial uptake?
- Which could be the best way to balance incremental solutions with the fast pace of technological evolution and the urgency of security requirements?
- Which mechanisms can be mobilized for promoting the involvement of all stakeholders?
These questions addressed concerns under the three main areas of investigation supported in the GRID roadmap:
- Risk and Vulnerability Assessment Tools and Methods
Future work should focus particularly on the relations between the ICT (Information and Communication Technologies) functions and the power system. The assessment should support the risk management by the single operator as well as the governance of the whole infrastructure, including cross-border aspects.
- Control Architectures and Technologies
Due to their complexity, full redesign of control architectures for power systems is not suitable, so that research and development must focus on their upgrade. ICT upgrades in control centers that expose protection and control functions to unsecured access along with the existing use of telecommunications may introduce vulnerabilities. In that context, understanding cascading effects of ICT faults on power system functionality and developing mitigation failure mechanisms is crucial.
- Awareness and Governance of Risk in Society
A general culture of risk awareness will have to permeate the human, organisational and societal dimension of the power infrastructure, embracing the physical and ICT aspects of the systems. Future developments should also focus on the creation of educational tools and methods that not only make power engineers aware of ICT security risks and vulnerabilities, but also of how such vulnerabilities interact with the electric grid and what can be done to prevent and mitigate risks.
As does the “Roadmap to Secure Control Systems in the Energy Sector,” the GRID roadmap lays out research goals for the near term (0 – 3 years), the mid-term (3 – 8 years) and the long term (8 – 15 years). While these differ in length from the DOE-sponsored roadmap, they convey the same idea of scheduling research efforts to obtain results as soon as possible while recognizing that some efforts require more time and must be planned accordingly. Just as the DOE-facilitated roadmap contained a “Vision for Securing Control Systems in the Energy Sector:”
In 10 years, control systems for critical applications will be designed, installed, operated, and maintained to survive an intentional cyber assault with no loss of critical function,
the GRID roadmap contains a “Vision for the power systems of 2020:”
The power system maintains efficient and secure operation and continues fully utilizing its ICT functionalities without loss of load, in spite of incidents occurring in supporting ICT systems or intentional cyber assaults.
There are two differences of particular interest between the North American and European Union roadmaps:
- The GRID roadmap of necessity must consider cooperation between multiple independent nations sharing a common electric power grid. Unlike the United States and Canada, which have cooperated in managing a joint electric power grid for decades, this situation is relatively new for Europe, where national electric grids were the norm until just a few years ago.
- The GRID roadmap recognizes the need to increase the awareness of security issues in society. Indeed, it will not be possible for electric power companies to fund the security requirements without public support of the cost increases which will accompany increased security.
DYONYX believes that activities which foster the exchange of information between European, Asian, and North American electric power companies are of great benefit to all three regions. Our issues and concerns are more similar than they are different, we are all served by the same control system vendors, and we all have the primary goal of providing safe and reliable energy to support our citizens, our businesses, and our governments.
Readers seeking more information on the GRID project should visit the GRID Project web site at http://grid.jrc.it or contact DYONYX at (214) 726-0201 or (415) 672-5393.
DYONYX is an IT and Management Consulting Firm specializing in working with government and enterprise customers to assess, design, deploy, and support programs that complement the operation of their critical infrastructures. Using a proven set of methodologies, coupled with deep technical skills and industry specific experience, DYONYX consulting services have been widely acclaimed in providing comprehensive analysis and workable security solutions.

