December 8, 2016

Ukraine Cyberattack is a Wake-up Call for America’s Utility Grid

Still think all of those concerns about cybersecurity protections on the electric grid are overblown? Try asking the 225,000 people in Ukraine whose power was cut last December by a Russian hacking group that calls itself “Sandworm.” After installing malware, Sandworm’s savvy experts remotely switched breakers in a way that cut power to users, according to the Department of Homeland Security in the United States.

Making matters more damaging and disruptive, the same hackers may also have spammed the Ukrainian utility’s customer-service center with a barrage of phone calls designed to block real customers from reporting true conditions after the hackers breached the system, according to Reuters citing a report issued by SANS Inc.

While it is generally believed that the hack of the Ukrainian utility was the first of its kind, don’t think for a moment that hackers elsewhere weren’t encouraged, and possibly emboldened, to try the same thing in the United States or elsewhere.

FERC Recognizes Threats
The breadth and depth of complex electric utility networks make them uniquely vulnerable to cybersecurity threats. Officials in the U.S. are only too aware of this.

Evidence: In July, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability Corporation (NERC) to develop a new supply chain risk management standard that addresses risks to information systems and related bulk electric system assets.

“The 2015 cyberattack on the electric grid in Ukraine is an example of how cyber systems used to operate and maintain interconnected networks more efficiently can have the unintended effect of creating cyber vulnerabilities,” the agency said in its July notice.

The new or modified Reliability Standard is designed to address software integrity and authenticity, vendor remote access, information systems planning, and vendor risk management and procurement controls. In each case, the ability to keep a firm grip on document control is absolutely vital. There’s both good and bad news here. The good news is FERC is not forcing a “one-size-fits-all” requirement on anyone. The bad news is that this move places even more responsibility on those entrusted with the security of the utility grid to get the job done. Failure is not an option.


Document Control Demanded
FERC tasked NERC with developing a forward-looking, objective-based Critical Infrastructure Protection (CIP) Reliability Standard that requires each affected entity to “develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.”

FERC also took it a step further by issuing a Notice of Inquiry (NOI) into modifying CIP standards regarding the protection of control centers that are used to monitor and control the bulk electric system in real time. FERC seeks comments on possible modifications, and any potential impacts they may have on the operation of the Bulk-Power System, to address separation between the internet and the cyber control systems in control centers that perform transmission operator functions. The agency also wants to hear from industry regarding computer administration practices that prevent unauthorized programs from running, also called “application whitelisting,” for those cyber systems in key control centers.

DHS Spreads the Word: Security Matters
Circling back to the real-life situation in the Ukraine, it is important to recall that the Department of Homeland Security (DHS) initially downplayed the significance of the security breach. It changed its tune a few months later and launched a nationwide campaign at the end of March that included a dozen in-person briefings and online webinars designed to help those in the power infrastructure understand the latest threats.

“These events represent one of the first known physical impacts to critical infrastructure which resulted from cyber-attack,” acknowledged an announcement by the DHS Industrial Control Systems Cyber Emergency Response Team when the sessions were announced.

It went on, “The attacks leveraged commonly available tools and tactics against the control systems which could be used against infrastructure in every sector.”

In other words, the nation’s top cybersecurity officials realize they may have underestimated this threat to the utility grid. If they’ve changed their minds, it probably means those tasked with protecting America’s energy infrastructure ought to consider doing the same in the hopes of being ready to prevent or at least mitigate the next attempted terrorist strike. History tells us the threat is real. It also tells us the stakes are high.


There’s No Such Thing as HIPAA Certification: 4 Myths Surrounding Hosting Providers

Ron Shoop, SVP, National Sales Manager & Strategic Alliances, Medical Web Experts


As more physicians integrate their patient EMR with third-party patient portals, they are looking for clarification on many issues in order to stay within the various regulatory boundaries and to be Meaningful Use-attested. It can be difficult to differentiate fact from misconception, however, so let’s clarify and dispel 4 myths related specifically to HIPAA ‘certification’ among hosting providers.

Myth #1: My current or prospective hosting provider is HIPAA certified.
Fact: There is no such thing as a HIPAA certification for any organization, hosting company or provider. There are guidelines, and there are certifications that may include some or all of the guidelines as set forth in HIPAA. It is therefore impossible for a hosting company, patient portal vendor, or other health IT developer to be HIPAA certified. (A hosting company can, however, acknowledge what HIPAA is and state that they adhere to these regulations in their own business practices or in a particular product offering – which is currently being done with some hosting companies.)

Myth #2: My current or prospective hosting provider is SSAE16 certified.
Fact: In the hosting world, there’s an audit standard called SSAE16 (formerly SAS70). It’s important to understand that this is an auditing standard, which is a guide used for attestation to the standard. Therefore, there is no such thing as “SSAE16 certification.”

You can, however, complete an SSAE16 attestation engagement and receive different levels of reports. These reports are geared towards organizations that offer outsourced services that could affect the financial statements of a company using their services. Organizations that handle customer financial data receive an SSAE16/SOC 1 report. IT Infrastructure-as-a-Service (IaaS) solution providers – like most hosting companies – are audited under a standard based on AT section 101 of the AICPA professional standards and issue SOC 2 and SOC 3 reports. The guidelines as set forth in SSAE16 generally encompass the guidelines of standards such as HIPAA and PCI.

Myth #3: HIPAA is generally focused on how companies (and especially health providers) handle patient information.
Fact: In most cases, hosting companies don’t “handle” data. Therefore, it’s generally a low-risk situation as compared to how the software “transmits” data or how the “covered entities” (healthcare organizations, payers, EMR and patient portal vendors, etc.) control data access. There are some specific “rules” that can be interpreted as rules that a typical hosting organization would need to follow in order to meet HIPAA guidelines. It is, however, the responsibility of the healthcare organization to implement best practices to ensure that the data is kept secure from start to finish.

Myth #4: HIPAA has minimum server hardware requirements.
Fact: HIPAA guidelines don’t provide or even mention specific hardware requirements such as the use of firewalls or “certified” servers as some industry experts suggest. You can certainly receive advice from 3rd party vendors, but “caveat emptor” (let the buyer beware)!


About Ron Shoop:

Ron’s passion for patient portals was born in the fall of 2010 after having spent nearly 20 years as a Finance & Accounting Executive. When a prospective client first told him about the world of patient portals and telemedicine he immediately got it. Ron did an extensive amount of research on the subject – seeing who the players were in the marketplace, how far along they had developed their solutions, and understanding the challenges. He soon landed a position at a leading telemedicine company as a Senior Vice President, presenting Tele-Triage & Remote Patient Monitoring (RPM) solutions to self-funded corporations, state Medicaid divisions, and hospitals. He now lives his passion every day at MWE by providing patient portals and telemedicine solutions to prospective clients. Ron is SVP, National Sales Manager & Strategic Alliances, Medical Web Experts.


Medical Device Cybersecurity Risks Are The Wrong Kind of Halloween Fright

Michael Causey, Editor & Publisher,


Well, Halloween is approaching boys and girls. And while it’s fun to don a Dracula (or Miley Cyrus) costume and get some yucks faux scaring folks, the FDA is acting like a responsible parent by setting up a medical device cybersecurity educational seminar later this month in Arlington, VA. It appears to have filled up already, but a webcast recording will be made available.

Getting a tiny adrenalin rush when a nine-year-old Frankenstein jumps out at you in the dark is one thing; finding out some nineteen-year-old hacker has infiltrated your proprietary product and customer information isn’t the right kind of fright.

Seems like someone out there in the bureaucracy has a little sense of humor, because October is National Cybersecurity Awareness Month. FDA, along with the Department of Health and Human Services and the Department of Homeland Security, hopes to bring together a wide swath of stakeholders, including medical device makers, at its Oct. 20-21 “Collaborative Approaches for Medical Device and Healthcare Cybersecurity.”

Participants will be encouraged to help regulators identify barriers to promoting medical device cybersecurity; discuss innovative strategies to address challenges that may jeopardize critical infrastructure; and enable proactive development of analytical tools, processes, and best practices by the stakeholder community in order to strengthen medical device cybersecurity. It’s shaping up to be a good agenda, but it’ll probably only be as strong as the attendees who show up to share war stories and discuss best practices with regulators and others.

Broadly speaking, the symposium hopes to help advance medical device cybersecurity by swapping information about the most current online threats, identifying gaps, advancing usage of the feds’ “Framework for Improving Critical Infrastructure Cybersecurity”, and developing tools and standards to build robust, comprehensive protection programs, among other areas of focus.

One of the topics will be the FDA’s new guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” released Oct. 2. That guidance provides some helpful definitions (helpful in the sense that this is how the FDA views the world), and what kind of cybersecurity protection program the agency expects from medical device makers and their kin.

Some say the threat of medical device security hacks has been hyped up a bit. I’m no expert there. But a report issued earlier this year from a cyber expert at SANS Institute (sponsored by cybersecurity vendor Norse), says some 94% of medical institutions report being victims of some type of cyberattack. This isn’t a report specifically about medical device makers, and I’m certain the vast majority of the attacks were relatively small and easy to thwart. Regardless, those numbers deserve some attention.

Hyped or not, I don’t imagine you’ll see an attendee at FDA’s event getting a jump on Halloween and showing up dressed as a sophisticated hacker, though. That’s just too scary.


FERC Order to Impose Stricter Physical Security Standards on Electric Utilities

Trey Kirkpatrick, Vice President, Energy & Utilities Compliance, AssurX Inc.


On March 7th, FERC released a new order (Docket No. RD14-6-000) directing the North American Electric Reliability Corporation (NERC) to develop new reliability standards for the NERC registered entities, the owners and operators of the Bulk-Power System, to address the risks due to physical security threats and vulnerabilities.

“Because the grid is so critical to all aspects of our society and economy, protecting its reliability and resilience is a core responsibility of everyone who works in the electric industry,” FERC Acting Chairman Cheryl LaFleur said. “Today’s order enhances the grid’s resilience by requiring physical security for the facilities most critical to the reliable operation of the Bulk-Power System. It will complement the ongoing efforts of FERC and facility owners and operators to ensure the physical security of the grid.”

In the Commission’s release, the order directed the owners and operators of the Bulk-Power System to take at least three steps to protect physical security.

Gerry Cauley, NERC President and CEO, released a statement on NERC’s website:

“On Friday evening, March 7th, FERC issued a directive to NERC to develop reliability standards to address risks due to physical security threats and vulnerabilities. As you know, FERC Acting Chairman Cheryl LaFleur asked NERC to work with her staff to determine the need for a mandatory standard for physical security. I believe we identified a path forward that focuses on the most critical assets, incorporates risk assessment and further affirms foundational physical security efforts, while providing enough flexibility to avoid prescriptive, lock-step regulation. Any standard must be dynamic and adaptable to the constantly changing threat environment. As we review the order, I take seriously the comments made by all the Commissioners to ensure that a standard achieves the goals identified in a cost effective manner.”

As mentioned in a previous AssurX blog, NERC and Industry Move in the Right Direction for Greater Reliability, security vulnerabilities of the electric grid have been a focus for the regulators and registered entities since the attack by gunmen at a California (Metcalf) substation.

Commissioner John Norris, writing a separate opinion, wants Congress to act on protecting sensitive security information: “I believe that our success in developing a comprehensive approach to addressing physical vulnerabilities relies at least in part on Congress taking steps to ensure the confidentiality of sensitive security information regarding the physical vulnerabilities of our grid. Currently, industry remains concerned that confidential security information submitted to the Commission would be subject to disclosure through Freedom of Information Act requests. These concerns have understandably left industry reluctant to provide the Commission with its most sensitive security information related to potential physical threats or vulnerabilities to our power grid. A reliability standard will likely have limited impact if industry, NERC, and the Commission remain unable to safely and securely exchange such information. Thus, I urge Congress to act expeditiously by creating a clearly-defined exemption to the Freedom of Information Act to allow for such exchange of information without fear of disclosure.”


Electronic Medical Records: Don’t Feel So Secure


Patrick Stone, President, TradeStoneQA

How often do we see HIPAA violations issued because a regulated entity did not secure the electronic records at the hospital and small clinics? Large scale security breaches and, sometimes, the selling of your e-records by various third party sources are in the news. In Massachusetts and New Hampshire an e-record vendor recently admitted to large scale e-record breaches. The FDA has provided some guidance on what is expected for e-records, but no real guidance on security. That may be one of the reasons that so many of the E-Systems I have reviewed meet the minimal requirements but have security vulnerabilities.

The second half of this story will send shivers down your spine, and then make you mad. Your e-records are being sold to insurance companies, debt collectors, and prospective employers. Yes, your e-records are for sale to the highest bidder. The 1996 HIPAA law left provisions for certain entities to access your entire medical record. Some of the stolen or hacked e-records get sold, and that’s terrible of course, but ironically most of the time your e-records are sold it is “legal.” Securing medical e-records comes with a price, and even with some of the best security there may still be a breach. In most business models for building e-record systems, security is last on the list. Sadly, it doesn’t appear to be much different in the healthcare industry.

So, what’s to be done?

Will it take a 21st century modernization of HIPAA, written almost twenty years ago and before the e-record mandate? Or will we limp along with legislation that is increasingly showing its age?

In our digital age of e-records our security should be ensured, since we pay for the care we receive. HHS and Congress should be focusing on this, but they are currently being distracted by advocating or decrying Obamacare.

And speaking of Obamacare, that new law also has some troubling provisions about who is allowed access to your records, and some “interesting” exceptions to those provisions.

But don’t get me started on Obamacare implementation before we deal with HIPAA.

For now we can only trust (read: hope) but not verify who really has access to our medical e-records that are weakly protected by a 20th century law.

Patrick Stone is the author of Bubble Gum Badge – An FDA His-Story. You can also follow him on Twitter.



FDA Seeks to Plug Swiss Cheese-size Holes in Medical Device Security Systems

Michael Causey, Editor & Publisher,


The Internet giveth and the Internet taketh away.

For years, we’ve been hearing about the benefits online tools will bring to the medical industry, especially at hospitals and physicians’ offices. Many of those promises have come true, and it’s been a benefit for patients and industry.

But that sound you are hearing could be the other shoe dropping.

Perhaps reacting in part to a sobering year-long series by The Washington Post finding big, big holes in medical device security systems, the FDA this week (June 17) issued a new safety communication urging hospitals to take this threat to medical devices seriously.

Meantime, the FDA has been a busy beaver. Last week the agency issued an alert and notices bulletin advising the industry to shore up key medical device security provisions.

Among its recommendations for responsible medical device manufacturers:

  • Kick the tires on your program designed to limit unauthorized device access to trusted users.
  • Utilize stronger security controls such as user authentication, user ID and password, smartcard or biometrics; strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
  • Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
  • Provide methods for retention and recovery after an incident where security has been compromised.
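As an added illustration of the first three recommendations (example code written for this post, not code from the FDA or any device maker), here is a device technical-access login in the hard-coded form that the Post series exposed, beside a hardened form with a per-device hashed credential, lockout, and a fail-safe that keeps the clinical function running. The passwords, device identifier and the “therapy” state are constructed.

```python
import hashlib
import hmac
import os
import time

# Illustrative code added to this post; not FDA or vendor code. Passwords,
# device identifiers and the clinical "therapy" state are constructed.

PBKDF2_ROUNDS = 100_000

# --- Before: the pattern behind the "300 passwords" finding ----------------
# One technical-access password baked into the firmware of every unit.
HARDCODED_SERVICE_PASSWORD = "service123"  # constructed value


def vulnerable_service_login(password: str) -> bool:
    """Every device in the fleet accepts the same secret; reading one
    firmware image (or one service manual) unlocks all of them."""
    return password == HARDCODED_SERVICE_PASSWORD


# --- After: per-device credential, hashed, rate-limited, fail-safe ----------
class DeviceAccessControl:
    """Technical-access login following the recommendations above:
    authenticate users, avoid hard-coded passwords, and keep the critical
    function running when the security boundary is under attack."""

    MAX_FAILURES = 5          # failed attempts before the service port locks
    LOCKOUT_SECONDS = 300     # how long the service port stays locked

    def __init__(self, pw_hash: bytes, salt: bytes, clock=time.monotonic):
        self._pw_hash = pw_hash          # loaded from protected config at boot
        self._salt = salt
        self._clock = clock              # injectable so the demo can fake time
        self._failures = 0
        self._locked_until = 0.0
        self.therapy_running = True      # the device's critical function
        self.security_events: list[str] = []  # feeds the audit log / SIEM

    @staticmethod
    def provision(password: str) -> tuple[bytes, bytes]:
        """Run once per unit at installation; the hash and salt (never the
        password itself) are what get stored on the device."""
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                     PBKDF2_ROUNDS)
        return digest, salt

    def is_locked(self) -> bool:
        return self._clock() < self._locked_until

    def login(self, password: str) -> bool:
        now = self._clock()
        if now < self._locked_until:
            self.security_events.append("login attempt during lockout")
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        self._salt, PBKDF2_ROUNDS)
        # Constant-time comparison avoids a timing side channel on the hash.
        if hmac.compare_digest(candidate, self._pw_hash):
            self._failures = 0
            return True
        self._failures += 1
        self.security_events.append("failed technical-access login")
        if self._failures >= self.MAX_FAILURES:
            # Fail-safe mode: only the service interface locks; therapy keeps
            # running because stopping it would harm the patient.
            self._locked_until = now + self.LOCKOUT_SECONDS
            self._failures = 0
            self.security_events.append("service port locked out")
        return False


def demo() -> dict:
    """Exercise both versions with a fake clock and return the observations."""
    now = [0.0]
    pw_hash, salt = DeviceAccessControl.provision("unit-7-technician-pw")
    dev = DeviceAccessControl(pw_hash, salt, clock=lambda: now[0])
    result = {
        "hardcoded_default_works_on_every_unit":
            vulnerable_service_login("service123"),
        "hardened_rejects_default": not dev.login("service123"),
        "hardened_accepts_provisioned": dev.login("unit-7-technician-pw"),
    }
    for _ in range(DeviceAccessControl.MAX_FAILURES):
        dev.login("wrong-guess")
    result["locked_after_brute_force"] = dev.is_locked()
    result["correct_pw_refused_while_locked"] = (
        not dev.login("unit-7-technician-pw"))
    result["therapy_still_running"] = dev.therapy_running
    now[0] += DeviceAccessControl.LOCKOUT_SECONDS + 1
    result["recovers_after_lockout"] = dev.login("unit-7-technician-pw")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```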

No, neither Woodward nor Bernstein was involved in The Post piece, but it’s pretty thorough and damning for the medical device industry nonetheless.

Security analysts at cyber security firm Cylance found it was depressingly easy to figure out hundreds of passwords for sensitive surgical equipment, patient monitors, and other devices.

“We stopped after we got to 300,” Billy Rios, who found the passwords with his colleague Terry McCorkle, told The Post.

They tell me Swiss cheese holes are the result of bacteria popping (some use a grosser word). I’m no foodie, leaving that to fellow blogger Kim Egan and celebrity chefs, but I do understand that these are “good” holes.

Holes in medical device security programs are not among them.


Part 2: Cloud Vendor Selection for Your Life Science Company – Strategies to Ensure Benefits and Mitigate Risk

Russ King, Managing Partner, Methodsense

Know your Cloud options

Cloud computing is defined to have several deployment models, each of which provides distinct trade-offs when migrating applications to a cloud environment. NIST defines the cloud deployment models as follows:

  • Private cloud: The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
  • Community cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g. mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
  • Public cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
  • Hybrid cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

Choosing the correct deployment can depend on who needs to access the service, budget and security concerns.

Private clouds are the most secure and most expensive. Private clouds allow companies to have isolated sections of a cloud where you can launch resources in a virtual network. You can have complete control over your virtual networking environment and place your backend systems, such as databases or application servers with no Internet access. You can limit access to these servers based on access control, physical hardware, and IP address. A Private Cloud is therefore mostly suited for sensitive data, where the customer is dependent on a certain degree of security. Private Clouds, to an extent, lose the economy of scale compared to a Public Cloud.

Community clouds spread costs over fewer users than a public cloud. This option is more expensive but may offer a higher level of privacy, security and/or policy compliance.

Public clouds are the least expensive deployment. When most people think about cloud computing, they think of a public cloud deployment. All resources are shared but can be secured. If you are comfortable with the level of security of your cloud provider or have budget constraints, public clouds are your best option.

Hybrid clouds are the typical deployment model for most enterprises. In this cloud deployment model, an organization provides and manages some resources in-house and has others provided externally. The main benefit of the hybrid cloud is that it provides the scalability and low costs of a public cloud without exposing mission-critical applications and data to third-parties.

Know your privacy, security and disaster recovery needs

When it comes to privacy, security, and disaster recovery, you need to first determine your requirements and budget. The Cloud provider can provide you tools to help protect your data, but you need to implement those tools. For example, Cloud providers can allow you to limit access to your data based on physical machine or location; but you need to remove those access rights when the machine or location no longer needs access.


Your Cloud provider needs policies, processes, and control activities for the delivery of each of their services. The collective control environment encompasses the people, processes, and technology. Your Cloud provider needs well trained staff with limited physical access to your data, and processes that protect your data and technology by keeping prying eyes away from sensitive areas. Accordingly, you should choose a Cloud vendor that maintains proper certifications like SAS 70 (the Statement on Auditing Standards No. 70), ISO/IEC 27001, and FISMA.

You also need to ensure the Cloud provider stores your data in the proper region. The selection of a region within an acceptable geographic jurisdiction to the customer provides a solid foundation to meeting location-dependent privacy and compliance requirements, such as the EU Data Privacy Directive.

You need to have proper disaster recovery controls in place. A traditional approach to disaster recovery involves different levels of off-site duplication of data and infrastructure. Critical business services are set up and maintained on this infrastructure and tested at regular intervals. The disaster recovery environment’s location and the source infrastructure should be a significant physical distance apart to ensure that the disaster recovery environment is isolated from faults that could impact the source site. Accordingly, it is important that your Cloud provider has data centers in different physical locations that are isolated from faults at the other data centers. When dealing with a disaster, it’s very likely that you will have to modify network settings as you fail over to another site. For the most critical systems you want to choose a Cloud provider that will allow you to automate the changing of the network settings.

Although the Cloud provider is responsible for maintaining the infrastructure, it is still your responsibility to test your disaster recovery plan.

Choose a Cloud Vendor who can support your FDA Quality Management System needs

Cloud vendors commonly implement quality measures ranging from verbally shared processes and practices to SOPs and trouble ticket software to highly structured Quality Systems.  However, advertising a level of quality management does not guarantee that the Cloud Vendor will meet your life science quality management expectations.  To meet your compliance obligations, your cloud provider may need to make existing processes and procedures more robust and in a way that is more collaborative than they originally intended. Be aware that many Cloud Vendors consider their services to be proprietary and comprised of trade secrets, which may make collaborating around quality more difficult.

Choose a Cloud Vendor who can support your FDA Vendor Management needs

When selecting your Cloud Vendor, be sure they support your vendor management obligations. Cloud vendors who rightly take pride in their SAS 70 Type II certification, for example, often mistakenly insist that the certification should satisfy all quality and auditing needs. These certifications frequently focus on security issues and may not sufficiently cover life science regulatory concerns. Life science companies face validation requirements and regulatory concerns that go above and beyond SAS 70 certification, such as installation qualifications, change control, audit trails, electronic signatures, and permissions configuration. These requirements should be defined for the cloud environment and services and then implemented in your Service Level Agreements.

Be prepared to massage and coax the understanding of the vendor for cooperation before and during this process. By educating the Cloud Vendor about your requirements, you’ll be much more likely to complete a successful migration to the cloud.

Conclusion: Your Cloud Vendor needs to be a partner who fits into your regulatory and quality framework.

Shifting your technology operation to the cloud can garner many significant benefits including:

  • Improved scalability and cost savings
  • Increased access to and utilization of key business assets
  • Improved controls on security and data access
  • Increased innovation due to collaboration and availability of resources

However, regulatory burdens are not abated by shifting to the cloud, and Cloud Vendors today are by and large unschooled on FDA regulations, which, if not addressed, can create risk.  Life science companies should select a Cloud Vendor with the expectation that many will depend on coaching and assistance in order to meet regulatory requirements.   The Cloud Vendor’s ability to accept and then in a timely fashion respond to your regulatory requirements should, therefore, become a highlighted vendor characteristic in your vendor selection criteria.

Read Part I of this series here.

About the authors:

Russ King is President of Methodsense, a consulting firm that helps clients deliver medical and technological breakthroughs by effectively meeting the requirements needed to bring their products to market.   He can be reached at (919) 313-3962 or

Jason Rock is Chief Technology Officer of GlobalSubmit, a products and services company that provides transparency in regulated healthcare products. He may be reached at  888-840-9580.


Do You Know About Heavyweight NERC CIP 011-1?


Ron Lepofsky, President, ERE Information Security Auditors

Electrical utilities are already challenged with the process of becoming certified for compliance with the NERC CIP standard for IT security.

The NERC CIP standard is evolving, thank goodness. Perhaps you haven’t noticed the innocuous sounding proposed new standard now in the creation process. To me it looks like the heavyweight in the list of otherwise fairly general standards.

It’s called CIP 011-1 BES Cyber System Protection (in draft) and can be found at the end of the NERC CIP list of standards.

In order to understand this new standard in context, it is useful to look at the other existing standards which are as follows:

CIP 001-1 Sabotage Detection
CIP 002-1 Critical Cyber Asset Identification
CIP 003-1 Security Management Controls
CIP 004-1 Personnel and Training
CIP 005-1 Electronic Security Perimeter(s)
CIP 006-1 Physical Security of Critical Cyber Assets
CIP 007-1 Systems Security Management
CIP 008-1 Incident Reporting and Response Planning
CIP 009-1 Recovery Plans for Critical Cyber Assets
CIP 010-1 BES Cyber System Categorization (in draft)
CIP 011-1 BES Cyber System Protection (in draft)

What’s Different about CIP 011-1

NERC CIP 011-1 puts a knockout punch into NERC CIP by defining very specific control points. These control points do not contradict other CIP standards but instead are drilldowns and complementary to them.

In my opinion 011-1 control points resemble NIST security control points defined in the document: Recommended Security Controls for Federal Information Systems and Organizations. The 011-1 control points, which I have listed below for clarity, will be costly to implement and to audit but I think they are specifying critical requirements to harden our electrical security grid.

CIP-011-1 Table R3 – Cyber Security Training
CIP-011-1 Table R5 – Physical Security for BES Cyber Systems
CIP-011-1 Table R6 – Physical Access Control Systems
CIP-011-1 Table R7 – Account Management Specifications
CIP-011-1 Table R8 – Account Management Implementation
CIP-011-1 Table R9 – Access Revocation
CIP-011-1 Table R10 – Account Access Control Specifications
CIP-011-1 Table R11 – Wireless and Remote Electronic Access Documentation
CIP-011-1 Table R12 – Wireless and Remote Electronic Access Management
CIP-011-1 Table R13 – Remote Access Revocation
CIP-011-1 Table R14 – Wireless and Remote Electronic Access Controls
CIP-011-1 Table R15 – Malicious Code
CIP-011-1 Table R16 – Security Patch Management
CIP-011-1 Table R17 – System Hardening
CIP-011-1 Table R18 – Security Event Monitoring
CIP-011-1 Table R19 – Communications and Data Integrity
CIP-011-1 Table R20 – Electronic Boundary Protection
CIP-011-1 Table R21 – System Boundary Protection
CIP-011-1 Table R22 – Protective Cyber Systems
CIP-011-1 Table R23 – Configuration Change Management
CIP-011-1 Table R24 – Information Protection
CIP-011-1 Table R25 – Media Sanitization
CIP-011-1 Table R26 – Maintenance
CIP-011-1 Table R27 – Cyber Security Incident Response Plan Specifications
CIP-011-1 Table R28 – Cyber Security Incident Response Plan Testing Specifications
CIP-011-1 Table R29 – Cyber Security Incident Response Plan Review, Update, and Communication Specifications
CIP-011-1 Table R30 – Recovery Plan Specifications
CIP-011-1 Table R31 – Recovery Plan Testing Specifications
CIP-011-1 Table R32 – Recovery Plan Review, Update, and Communication Specifications

Wouldn’t it knock us all out if we found out that critically important NIST standards were finally being implemented by the custodians of our electrical grid?

Have a secure week. Ron Lepofsky, CISSP, CISM, B.A.Sc. (Mechanical)

Weighing Pros and Cons of Energy Storage Technologies

James Holler, Founder, Abidance Consulting

Last time we made the argument that advanced energy storage has a demonstrable track record of positive environmental and economic benefits. Now let’s look at some of the energy storage technologies available in today’s marketplace:

Dynamic Power Resources (DPR)

  • Ramp Rate Control: DPRs monitor output from a renewable generation source on a microsecond basis and automatically respond by either absorbing renewable output or supplying additional power, so that the grid receives smooth, clean power at a desired MW/minute ramp rate.
  • Firming/Shaping: Coupling a DPR with a renewable generation forecast allows the utility to organize its other generation resources to meet expected demand based on guaranteed day-ahead renewable output schedules, and to reshape output so that power is delivered during peak demand times whether or not the renewable asset is generating at that moment. If a forecast is inaccurate, the DPR automatically supplies or absorbs power on a microsecond basis to ensure the day-ahead output schedule is met.
  • Curtailment Mitigation: When the utility needs to curtail renewable output, the DPR can make use of all of the as-available fuel by storing the curtailed power and redistributing it at other times throughout the day, whenever the grid needs additional energy.
  • Ancillary Services: The speed and accuracy of a full four-quadrant DPR are unmatched by typical generation resources.
    • Voltage Support: The DPR can supply and absorb reactive power (VARs) while simultaneously supplying real power (Watts). This allows the system to maintain a target power factor while continuing to provide the other real-power services described in this section.
    • Frequency Regulation: The DPR can respond to AGC signals and to frequency deviations with sophisticated control algorithms that help maintain nominal grid frequency. It is capable of providing frequency support during a loss of generation or a system disturbance, as well as addressing the less severe frequency deviations that arise from normal grid operations throughout each day.
    • Spinning Reserve: The DPR’s sizing scheme allows the customer to add more energy storage (MWh) so that the unit acts as a back-up power reserve for extreme generation-trip scenarios, supplying power while offline generation units ramp up to replace the lost generation.
  • Transmission and Distribution Upgrade Deferral: Instead of undertaking costly T&D upgrades, a utility can deploy DPRs to supply power for incremental increases in load and to improve reliability on weak or congested T&D lines.
  • Peak-Shaving/Load-Leveling: Similar to ramp rate control but over longer periods, a DPR can absorb and provide power, charging during off-peak times for use during on-peak times. Peak loads are reduced, which ultimately lets traditional generation run more efficiently.

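To make the ramp rate control and curtailment behaviour described above concrete, here is an added illustration (not code from the article or from any DPR vendor) of a simplified minute-by-minute ramp limiter with a finite energy store; the MW, MW/min and MWh figures are constructed sample values, and the function name is hypothetical.

```python
# Added example: a simplified DPR ramp-rate limiter with a finite energy store.
# All numbers below are constructed for illustration; a real controller works on
# a far finer time base and with many more constraints.

def ramp_rate_control(renewable_mw, limit_mw_per_min, capacity_mwh, soc_mwh,
                      step_min=1.0):
    """Smooth a renewable output series so the delivered power never changes
    faster than limit_mw_per_min, absorbing or supplying the difference from
    storage while the state of charge (soc) allows it.

    Returns (delivered_mw_per_step, final_soc_mwh, ramp_violations).
    A violation is counted whenever the store is too full or too empty to hold
    the limit, which is the failure mode an operator needs to alarm on.
    """
    delivered = []
    soc = soc_mwh
    violations = 0
    prev = renewable_mw[0]            # nothing to smooth against at t=0
    max_delta = limit_mw_per_min * step_min
    for raw in renewable_mw:
        # Ideal output: the raw value clamped to within one ramp step of the
        # previous delivered value.
        target = min(max(raw, prev - max_delta), prev + max_delta)
        storage_mw = raw - target     # >0 absorb (charge), <0 supply (discharge)
        energy = storage_mw * step_min / 60.0   # MWh moved in this step
        if energy > 0:                # charging: cannot exceed free capacity
            energy = min(energy, capacity_mwh - soc)
        else:                         # discharging: cannot go below empty
            energy = max(energy, -soc)
        soc += energy
        actual_storage_mw = energy * 60.0 / step_min
        out = raw - actual_storage_mw # what the grid actually receives
        if abs(out - prev) > max_delta + 1e-9:
            violations += 1           # storage limit broke the ramp limit
        delivered.append(round(out, 3))
        prev = out
    return delivered, round(soc, 6), violations


if __name__ == "__main__":
    # Constructed sample: a cloud passes over a 50 MW solar array for two minutes.
    solar = [50, 50, 20, 20, 50, 50]
    print(ramp_rate_control(solar, limit_mw_per_min=5, capacity_mwh=10, soc_mwh=5))
```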
James Holler is founder of Abidance Consulting.


Energy Storage Delivers Financial, Environmental Benefits for Power Entities

James Holler, Founder, Abidance Consulting

Advanced energy storage has proven that it delivers significant environmental and economic benefits as well as superior Bulk Electric System (BES) reliability. Let’s look at some of its key benefits:

Reduces the Need for Reserve Power Plants: Electricity storage technologies provide effective methods of responding to daily fluctuations in demand. Electricity produced at off-peak hours can now be stored and used later to meet demand spikes, reducing the need for expensive, aging, carbon-emitting fossil-fired reserve generation plants.

Cuts the Cost of Power Failures: Because of the aging U.S. electricity grid, the DOE estimates that electricity outages and interruptions cost the U.S. approximately $150 billion annually. Electricity storage technologies can provide power to the grid to “bridge” gaps and smooth out short-term fluctuations until backup generation sources can be brought online.

Boosts Renewable Energy Integration: Wind and solar power are the two largest carbon-free renewable resources. But both are intermittent, varying widely in the energy they can provide at any one time of day because of shifting wind patterns and passing cloud cover over solar panels. Power storage technologies can smooth out this variability and allow unused electricity to be dispatched later, when it is needed at peak times. In addition, paired with renewables, energy storage can provide regulation services such as ramp control, curtailment mitigation, firming/shaping of power and other grid reliability services.

About six energy storage technologies are currently available in the market: pumped hydropower, batteries, compressed air energy storage, flywheels, superconducting magnetic energy storage, and electrochemical capacitors. Solid-state battery technologies are suited to quick, modular, scalable deployments with few environmental risks. We’ll survey each in our next blog tomorrow.

James Holler is founder of Abidance Consulting.