Cyber Security and

Privacy Program
2014 Annual Review

Addressing Existing and Emerging Threats

to an Interconnected Electric System through
Technology, Processes, and Standards

Cyber Security Overview

Contents
3 Introduction

Review of 2014 and Introduction to 2015 Research

4 183A Cyber Security and

Privacy Technology Transfer

and Industry Collaboration

Dear Cyber Security Advisors and Industry Stakeholders,

8 183B Cyber Security

Technologies

Welcome to the 2014 Cyber Security and Privacy Program Annual Review. This brochure summarizes
the research results produced by the program in 2014 and presents our research plans for 2015.

12 183D Information Assurance

Cyber security has become a critical priority for electric utilities. The evolving electricity sector is
increasingly dependent on information technology and telecommunications infrastructures to
ensure the reliability and security of the electric grid. Cyber security measures must be designed and
implemented to protect the electrical grid from attacks by nation-states and hackers. Strong cyber
security measures can also support the grids resiliency against inadvertent threats such as equipment
failures and user errors.

15 Supplemental Project Updates

16 US DOE Projects
18 Cyber Security and Privacy

Team Members
19 Summary of Deliverables
20 Abbreviations

As utilities continue to deploy advanced monitoring and communications systems to support widearea situational awareness applications, distributed energy resources, distribution automation, and
advanced metering infrastructures, they face several cyber security challenges:
Combination of legacy and next-generation equipment in operational environments
Convergence of information technology and operational technology for power control systems
Separate security architectures and incident management systems for operational domains
Insufficient security management tools for the networks, systems, and end devices that are in the
field
Uncertain regulatory and legislative environment for cyber security.
The Electric Power Research Institutes (EPRIs) Cyber Security and Privacy Program addresses the
emerging threats to an interconnected electric system through collaborative research on cyber security
technology, standards, and business processes to protect the electric grid.
Ongoing program activities include:
Security solutions and implementation guidance for legacy systems
Security management and protection technology for power delivery systems
Incident management for power delivery systems
Methodologies for assessing and monitoring risk
Metrics to support the risk assessment activities
Improving procurement methodologies and language to support cyber security.

Reach the EPRI Cyber Security team

at: CyberSecurity@epri.com

In 2015, the program will develop lab-based implementations for several of these activities, including
advanced incident correlation techniques and security management technology for intelligent
electronic devices (IEDs). The program will continue to refine and pilot approaches to assessing and
monitoring risk.
Galen Rasche, Senior Program Manager

The EPRI Cyber Security and Privacy Program

addresses the cyber security challenges
facing the electricity sector by developing
security architectures, creating new security
technologies, and performing lab assessments
of technologies. Since the rapid pace of change
in the electricity sector creates a challenging
environment for utilities, the program also
monitors the activities of industry groups and
helps members understand the cyber security
impact of new technologies.

Cyber Security and Privacy Technology

Transfer and Industry Collaboration
This project set provides a high-level view of the cyber
security and privacy landscape coupled with a broad
view of ongoing collaborative efforts within the electric
sector. The landscape and newsletter updates are issued
quarterly, while more frequent webcasts provide a deeper
dive into specific technical topics. Face-to-face meetings
provide additional opportunities to network and to learn
about and contribute to industry collaborative efforts.

EPRIs Cyber Security and Privacy Program provides:

Status of industry and government collaborative
efforts and standards initiatives
Guidance on developing cyber security strategies
and selecting requirements
Practical approaches to mitigating system risk
Technology for protective measures for power
delivery systems
Early identification of security gaps through lab
assessments of security technology
Technology to support managing cyber security
threats to power systems.
Utilities may use the products developed by this
program to improve the security monitoring of their
operations systems, to enhance their current cyber
security posture, and to increase the security of systems
that are deployed in the future.

Cyber Security Technologies

Information Assurance

This project set explores several topics affecting power

delivery systems, including developing an integrated
security operations center, demonstrating DNP3 Secure
Authentication Version 5, and applying a network
management system to a substation environment. Issues
impacting legacy equipment and security interoperability
are also addressed.

This project set focuses on security issues that affect

multiple operational domains at a utility. This includes
approaches to building security controls into power
delivery systems, a methodology for applying a maturity
model assessment to evaluate the security posture of
operations systems, and guidance for implementing cyber
security risk management.

Cyber Security and Privacy Technology Transfer and Industry Collab

EPRI continues to keep pace with

new technologies, best practices,
and policies related to cyber security.
Active participation and contribution
to collaborative efforts and interest
groups helps the EPRI technical staff
keep utility members informed about
industry activities and helps increase
the usability of the work products of
these groups. Two main projects are a
part of technology transfer and industry
collaboration efforts: 1) a quarterly
newsletter and 2) the white paper,
Guidelines for Justifying Risk-Based
Cyber Security Control Projects for
Utility Business Units.
The quarterly newsletter is a single
reference for members so they can
monitor research developments
and the activities of interest groups.
Coverage of international activities
continues to expand as security threats
become more global in nature, this
year incorporating news on cyber
security activities in Europe.
The white paper examines
approaches for creating risk-based
business cases for cyber security
controls in utility business units. Many
utilities currently prioritize cyber security
investments for their operations systems
based on regulatory requirements.
By leveraging a risk-based approach
to implementing security controls,
utilities can more effectively prioritize
their investments while increasing their
overall security posture.
The Project 183A lead is Galen Rasche,
Senior Program Manager,
grasche@epri.com

Success Story:
183A Working Group
Overview

The development of strong business

cases for cyber security risk mitigation
projects has been a challenge for many
electric utilities in the past. This process
is especially difficult for projects that
are focused on mitigating risk within
the operations business units such as
transmission, distribution, or generation.
With the goal of aiding member utilities in
this process, EPRI has launched a targeted
working group composed of members
of program 183 project set A. As one of
the core efforts within this working group,
utilities are sharing examples of successful
business cases and the processes that
develop them. Through this effort, there
have been some initial findings that will
help participants in the short term and
chart the course for future working group
tasks and deliverables.

Project Risk Mitigation and

Business Cases

As one of the initial topics for the working

group, the various techniques employed
for risk management at participating
utilities were reviewed. Specifically, the
prioritization of various cyber risks was
important to the working group due to
its role in ranking risk mitigation efforts.
The utility advisors were in agreement
that properly understood risks lead to
appropriately targeted risk mitigation
business plans and successful risk
mitigation projects.
While the central focus of the working
group was cyber risk mitigation for

business projects, it is almost impossible

to discuss cyber security in the operations
business units at utilities without
addressing regulatory compliance
driven projects. This comes from the
understanding that the majority of cyber
security related projects that impact these
operational business units are currently
driven by regulatory standards such as
NERC CIP or other external mandates.
Many advisors were interested in changing
that dynamic by proactively addressing
cyber risk before the risk mitigation
measure or control becomes mandatory.
This approach has multiple benefits
for the utility since it is able to address
each risk, based on unique aspects of
environment or existing architecture while
also exercising the control outside of a
regulatory compliance program.
Longer term benefits beyond the
initial business case development and
project execution were also identified.

By developing risk mitigation business

cases instead of waiting and reacting
to regulatory standards, a utility is
much more capable of adjusting
and preempting threats in a dynamic
landscape. Some of the advisors noted
that this agility would produce benefits
as the regulatory standards change,
such as the transition from CIP v3/4 to
v5. Utilities that only react to mandatory
standards face a daunting task with the
NERC CIP transition due to the extremely
significant leap between these versions
of CIP requirements. In the case where
utilities had already moved beyond the
mandatory bounds of CIP to address
specific security risks, they were generally
more prepared to make the adjustments
to process artifacts and evidence required
by version 5.
Moving beyond the justification for
using risk management techniques to
develop project business cases and scope,

oration (183A)

guidelines for the development of strong

business cases were explored. The value
of risk mitigation projects within the
typical paradigm of cost-benefit analysis
was one of the first hurdles to overcome
in the development of a compelling
business case. In the most common
perception of a business case, the costbenefit relationship may be quantified in
financial terms by return on investment or
ROI. For many common utility projects,
this metric can be calculated using a
standard set of assumptions and inputs.
One example could be an extension of
the power distribution infrastructure to
serve a new load. In this case, additional
power sales revenue would be the core
benefit while the cost is the total expense
of all the new infrastructure and resources
required to serve this new load. Since the
majority of business cases are quantified
or measured in this way, many regulated
entities set rates and develop budgets
by applying their pre-defined ROI to all
relevant project outlays in a given time
period. Cyber security risk-mitigation
projects are an anomaly in this system
since the expected return is difficult to
quantify. In a broad sense, these projects
serve to protect the anticipated return of
other projects by mitigating risks to the
continuing operation of the power grid.
This complicates the evaluation of cyber
security risk mitigation projects and forces
the individual developing the business
case to dig deeply into the likelihood
and potential impact of certain risks to
establish the connection to core business
drivers such as reliability, safety, and
efficiency.
With the central benefit of risk
mitigation projects being separated from

core utility business drivers by one or more

degrees, this connection is important
to preserve for the benefit side of the
business case. One example discussed
within the working group involved
mitigation measures that served to protect
networks that carried critical traffic for
applications such as transmission systems
SCADA and EMS. In this scenario, the
relationships among the network, the
critical applications, and the operational
impacts that might occur without these
applications must be well understood
and communicated to budgetary
decision makers. These relationships
would be difficult to communicate in
the best case, and with the additional
separation through organizational division
of responsibilities across the various
systems; the difficulty is increased by an

Strong cooperation
between OT and IT
is the key to articulate
a business case
that mitigates the
consequences of
a cyber-induced
failure or disruption
of mission-critical
operations.
Dennis K. Holstein, OPUS Consulting
Group

order of magnitude. To effectively roll

these relationships up into a compelling
narrative that communicates the bottom
line risk to an executive with budgetary
responsibility is a significant achievement.

Benefits to Utilities: A Business

Case Catalog and More

As most would imagine, assembling

these business cases requires a high
degree of coordination across the various
organizations and disciplines involved.
This coordination comes from greater
communication between those responsible
for traditional IT domains like networks.
One significant strength of the working
group is the diversity in technological
backgrounds both across the IT and
operational domains and within each
domain. As an output of each working
session there has been at least one
completely new scenario or relationship
that has been discovered through the
open discussions. To preserve the value
of these connections, future efforts within
the working group will be focused on
developing a catalog of business cases
available to all members of the cyber
security program.
This business case catalog will be
based on elements of utility-submitted
business cases as well as newly developed
cases. Each business case documented
will be focused on a commonly applied
risk mitigation control, and will include
general information concerning the risks
addressed, potential relationships among
various systems, and key elements of
cost. Based on initial feedback from the
utility advisors the following risk mitigation
controls will be explored in future work:
Substation segmentation and isolation

Advanced management of legacy IEDs

Application of software-defined
networking on control system networks.

In addition to the value captured by the
development of the business case catalog,
this effort will advance the level of
understanding outside each individual
participants existing technology domain.
This improved understanding can
also be applied within each member
utility to improve cross-organizational
collaboration, in addition to the
development of stronger cyber risk
mitigation business cases. In the
continuing maturation of cyber security
within operations business units, the
transition from mandatory compliance
driven cyber security projects to cyber risk
mitigation projects is a large step with
significant benefits. By contributing to the
business case development process, this
working group will positively impact those
who participate or use the business case
catalog.
Ultimately, the process that is used
to create the business cases may
create additional value beyond the risk
assessment output. Through the open
discussion facilitated by the business case
development process, each operational
subject-matter expert will learn more
about cyber risk. In turn, each contributor
with a cyber security background will
learn more about the operations business
units and the priorities that drive them.
As a result, all participants derive benefit
from the process along with a better
understanding of their organizational role
in the management of risk.
For more information: jstewart@epri.com
5

Cyber Security and Privacy Technology Transfer and Industry Collaboration (183A)
Cyber Security and Privacy Industry Tracking Newsletters

Cyber Security and Privacy

Newsletter (183A)
Utility personnel are often unavailable
to track and participate in the numerous
industry groups and public-private
partnerships that help shape new security
requirements and technologies. The
quarterly Cyber Security and Privacy
Newsletter addresses this challenge by
offering a single point of reference for
utility staff so they can stay abreast of
changes in the industry.
The newsletter contains reports on the
present state of standards and guideline
developments, as well as regulatory
governance. It informs readers of cyber
security meetings and events in North
America and abroad. EPRI cyber security
research and technology developments
from across the industry are also
updated. Newsletters published for the
2014 funding year include editions in
April, July, and October 2014, and one in
December 2014.

Newsletters are available on the

Cyber Security and Privacy Cockpit on
www.epri.com.
April 2014 - 3002003319
July 2014 - 3002003325
October 2014 - 3002003327
December 2014 - 3002003328
The Cyber Security and Privacy
Newsletter allows utility advisors
to stay up-to-date on key industry
activities as well as EPRIs cyber
security research projects.

Cyber Security White Papers

Guidelines for Justifying Risk-Based

Cyber Security Controls for Utility
Business Units (183A)
Drawing from utility field experience
and insights from subject-matter experts
across the industry, EPRI published a
white paper that examines the challenges
faced by utilities as they develop riskdriven business cases for cyber security
controls. Specifically, these risk mitigation
measures target business or operations
units that historically are organizationally
separate from the IT cyber security
function.
Currently, many projects related to
security in these areas are primarily
driven and justified by regulatory
compliance and do not specifically
emerge as the output of an independent
risk assessment program.

This report identifies the challenges of

developing effective, risk-based business
case justifications for implementing cyber
security controls and recommends a future
approach for addressing these issues.
3002000391
Creating effective, risk-based business
cases for cyber security controls
allows organizations to successfully
prioritize their investments in cyber
security.

For more information: grasche@epri.com

 Looking Ahead to 2015

The landscape of cyber security activities in the electricity sector involves
numerous industry, government, and regulatory groups. While tracking
these groups can be a daunting effort, it is critical for utilities to be up-todate on key industry activities.
In 2015, this project set provides members with a current view of
industry activities through active participation in several collaborative
organizations and interest groups. Participation in this project set provides
access to credible industry experts who interpret, support, contribute
technically, and bring the utility perspective to these fundamental
and foundational groups. Additionally, EPRI will continue developing
guidelines and approaches for justifying risk-based cyber security
controls for utility business units.

Project Set Offers:

Active participation in and

contribution to:
CIGRE, the International Council
on Large Electric Systems
European Network and
Information Security Agency
(ENISA)
International Electrotechnical
Commission (IEC)
Institute of Electrical and
Electronics Engineers (IEEE)
Information from this project
such as detailed summaries of
industry activities will be
provided through a quarterly
newsletter. In addition, EPRIs
cyber security experts are
available to answer questions
and support the utility advisors.

Reach the EPRI Cyber Security

team at: CyberSecurity@epri.com

Value to Members:

Reduce risk through increased

awareness
Visibility of cyber security
developments
Help in shaping standards
Efficient tracking of industry
efforts
Ask the Expert - Direct access
to EPRI Cyber Security staff

How to Use the EPRI Cockpit

Members and Non-Members:
Search for Reports.
Example: 3002003739

www.epri.com

Members: Log in
at either link

Member Login:
Program Cockpits
Choose Program
Status of Projects
Research Results
Meetings

Cyber Security Technologies (183B)

This project set addresses several

challenges facing operators of power
delivery systems, such as reducing
the security risk to legacy systems,
developing protective measures, and
managing cyber incidents to increase
the resiliency of the grid.
In 2014, three distinct security
projects were included in this project
set. These involved strategies for
legacy systems, protective measures,
and managing incidents for power
delivery systems. The legacy effort
entailed working with vendors and
utilities on the use of DNP3 Secure
Authentication Version 5. The protective
measures research enabled progress
in developing a secure management
architecture, and the research on
managing incidents resulted in
the development of guidelines for
integrating electric utility control center
systems into an integrated security
operations center.
The Project Set 183B lead is
Ralph King, Principal Technical Leader,
reking@epri.com

Success Story:
Cyber Security Technologies
DNP3 Secure Authentication
Overview

2014 witnessed significant progress

in the adoption of the Secure
Authentication features available for
the DNP3 (Distributed Network Protocol
3) protocol. This included results of
interoperability tests conducted by
multiple vendors at an EPRI Plug-Fest,
as well as development of utility-focused
guidelines on implementing DNP3 Secure
Authentication.

Background

The severity and sophistication of

security threats against the electric power
grid continues to increase requiring
protective measures for the various
systems and devices that comprise the
operational network. Since DNP3 is the
most widely used utility communications
protocol in North America, securing this
communication is an important protective
measure for operators of power delivery
systems. DNP3 provides communication
among computers, field devices, and
systems in control centers and substations,
such as intelligent electronic devices
(IEDs) and remote terminal units (RTUs).
Additionally, the National Institute of
Standards and Technology (NIST) Smart
Grid Interoperability Framework has
recognized DNP3 as one of the key
standards, IEEE 1815, to be used in smart
grid deployments.

Project Interoperability Tests

EPRI, along with key technology vendors,
accomplished a major milestone for
securing DNP3 communications on
September 17, 2014. EPRI hosted a
Plug-Fest event with several cyber
security solution providers, conducting

the first Secure Authentication/Version 5

(DNP3 SAv5) Multi-Vendor Interoperability
Test. DNP3 SAv5 communication is
more secure than previous versions. The
increase in security of this latest version is
achieved by ensuring messages are sent
from a trusted source and have not been

tampered with through a man-in-the

middle attack, and that eavesdropping of
the message has not occurred.
The interoperability test took place at
EPRIs Cyber Security Research Lab in
Knoxville, Tennessee. Twelve technical
experts representing nine industry vendors
took part in the three-day event, including
Applied Systems Engineering, Eaton,
ESCRYPT, GRIDCO, OSI, NovaTech,
Schneider Electric, Subnet, and Triangle
Microworks. Over two-hundred tests
were completed over a three day period,
including topology, protocol, and key
management tests. Leading the testing
event was Grant Gilchrist, an industry
authority on DNP3, from EnerNex
Corporation. Following the event, Gilchrist
commented:
We were all extremely pleased about
how well the Plug-Fest went. To have
so few problems when connecting up
this many vendors for the first time is
a wonderful tribute to the hard work
of all the people at the IEEE, IEC and
DNP Users Group who developed and
reviewed the standard.
Jacques Benoit of Eaton Corporation
provided these comments about the event:
DNP3 Secure Authentication is the
industrys answer to the growing concern
about the security of the electrical sector.
From the very beginning, Eatons Cooper
Power Systems has chosen to support
this technology as it helps meets the

performance requirements of automation

systems, which is not always the case
with solutions designed for IT systems.

The DNP3 Plug-Fest

provided a unique
opportunity for vendors
to demonstrate that
Secure Authentication is
mature and that products
can work together to
provide the security that
utilities now require.
Jacques Benoit, Eaton Corporation

Project Workshop and Guidebook

for Utilities
Following the interoperability test, EPRI
hosted a DNP3 technology transfer
workshop on November 6, 2014 in
Knoxville, Tennessee. Representatives
from several electric power utilities
and solution providers attended the
event. The workshop provided detailed
information regarding EPRIs DNP3
SAv5 Implementation Guide, authored
by Gilchrist, and a live demonstration
that together helped transfer the
technology to the electric utilities that
are planning to adopt and implement

Vendor technologists at the Plug-Fest

the standard. Besides demonstrating the

basic functionality of DNP3 SAv5, the
workshop provided a demonstration of
a hybrid environment of devices utilizing
DNP3-SAv5, DNP3-SAv2, and nonsecure protocols. Another important part
of the demonstration was showing a key
management solution that was designed
as part of the overall DNP3 Secure
Authentication project.

We were all
extremely pleased
about how well the
Plug-Fest went.
Grant Gilchrist, EnerNex

The final milestone of the project was

the delivery of EPRI Technical Update
3002003736, DNP3 (IEEE Std 1815TM)
Secure Authentication: Implementation
and Migration Guide and Demonstration
Report. This report serves as a tutorial
for implementing DNP3 SAv5, providing
guidelines for design, implementation,
and migration to the standard.
Additionally, the report provides detailed
results from the multi-vendor operability
test or Plug-Fest.

Benefits to Utilities

The work from this project and the report

provide guidance to operators of power
delivery systems to enhance the security
of their operational network utilizing
the protective measures and features of
DNP3.
For more information: reking@epri.com
9

Cyber Security Technologies (183B)

Security Strategies and Solutions
for Legacy Systems

Protective Measures for Securing

T&D Systems

Each year, advisors provide input on the

key legacy security systems issue they
would like included in EPRI research.
In 2014, implementation of DNP3
(Distributed Network Protocol 3) Secure
Authentication Version 5 was the top
choice. DNP3 is an IEEE standard
communications protocol used primarily in
the electric power industry.
The project involved testing, training,
and the creation of an implementation
guidebook. In addition, EPRI sponsored a
Plug-Fest event at which several cyber
security vendors conducted interoperability
tests. A training workshop for utilities
was held in November, at which vendors
demonstrated the interoperability of their
products. A DNP3 Secure Authentication
Version 5 Implementation and Migration
Guide incorporates results of the Plug-Fest
and the workshop, and details how to
migrate to DNP3 SAv5.
This report will help utilities transition to
DNP3 Secure Authentication Version 5 in
their power delivery environments.
3002003736

The objective of this project is to develop

a security management architecture for
power delivery systems so that network
operations centers (NOC), SCADA
operations, substations, and field
equipment supporting these functions
have a consistent set of information
security objects in place and built on a
standards-based taxonomy.
The 2014 project focus was analysis
of IEC 62351-7 implementations and
applications for network and system
management for intelligent electronic
devices (IEDs). A workshop in the last
quarter of 2014 helped convey research
findings, and a report on the assessment
of IEC 62351-7 describes use cases and
the implementation of a prototype system
in EPRIs lab.
The implementation of the IEC 62351-7
standard developed in this project clearly
demonstrated the value of advanced
technology in securing and monitoring
power delivery systems and networks.
3002003738

DNP3 SAv5 offers utilities a

straightforward approach to securing
the integrity and authenticity of
communications to their field devices.
10

Advanced network and system

management allow utilities to more
effectively monitor and manage
operational systems health and
security.

Managing Cyber Security

Incidents for T&D Systems

Monitoring and correlating events across

a utilitys entire enterprise is critical to
staying ahead of todays advanced threats
and attacks on electric utilities. This
project entails identifying strategies and
guidelines that utilities can use to integrate
electric utility control center systems into
an integrated security operations center
(ISOC). An ISOC is designed to collect,
integrate, and analyze alarms and logs
from traditionally siloed organizations,
providing much greater situational
awareness to the utilitys security team.
The 2014 research focused on
understanding potential attack scenarios,
developing requirements, understanding
the impact of different ISOC architectures
on the security monitoring process, and
developing guidelines for implementation.
Research results are available in
Guidelines for Integrating Control Center
Systems into an Integrated Security
Operations Center. 3002003739

The integrated security operations
center approach allows utilities to
efficiently detect and correlate events
across organizational and functional
boundaries.

For more information: reking@epri.com

 Looking Ahead to 2015

The severity and sophistication of security threats against the electric power grid continues
to increase, requiring protective measures for the various systems and devices that
comprise the operational network. The operators of power delivery systems face significant
challenges as they work to deter, prevent, or mitigate these threats. These challenges
include protecting legacy equipment, improving the ability to monitor the health of
operational equipment, and effectively managing security incidents.
This project set addresses these challenges by developing protective measures through
a focus on procedures, emerging standards, and innovative security tools that provide
end-to-end security and support defense-in-breadth strategies. In addition, this project set
investigates managing cyber incidents through advanced security operational intelligence,
detection, response, and recovery to increase security operational awareness that can
improve the resiliency of the grid. This includes correlating cyber events with physical
access control and monitoring systems.

Project Set Offers:

Focus on end-to-end security and

defense-in-breadth capabilities, such as:
Network and system management
for power delivery systems and field
networks
Protective measures for legacy devices
Integrated security operations center
(ISOC) test bed for verifying incident
detection methodologies

Value to Members:

Understanding how to apply protective

measures
Advancing technology for threat
intelligence, incident detection,
response, and recovery from cyber
incidents
Applying standards to cyber security
technology
Monitoring and management of
substation and field network security
Providing guidelines for integrating
substations and field devices into an
ISOC

Reach the EPRI Cyber Security team at: CyberSecurity@epri.com

11

Information Assurance (183D)

Security challenges that affect multiple

operational domains at a utility are
the focus of this project set. Projects
involve designing security into products,
creating security metrics for the electricity
sector, and refining risk assessment
methodologies for
power systems.
There were three
main projects in
2014. The first
was establishing
cyber security
requirements that
were tailored to the
power industry, with
specifications that
can be used during
the procurement
process. The second
was providing practical guidance
on implementing cyber security risk
management. The third was providing
application guidance for performing a
capability maturity model assessment
on systems using the U.S. Department
of Energy (DOE) Electricity Subsector
Cybersecurity Capability Maturity Model
(ES-C2M2). The guidance stems from a
joint effort with DOE and several utility
trade organizations including the Edison
Electric Institute (EEI), the National
Rural Electric Cooperative Association
(NRECA), and the American Public
Power Association (APPA)as well as
EPRI utility members.
The Project Set 183D lead is
Annabelle Lee, Senior Technical Executive,
alee@epri.com

12

Success Story:
Risk Management in Practice
Overview

This success story details an EPRI project to

help utilities assess and apply the various
cyber security guidance documents. This
entailed compiling and evaluating existing
documents and comparing appropriate
applications of each.

Background

Currently, the nations power system

consists of both legacy and next
generation technologies. This increased
digital functionality provides a larger
attack surface for any potential
adversaries, such as nation-states,
terrorists, malicious contractors, and
disgruntled employees. The U.S. federal
government has responded to all of
these changes in technology and the
threat environment by developing and
updating cyber security guidance. Utilities
are dedicating significant resources to
understand the guidance and determine
what is applicable. For many utilities with
limited cyber security technical expertise,
attempting to understand and implement
all this guidance is daunting. The objective
of the EPRI project was not to develop a
new guidance document, but to assist
utilities in navigating all the diverse
existing guidance that is applicable to the
electric sector.
New grid technologies are introducing
millions of novel, intelligent components
to the electric grid that communicate in
much more advanced ways (two-way
communications, dynamic optimization,
and wired and wireless communications)

By examining,
comparing, and
indexing cyber
security documents
from across the
utility space, EPRI
helped utility
employees answer
a critical question:
Which documents do
I need for my cyber
security efforts, and
where do I start?
Maurice Martin, CRN Program
Manager, NRECA

than in the past. These new components

will operate in conjunction with legacy
equipment that may be several decades
old and provide little to no cyber security
controls. In addition, with alternative
energy sources such as solar power and
wind, there is increased interconnection
across organizations and systems. With
the increase in the use of digital devices
and more advanced communications,
the overall cyber risk has increased. For
example, as substations are modernized,
the new equipment is digital, rather
than analog. These new devices include

commercially available operating

systems, protocols, and applications with
vulnerabilities that may be exploited.

Risk Management in Practice

A Guide for the Electricity Sector
Some utilities have the technical expertise
to assess and use the various documents
as part of an overall cyber security risk
management program. However, not
all utilities have in-house expertise and
must rely on external organizations and
guidance. In addition, some utilities
are being asked by management and
by regulatory organizations, such as
state public utility commissions (PUCs),
to demonstrate how they meet the
requirements and/or content of these
various documents. Currently, responding
to these requests is difficult because there
is no overarching guidance that tells
utilities how to get started.
To address this constantly changing
environment including new technology,
threats, guidance, and regulations, EPRI
initiated a collaborative effort with DOE,
utilities, the trade associations, CarnegieMellon University, and researchers. The
goal was to assist utilities in assessing
and applying the various cyber security
documents, rather than developing new
guidance.
The first task was to develop a
flowchart that related the guidance
and methodologies of an enterprise
risk management process and strategy,
focusing on cyber security. All the new
cyber security guidance needs to be

The T&D Cybersecurity [risk assessment methodology] RAM allows our

business units to identify risks, map risk decisions to mitigation outcomes,

and model risk by mapping the companys susceptibility and the potential
impact to the company. It has transformed our risk management process
by enabling leadership to make informed business decisions based on
cybersecurity risk. Joe Sagona, Southern Company
Enterprise Risk Management
Process and Strategy

Financial Risk
Strategy

DOE Risk
Management
Process

Cyber Security
Risk Strategy

Executive
Order
13636

NIST
Cybersecurity
Framework

Mission Risk
Strategy

included in the context of an overall

enterprise risk management process
and strategy. The flowchart (at left) has
been used by utility cyber security staff in
meetings with management, to provide an
overview of cyber security.
The second task was to provide a
comparative analysis of the referenced
documents. All of the documents included
in the diagram are at different levels of
specificity and may be used for different
purposes related to managing cyber
security risk. For example, the ES-C2M2
may be used to determine the maturity
level of an organization and the National
Institute of Standards and Technology
Interagency Report (NISTIR) 7628 security
requirements may be used as part of a
cyber security risk assessment of specific
control systems.

Benefits to Utilities

NESCOR Risk
Assessment
Methodology

ES-C2M2

Maturity Model
Methodology

NISTIR 7628

Control-Based
Methodology

NERC CIPs

Compliance
Methodology

NEI 08-09/
NRC RG 5.71
Organizations

IT and OT
Systems

NRECA
Guidance

ES-C2M2
Application
Guidance

Bulk Electric
Systems

Currently, there are many versions of

the comparative analysisdeveloped
by utilities and contractors. The goal of
the EPRI project was to have a common
baseline set that is publicly available at
no cost and may be used by everyone.
This first version is not intended to be
finaland the goal is to have people use
the comparative analysis tables included
in the risk management report and the
companion documents and provide
comments for future versions.

For more information: alee@epri.com

13

Information Assurance (183D)

Assessing and Monitoring Risks

A cyber security risk management

framework provides the basis for
determining the type, nature, and severity
of cyber security risks facing a utility and
provides the basis for all subsequent risk
decision making, including mitigating or
accepting risks. The number and diversity
of cyber security guidance documents
can create confusion among utilities
since many of the documents address the
same subject from different perspectives
at different levels of detail.
The goal of the project is to provide a
framework and comparative analyses of
existing guidance that may be used by
cyber security practitioners in addressing
cyber security.
As with development of security
metrics, EPRI collaborated with the
U.S. DOE and with the utility trade
associations NRECA, EEI, APPA, and
individual member utilities to create the
risk management in practice guidance.
3002003333, 3002004712
A framework is provided for utilities
to practice navigating the existing
diverse cyber security guidance that is
applicable to the electricity sector.

14

Security Metrics for Energy

Delivery Systems

Metrics are needed to help prioritize cyber

security systems and their underlying
requirements. In addition, metrics aid in
identifying and implementing cyber security
mitigation strategies. Metrics can be used
to determine the effectiveness of security
controls within energy delivery systems and
the environments in which they reside.
The goal of the project is to focus
on applying the Electricity Subsector
Cybersecurity Capability Maturity Model
(ES-C2M2) methodology to IT and OT
systems. Initially, the ES-C2M2 was
intended for organizations to determine
their maturity levels in the ten domains.
As with development of the risk
management in practice guidance, EPRI
collaborated with multiple organizations
to create the security metrics document,
including U.S. DOE, Carnegie-Mellon
University, individual member utilities, and
utility trade associations such as NRECA,
EEI, and APPA.
Having security posture metrics allow
the utility to determine the current status,
define the target posture, identify gaps
between the two, and develop mitigation
strategies. 3002003332
A utility may use the results of the
ES-C2M2 system assessments to
determine the current security posture
of utility systems.

Security Design and Architectures

Cyber assets deployed by utilities must

be developed in a manner that ensures
security and they must be installed
with necessary cyber security controls.
Securing devices after they are deployed
in a production environment is a difficult
undertaking and may result in significant
performance impacts and cost. This
project was created to establish a security
requirement specification that is tailored
for power delivery procurements.
A workshop for members was held
in the last quarter of the year to review
the mapping document and provide an
update on the project results.
3002003331
Utilities need a crosswalk of
corresponding cyber security
requirements from different
documents to more effectively develop
their procurement specifications.

For more information: alee@epri.com

 Looking Ahead to 2015

Supplemental Projects Updates

NERC CIP

Information assurance is afforded through a variety of activities. These include

designing security into products, ensuring that unnecessary or ineffective cyber
security controls are not implemented, addressing current and emerging cyber
security vulnerabilities and threats, and identifying and prioritizing cyber security
risk.
This project set will focus on developing an integrated grid platform security
architecture, creating security metrics for the electricity sector, and developing risk
assessment methodologies that are designed for power systems.

Project Set Offers:

Continuous monitoring metrics

to measure the effectiveness of
security controls
Risk assessment process flow
supporting U.S. Department of
Energy cyber security maturity
model
S ecurity architecture to support
resiliency and optimize the value of
distributed and centralized energy
resources

Value to Members:

Reduce risk of investments in cyber

security solutions and resources
Better assessment of security
posture of power delivery systems
Consistent cyber security risk
management process

Reach the EPRI Cyber Security team at: CyberSecurity@epri.com

Cyber security standards have been

developed as a result of continual threats
to business and process control networks.
In recent years, electric utilities that are
part of the bulk electric system (BES)
have established cyber security programs
to ensure compliance with the critical
infrastructure protection (CIP) standards
of the North American Electric Reliability
Corporation (NERC).
Compliance with NERC CIP
requirements is non-trivial and requires
IT staff and control engineers to work
together to implement and maintain
a cyber security program for control
systems. Version 5 of the NERC CIP
Standards has been approved by the
Federal Energy Regulatory Commission
(FERC) with some required revisions.
Although compliance with the currently
mandatory Version 3 of NERC CIP has
been difficult for utilities, the upcoming
Version 5 requirements will increase
the scope of cyber assets that must be
compliant. This will create significant
challenges as new devices and systems
come under the purview of NERC CIP
Version 5. Some of these challenges
include:
Legacy devices that cannot meet current
and future requirements
Lack of compliance trained staff
Ten standards instead of the eight in the
previous four versions
Total of fifteen newly defined terms
All policy and procedure documentation
must be updated with new terminology
and impact levels.

The objective of this project is to provide

techniques for transitioning to the
upcoming NERC CIP Version 5 Standards.
This will assist utilities in identifying gaps in
current tools that have been employed to
address the CIP requirements. This project
includes the following:
Strategies and tools for transitioning
existing cyber security programs from
the current Version 3 to Version 5
Identification of gaps in current tools
Concentration on tools in the following
areas: configuration and patch
management, applying NERC CIP v5 to
substations, and information/physical
protection of information.

For more information: alee@epri.com

15

Supplemental Projects Updates

Secure Remote Substation Access
The Secure Remote Substation Access
supplemental project is focused on
exploring specific architectures and
solutions that will facilitate remote
engineering access and provide strong
access control. With the continuing
pressures on utilities to do more with
less, many have adopted a centralized
system management and maintenance
philosophy that allows authorized users
to remotely interact with field devices.
This access allows utilities to respond
rapidly to dynamic conditions on the grid
and enables the creation of centralized
teams of experts that focus on targeted
components or technologies instead of
the geographically dispersed support
model. As the grid monitoring and control
systems become increasingly complex
and interrelated, it becomes difficult for
these distributed maintenance personnel
to support the same wide range of
technologies locally.
In addition to the utilities who are
driven by efficiency or system complexity,
there are others who are participating
in this project solely for security or
compliance reasons. These participants
recognize the need to maintain strong
access controls, and understand that
even recently designed control systems
may not provide these services natively.
To effectively protect and manage
access to these critical devices, external
appliances and applications must be
integrated in to the control infrastructure.
The most effective security measures
in this case minimize the opportunity
to circumvent the access controls by
controlling all of the credentials required
for access. This allows the end user to
authenticate to a single tightly controlled
16

entity that facilitates access to any

number of devices. While this appears
fairly straightforward in principle, the
existing population of devices with
proprietary interfaces for both credential
management and engineering access
complicate the situation significantly. The
ultimate desire to find a single system
that can enable only authorized access to
the entire population of capable devices
is currently unrealizable. Since many
utilities are attempting to find solutions for
a similar set of devices and systems, the
collaborative research approach is ideal
for solving this problem.
At a 2014 workshop held in Atlanta,
Georgia, the upcoming years focus
and priorities were discussed. To better
understand the requirements associated
with deploying a remote access or
access control system, the IntelliGrid
methodology was applied to develop
scenarios that will be expanded into
use cases. As these requirements are

extracted from the use case process, the

team will determine how best to perform
testing in the EPRI Smart Grid & Cyber
Security Research Lab. The testing will be
iterative with continuous collaboration
with system vendors to identify and
resolve gaps if possible. One particularly
valuable outcome of this process will be
documentation of industry-wide gaps that
will require entirely new solutions.
Ancillary systems required for secure
remote access and access control will
also be included in the project to ensure
that all aspects of a secure solution are
addressed. Some related topics that have
been discussed with the membership
include the following:
Active Directory or LDAP (Lightweight
Directory Access Protocol) deployment
guidelines
Vendor software hosting requirements
Integration with an enterprise password
vault
Technician laptop or test equipment
integration.
At the conclusion of this project, the
participants should be prepared to
improve an existing remote access or
access control solution or effectively
design and requisition a new system that
takes advantage of the current state of
technology. Additionally, participants
will be well aware of existing technology
gaps that will require mitigation through
manual processes until comprehensive
industry solutions are achieved. This
process of gap resolution should be
accelerated by the ongoing involvement
of system vendors and the collaborative
pressure that will be applied by all
participating utilities.

For more information: jstewart@epri.com

Electric Sub-Sector Cyber Risk

Assessment and Failure Scenarios
Assessments
In the development of the Electric
Sector Failure Scenarios and Impact
Analysis v.1 document, a total of 106
scenarios with seven domains were
identified. The NESCOR teams did
not develop failure scenarios for bulk
electric system (BES) generation. BES
generation includes conventional,
nuclear, and renewable power sources
that provide power to the bulk electric
system. The failure scenarios will
include developing threat models,
ranking the scenarios, and identifying
common mitigation for these new
failure scenarios. The generation failure
scenarios will be added to the existing
Electric Sector Failure Scenarios and
Impact Analyses document. In addition,
the common mitigation and common
vulnerabilities analysis document will
be updated.

U.S. Department of Energy (DOE) Projects

National Electric Sector Cyber Security
Organization Resource (NESCOR)
The National Electric Sector Cybersecurity
Organization Resource (NESCOR) is a
U.S. Department of Energy (DOE) funded
public-private partnership that is led by
EPRI.
The NESCOR project focused on cyber
security for control systems in the electric
sector with an emphasis on system
availability and integrity. Also, the electric
sector has performance requirements that
must not be degraded and contains legacy
equipment with minimal or no cyber
security controls. All of these differences
in the electric sector require research
to develop appropriate cyber security
strategies, requirements, and technologies.
The NESCOR project had several subrecipients but also relied on contributions
from volunteers from utilities, academia,
and the research and vendor communities.

The NESCOR project concentrated on:
Assessing existing cyber security
standards for domains of the electricity
sector, e.g., distributed energy resources
(DER), and wide area monitoring,
protection, and control (WAMPAC), and
cryptography standards;
Developing guidance on penetration
testing, vulnerability assessments, risk
assessment, and design principles for
the electricity sector. This guidance built
upon the guidance that was developed
for IT and telecommunications sectors;
Developing failure scenarios that are
intended to be useful to utilities for risk
assessment, planning, procurement,
training, tabletop exercises, and security
testing. A cyber security failure scenario
is a realistic event in which the failure to
maintain confidentiality, integrity, and/or
For more information: alee@epri.com

availability of sector cyber assets creates

a negative impact on the generation,
transmission, and/or delivery of power.
Finally, one of the goals was to ensure
the sustainability of NESCOR. EPRI
implemented several cost share projects
that augmented and complemented the
NESCOR projects. These projects will
continue over the next several years. In
addition, EPRI has established a NESCOR
SharePoint site that includes all of the
deliverables produced throughout the
term of the project. This SharePoint site is
available to current NESCOR participants.
Secure Policy-Based Configuration
Framework (PBCONF)
PBCONF is a DOE funded Cybersecurity
for Energy Delivery Systems (CEDS)
research project. The CEDS projects are
funded through the Office of Electricity
Delivery and Energy Reliability research
development program, which aims to
enhance the reliability and resilience
of the nations energy infrastructure by
reducing the risk of energy disruptions due
to cyber attacks. EPRI partners include
the University of Illinois, Ameren, and
Schweitzer Engineering Laboratories.
PBCONF is an interoperable, open-source
framework for secure remote configuration
of modern and legacy devices.
A s todays cyber threats continue to
advance, ensuring the security and
resiliency of energy digital devices
is critical to ensuring the continuous
delivery of power to consumers.
Incorrect or inconsistent configuration of
these devices in the field could present
a potential attack vector. However,

this attack vector can be mitigated by

applying a uniform security policy across
devices, providing consistency and
visibility.
Both utilities and vendors have indicated
an increased need for configuration
through remote access methods. While
some vendors have standardized their
device configurations to address this
issue, those solutions are typically
only for that vendors devices. A
vendor-neutral framework for secure
configuration and remote access is
needed to solve these problems for the
energy industry.
The PBCONF project is developing an
extensible, open-source, policy-based
configuration framework to support the
secure configuration and remote access
of modern and legacy devices from a

variety of vendors. The open-source

framework will combine a policy engine
with a translation engine to address
the interoperability challenges of
various remote access control methods
and provide utilities with a single
organization-wide view of the security
configuration of their power delivery
devices.
By building this framework in a modular
way and starting from an ontology
that represents the concepts and
relationships of the configuration policy,
the framework will have the necessary
flexibility and adaptability for both
legacy and new devices. The system
will leverage distributed architecture
concepts to enable both centralized and
peer-based configuration of the devices
to support scalability and resiliency.

(E1) End
Device

Master
PBCONF
(1)

Control
Center

(E2) End
Device

Slave
PBCONF
(2)

Operations
Center

Substation

Slave
PBCONF
(3)

(E3a) End
Device

(E3b) End
Device

Slave
PBCONF
(4)

Substation

(E4) End
Device
17

Cyber Security and Privacy Team Members

Galen Rasche is a Senior

Program Manager in the Power
Delivery and Utilization (PDU)
Sector at EPRI and the program
manager for the PDU Cyber
Security and Privacy Program.
Additionally, he is responsible for
coordinating the cyber security
research across the PDU Sector,
Generation Sector, and Nuclear
Sector. He is experienced in the
areas of cyber security, smart
grid security and the penetration
testing of embedded systems. He
is also the CIGRE U.S. National
Committee Study Committee D2
representative.
grasche@epri.com

Annabelle Lee is a Senior

Ralph King is a Principal

Glen Chason is a Senior

Technical LeaderCyber Security
& Privacy in Power Delivery
and Utilization at EPRI. He is
providing technical leadership for
a number of projects including
Penetration Testing, the PolicyBased Configuration Framework
(PBCONF), Incident Management,
and the FAN Demonstration.
Glens role at EPRI includes
managing the Cyber Security
lab located in Knoxville. He also
participates in working groups
and technical committees on cyber
security for the electric sector.
gchason@epri.com

Matt Wakefield is Director of

Information and Communication
Technologies (ICT) at the Electric
Power Research Institute (EPRI).
With over 25 years of energy
industry experience, his research
area responsibilities include
furthering the development of a
modernized grid with a strong
focus on leveraging emerging
information and communication
technologies that can be applied to
the electric grid infrastructure.
He received his Bachelor of
Science degree in Technology
Management from the University of
Maryland University College.
mwakefield@epri.com

Jeff Stevenson is a
Research Portfolio Manager for
Information and Communication
Technology (ICT). Jeff joined
EPRI in June of 2013. Prior to
joining EPRI, Jeff was the Research
and Development Officer for
a regional bank in Tennessee,
Marketing Specialist and Budget
Coordinator for Knoxville Utilities
Board, and Regional Director of
Marketing for Boeing Commercial
Airplane Group. Jeff holds a
B.S. in Civil Engineering from the
University of Arizona and an MBA
in Management/Marketing from
Seattle Pacific University.
jstevenson@epri.com

Ashley Eldredge is a

Scott Sternfeld serves as

an EPRI Technical Advisor. In this
role, he establishes and maintains
the interface with utilities for
research performed in EPRIs ICT
and Cyber Security programs.
Scott previously worked as a
Project Manager in both of
these program areas and was
previously responsible for the
Smart Grid Substation and Cyber
Security Research Labs. He has
a BSME from the University of
Illinois and is a member of IEEE
and CIGRE.
ssternfeld@epri.com

18

Technical Executive in the Power

Delivery and Utilization Sector at
EPRI. She provides cyber security
support to many of the projects
within EPRI, leads the information
assurance project set, and is
the program manager for two
Department of Energy projects on
cyber security. She is experienced
in cyber security design, applied
cryptography, and cyber security
risk management. Lees
experience comprises over
20 years of cyber security
specification development and
testing.
alee@epri.com

Technical Leader for Cyber

Security in the Power Delivery and
Utilization Sector (PDU) at the
Electric Power Research Institute
(EPRI) where he is responsible for
technical security projects with a
focus on cyber security incident
management. Prior to joining EPRI,
he spent over thirty-years in the
electric power industry where he
served in various technical and
leadership roles. His academic
background is in Computer
Science, Mathematics, and
Business.
reking@epri.com

Technical Assistant with EPRI.

She has supported ICT and
Cyber Security Programs within
EPRIs Power Delivery and
Utilization group for 6 years.
Ashley is responsible for member
communications, tracking
deliverables, contracts, event
coordination, government projects
and providing administrative
support.
aeldredge@epri.com

John Stewart is a Senior

Technical Leader. Prior to joining
EPRI, John was the Senior Program
Manager for Grid Information and
Communications Technologies at
the Tennessee Valley Authority
(TVA). Prior work involved leading
several network and control
systems infrastructure projects,
and serving as the subject matter
expert for substations in a NERC
CIP audit. He holds a Bachelor
of Science degree in Electrical
Engineering with an emphasis
on Communications Networks
from Tennessee Technological
University.
jstewart@epri.com

Summary of Deliverables
Cyber Landscape, Collaboration,
and Technology Transfer (183A)
For more information: grasche@epri.com

2014
The Cyber Security and Privacy Industry Tracking Newsletter
October 2014, Product ID 3002003327
July 2014, Product ID 3002003325
April 2014, Product ID 3002003319
December 2014, Product ID 3002003328

Cyber Security Technologies (183B)

Information Assurance (183D)

For more information: reking@epri.com

For more information: alee@epri.com

2014

2014

A DNP3 Secure Authentication Version 5 Implementation and

Migration Guide
Product ID 3002003736

Cyber Security Requirements Mapping for Power Delivery Systems

Product ID 3002003331

Network System Management: Analysis of IEC 62351-7

Implementations and Applications
Product ID 3002003738

Electric Sector Security Posture based on Electricity Subsector

Cybersecurity Capability Maturity Model (ES-C2M2)
Product ID 3002003332
Risk Management in Practice A Guide for the Electric Sector
Product ID 3002003333

Guidelines for Justifying Risk-Based Cyber-Security Controls for

Utility Business Units, Product ID 3002000391

Guidelines for Integrating Control Center Systems into an

Integrated Security Operations Center, Product ID 3002003739

2013

2013

AMI Cyber Security Risks

Product ID 3002000389

Intelligent Electronic Devices Password Management Strategies

Product ID 3002000372

Securing Smart Grid Cell Relay Networks

Product ID 3002000390

Lemnos Implementation Guide for IPSEC

Product ID 3002000375

Cyber Security and Privacy Industry Tracking Newsletter,

April 2013, Product ID 3002000346

Network System Management: End System related IEC 62351-7

object definitions, Product ID 3002000373

Integrating Electricity Subsector Failure Scenarios into a Risk

Assessment Methodology
Product ID 3002001181

Cyber Security and Privacy Industry Tracking Newsletter,

July 2013, Product ID 3002000377

Guidelines for Planning an Integrated Security Operations Center

Product ID 3002000374

Security Resiliency Testing Report

Product ID 3002001187

Cyber Security and Privacy Industry Tracking Newsletter,

October 2013, Product ID 3002000378

2012

Framework for Evaluating Cyber Security Posture

Product ID 3002001205

Cyber Security and Privacy Industry Tracking Newsletter,

December 2013, Product ID 3002000379

2012
Cyber Security and Privacy Landscape of the Electric Sector
April 2012, Product ID 1024410
July 2012, Product ID 1024411
October 2012, Product ID 1024412
December 2012, Product ID 1024413
The Cyber Security and Privacy Industry Tracking Newsletter
April 2012, Product ID 1024414
July 2012, Product ID 1024415
October 2012, Product ID 1024416
December 2012, Product ID 1024417

Network and System Management for Reliability and Cyber

Security, Product ID 1024418
Secure ICCP Implementation Guide
Product ID 1024420
Standardizing Lemnos Interoperability Configuration Profiles
(ICPs), Product ID 1025449
Substation Security and Remote Access Implementation Strategies
Product ID 1024424
Draft Risk Assessment Processes, Product ID 1024422
Risk Mitigation Strategies, Product ID 1024423
Guidelines for Security Architectures for DER integration into
the Grid
Product ID 1024425
Network Security Management for Transmission Systems
Product ID 1024421

Risk Management in Practice - Comparative Analyses Tables

Product ID 3002004712

2013
Framework for Grading Procurement Requirements
Product ID 3002001041

Security and Privacy for End-Use

Technology (183C)
2012
Assessment of Technology Used to Protect the Privacy of Energy
Usage Data, Product ID 1024426
Cryptographic Key Management (CKM) Design Principles for the
Advanced Metering Infrastructure (AMI), Product ID 1024431
Advanced Metering Infrastructure Security Objects
Product ID 1024427
Security Testing Techniques for End-User Devices
Product ID 1024428
Security Testing Tool for End-User Devices (PT2) Version 1.0
Product ID 1024429
19

Glossary of Abbreviations
APPA
BES
CCS
CEDS
CIGRE
DER
DNP3 SAv5
DOE
DR
EEI
EMS
ENISA
EPRI
ES-C2M2
ESP
FERC
IED
IEC
IEEE
ISOC
NERC CIP

American Public Power Association

Bulk electric system
Critical cyber asset
Cybersecurity for Energy Delivery Systems
International Council on Large Electric Systems
Distributed energy resources
Distributed Network Protocol 3 Secure Authentication Version 5
United States Department of Energy
Demand response
Edison Electric Institute
Energy management system
European Network and Information Security Agency
Electric Power Research Institute
Electricity Subsector Cybersecurity Capability Maturity Model
Electronic security perimeter
Federal Energy Regulatory Commission (United States)
Intelligent electronic device
International Electrotechnical Commission
Institute of Electrical and Electronics Engineers (IEEE)
Integrated security operations center
North American Electric Reliability Corporation Critical Infrastructure
Protection
NESCOR
National Electric Sector Cybersecurity Organization Resource
NISTIR
National Institute of Standards and Technology Interagency Report
NOC
Network operations centers
NRECA
National Rural Electric Cooperative Association (United States)
NSM
Network and system management
OT
Operations technology
PBCONF
Secure Policy-Based Configuration Framework
PUC
Public Utility Commission
SCADA
Supervisory control and data acquisition
T&D
Transmission and distribution
WAMPAC Wide area monitoring, protection, and control

The Electric Power Research Institute, Inc.

(EPRI, www.epri.com) conducts research and development
relating to the generation, delivery and use of electricity
for the benefit of the public. An independent, nonprofit
organization, EPRI brings together its scientists and
engineers as well as experts from academia and industry
to help address challenges in electricity, including reliability,
efficiency, affordability, health, safety and the environment.
EPRI also provides technology, policy and economic
analyses to drive long-range research and development
planning, and supports research in emerging technologies.
EPRIs members represent approximately 90 percent of the
electricity generated and delivered in the United States,
and international participation extends to more than
30 countries. EPRIs principal offices and laboratories are
located in Palo Alto, CA; Charlotte, NC; Knoxville, TN; and
Lenox, MA.

2014 Electric Power Research Institute (EPRI), Inc. All rights reserved. Electric
Power Research Institute, EPRI, and Together...Shaping the future of
electricity are registered service marks of the Electric Power Research Institute.
3002004939

3420 Hillview Avenue, Palo Alto, California 94304-1338

PO Box 10412, Palo Alto, California 94303-0813, USA
800.313.3774 650.855.2121
askepri@epri.com www.epri.com

For more information/How to join: TechnicalAdvisor-ICCS@epri.com