
AMI System Security Requirements - v1_01


DOCUMENT INFORMATION

Basic information

Title: AMI System Security Requirements
Authors: Bobby Brown, Brad Singletary, Bradford Willke, Coalton Bennett, Darren Highfill, Doug Houseman, Frances Cleveland, Howard Lipson, James Ivers, Jeff Gooding, Jeremy McDonald, Neil Greenfield, Sharon Li
Institution: Carnegie Mellon University
Subject: Advanced Metering Infrastructure
Category: document
Year published: 2008
City: Pittsburgh
Pages: 112
Size: 1.11 MB

Structure

  • 1. Introduction (8)
    • 1.1 Purpose (8)
      • 1.1.1 Strategic Importance (8)
      • 1.1.2 Problem Domain (8)
      • 1.1.3 Intended Audience (10)
    • 1.1. Scope (10)
    • 1.2. Document Overview (11)
    • 1.3. Definitions, acronyms, and abbreviations (13)
    • 1.4. References (13)
  • 2. General system description (14)
    • 2.1. Use Cases (14)
      • 2.1.1. Billing (15)
      • 2.1.2. Customer (17)
      • 2.1.3. Distribution System (18)
      • 2.1.4. Installation (19)
      • 2.1.5. System (20)
    • 2.2. System Context (21)
    • 2.3. System Constraints (24)
    • 2.4. Security States and Modes (25)
      • 2.4.1. System States (26)
      • 2.4.2. System Modes (27)
    • 2.5. Security Objectives (28)
      • 2.5.1. Holistic Security (30)
    • 2.6. User Characteristics (30)
    • 2.7. Assumptions and Dependencies (31)
  • 3. System Security Requirements (31)
    • 3.1. Primary Security Services (31)
      • 3.1.1. Confidentiality and Privacy (FCP) (32)
      • 3.1.2. Integrity (FIN) (33)
      • 3.1.3. Availability (FAV) (35)
      • 3.1.4. Identification (FID) (36)
      • 3.1.5. Authentication (FAT) (36)
      • 3.1.6. Authorization (FAZ) (40)
      • 3.1.7. Non-Repudiation (FNR) (41)
      • 3.1.8. Accounting (FAC) (41)
    • 3.2. Supporting Security Services (44)
      • 3.2.1. Anomaly Detection Services (FAS) (44)
      • 3.2.2. Boundary Services (FBS) (44)
      • 3.2.3. Cryptographic Services (FCS) (46)
      • 3.2.4. Notification and Signaling Services (FNS) (47)
      • 3.2.5. Resource Management Services (FRS) (48)
      • 3.2.6. Trust and Certificate Services (FTS) (50)
    • 3.3. Assurance (50)
      • 3.3.1. Development Rigor (ADR) (50)
      • 3.3.2. Organizational Rigor (AOR) (54)
      • 3.3.3. Handling/Operating Rigor (AHR) (64)
      • 3.3.4. Accountability (AAY) (67)
      • 3.3.5. Access Control (AAC) (70)
  • A.1. Scope (72)
  • A.2. Mission (73)
  • A.3. Stakeholders & Concerns (73)
  • A.4. Security Analysis Approach (74)
  • A.5. Architecture Description Approach (75)
    • A.5.1. Viewpoints (75)
    • A.5.2. Views (76)
  • A.6 Contextual View (76)
  • A.7 Top Level Model (77)
    • A.7.1. Customer Model (78)
    • A.7.2. Third Party Model (80)
    • A.7.3. Utility Model (81)
  • A.8 Security Domains View (85)
    • A.8.1. Utility Edge Services Domain (86)
    • A.8.2 Premise Edge Services Domain (86)
    • A.8.3. Communication Services Domain (87)
    • A.8.4. Managed Network Services Domain (87)
    • A.8.5. Automated Network Services Domain (87)
    • A.8.6. Utility Enterprise Services Domain (88)
  • B.1 Introduction (89)
    • B.1.2 Scope of AMI Systems (89)
  • B.2 Overview of Business Functions Utilizing AMI Systems (90)
  • B.3 AMI Metering Business Functions (91)
    • B.3.1 Metering Services (91)
    • B.3.2 Pre-Paid Metering (93)
    • B.3.3 Revenue Protection (93)
    • B.3.4 Remote Connect / Disconnect (94)
    • B.3.5 Meter Maintenance (95)
  • B.4 Distribution Operations Business Functions (96)
    • B.4.1 Distribution Automation (DA) (96)
    • B.4.2 Outage Detection and Restoration (97)
    • B.4.3 Load Management (99)
    • B.4.4 Power Quality Management (100)
    • B.4.5 Distributed Energy Resource (DER) Management (100)
    • B.4.6 Distribution Planning (103)
    • B.4.7 Work Management (104)
  • B.5 Customer Interactions Business Functions (105)
    • B.5.1 Customer Services (105)
    • B.5.2 Tariffs and Pricing Schemes (106)
    • B.5.3 Demand Response (107)
  • B.6 External Parties Business Functions (109)
    • B.6.1 Gas and Water Metering (109)
    • B.6.2 Third Party Access (109)
    • B.6.3 External Party Information (110)
    • B.6.4 Education (111)
    • B.6.5 Third Party Access for Certain Utility Functions (111)

Content

Introduction

Purpose

The AMI Security Specification aims to establish essential security requirements for the utility industry and its supporting vendors, ensuring high levels of information assurance, availability, and security for reliable AMI implementations. While primarily focused on Advanced Metering Infrastructure (AMI), the security guidelines outlined in this document can also be applied to other network-centric Smart Grid solutions, fostering consumer confidence and system reliability.

Utility companies of the future will deliver energy and information to customers through a

The Smart Grid represents a modern energy supply chain that integrates electric, communication, and information technologies, allowing for high levels of automation to adapt to evolving environmental conditions, electricity demands, and customer preferences. Key components of this Smart Grid include Advanced Metering Infrastructure (AMI), advanced automation in transmission and distribution, distributed generation, electric vehicle refueling infrastructure, and contemporary renewable energy generation projects.

The new class of Smart Grid systems presents significant opportunities for innovation and the implementation of advanced technologies, processes, and policies. By integrating various independent systems, the Smart Grid aims to enhance value through effective information delivery to customers, grid operators, utility companies, and other stakeholders. A dependable and secure Smart Grid can facilitate automated demand response, offering customers diverse options to manage energy costs through technology-driven programs, while also minimizing outages with a self-healing, resilient transmission and distribution network.

Providing a reliable and secure Advanced Metering Infrastructure (AMI) solution is challenging due to the variety of technologies and processes involved. To effectively manage the complexities of these diverse solutions, a robust systems integration process is essential. This necessitates adherence to established standards, best practices, and a strong architectural discipline. This document outlines the platform-independent security requirements, services, and guidance needed to implement secure and resilient AMI solutions.

As the utility industry enhances its ability to meet the demands of an expanding information society, the complexity and scope of threats faced by Smart Grid solutions also escalate. These systems connect diverse networks that facilitate data exchange, highlighting the need for robust security measures to protect against evolving risks.

The transition from outdated proprietary and manual methods of securing utility services to open, automated, and networked solutions will enhance the flow of information across the Advanced Metering Infrastructure (AMI). However, the advantages of this increased connectivity hinge on the implementation of strong security measures, which are essential to reduce disruptions in essential services and to bolster the reliability, manageability, and resilience of the electric grid.

Understanding the distinct challenges associated with Advanced Metering Infrastructure (AMI) in Smart Grid solutions is crucial for ensuring a secure and dependable implementation. AMI projects possess unique features that differentiate them from other utility initiatives, highlighting the need for tailored strategies in their deployment:

• AMI is a command and control system
• AMI has millions of nodes
• AMI touches almost every enterprise system
• Many current AMI solutions are narrowband solutions

The development of this document is primarily driven by the network-centric characteristics of Advanced Metering Infrastructure (AMI) and the absence of a comprehensive set of cross-industry security requirements and implementation guidance. Although the challenges associated with AMI implementations are relatively new to the utility sector, there are established precedents in industries such as defense, cable, and telecommunications that provide valuable examples of requirements, standards, and best practices that can be effectively applied to AMI systems.

The challenge is to secure AMI in a holistic manner, noting that such an approach requires the buy-in of many stakeholders. Stakeholders can be viewed in three groups:

• Stakeholders within the enterprise who have an interest in generating value from technology investments:
  – Those who make investment decisions
  – Those who decide about requirements
  – Those who use technology services
• Internal and external stakeholders who provide technology services:
  – Those who manage the technology organization and processes
  – Those who operate the services
• Internal and external stakeholders who have a control/risk responsibility:
  – Those with security, privacy and/or risk responsibilities
  – Those requiring or providing assurance services

To meet the requirements of the stakeholder community, a security framework for AMI technology governance and control should:

• Provide a business focus to enable alignment between business and technology objectives
• Establish a process orientation to define the scope and extent of coverage, with a defined structure enabling easy navigation of content
• Be generally acceptable by being consistent with accepted technology good practices and standards and independent of specific technologies
• Supply a common language with a set of terms and definitions that are generally understandable by all stakeholders
• Help meet regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., Committee of Sponsoring Organizations of the Treadway Commission) and technology controls expected by regulators and external auditors.

This document outlines security requirements essential for procurement, design input, validation, and certification. It does not aim to define AMI architecture. Meeting the specified requirements necessitates a coherent architecture, along with relevant policies and procedures, though these elements are not detailed within the document.

AMI security necessitates a comprehensive approach that includes collaboration among various stakeholders beyond the electric utility. While individual utilities may not bear full responsibility for all security requirements, ensuring that interconnected systems adhere to these requirements is crucial for achieving AMI security objectives. Additionally, the interdependencies between the power grid, communication networks, and information systems present significant challenges in designing a secure and resilient AMI framework.

This document targets utility companies looking for guidance on Advanced Metering Infrastructure (AMI) implementation and policies, as well as vendors in need of product design insights. It also serves policymakers aiming to grasp the essentials of reliable and secure AMI solutions and anyone interested in AMI security requirements. Although primarily designed for security professionals, solution architects, and product designers, the content is accessible to a wider audience interested in understanding AMI security challenges and solutions. Ultimately, this specification lays the groundwork for establishing security requirements in the procurement and implementation of AMI solutions.

This document serves as a dynamic specification aimed at evolving with industry advancements, specifically targeting AMI security functionality. It establishes a baseline for the utility sector by outlining essential AMI security requirements and highlighting discrepancies between existing standards and available market capabilities. The goal is for the AMI security specification to be widely referenced and utilized across the utility industry, fostering a common understanding that supports the development and implementation of effective and dependable AMI solutions.

Scope

AMI Security is simply defined as those means and measures concerned with securing an AMI system. For the purpose of this document, the definition of AMI is:

Advanced Metering Infrastructure (AMI) comprises the communication hardware, software, and data management systems that establish a network connecting advanced meters with utility business systems. This infrastructure facilitates the collection and distribution of information to customers and competitive retail providers, as well as providing essential data to the utility itself. AMI encompasses both the necessary hardware and software components for efficient utility operations.

The utility or its legal proxies are primarily responsible for the proper operation of software located at or near the customer premises. Additionally, the utility or its legal proxies own and operate hardware and software specifically designed to facilitate Advanced Metering.

This document presents security requirements for AMI systems. This document does not address business functional or other non-security related requirements.

To fully grasp the scope of utility business systems, one must understand their functionalities and services, as outlined in Section 2.1 of this document. This specification serves as a versatile tool applicable not only to utility systems but also to peripheral systems utilizing AMI communication services. Each utility is responsible for determining its own boundaries, which include considerations of system security maturity, organizational responsibilities, and procurement scope.

The AMI-SEC Task Force evaluated Home Area Network (HAN) use cases while developing this document, suggesting that utility edge application requirements may also be relevant to consumer applications. However, implementing these requirements for HAN necessitates further considerations regarding control and ownership, which are not addressed in this document.

Document Overview

This section describes how this document relates to the Architectural Description, Risk Assessment, Component Catalog and Implementation Guide.

The process a utility undertakes through essential documents such as Risk Assessment, System Security Requirements, Architectural Description, Component Catalog, and Implementation Guide is influenced by the resources allocated to the effort. This allocation is reflected in the "Entry Points" illustrated on the right side of the accompanying figure. In this context, the utility will specify its Architectural Elements, which include both hardware and software components.

Maximum Level of Resources

For a utility with the ability to apply the maximum level of resources, the process to take is the following:

Step 1. The utility will tailor the AMI-SEC Risk Assessment to their particular environment, constraints, and risk acceptance limits.

Step 2. The utility selects which requirements apply to their potential solution architecture by combing through the AMI-SEC System Security Requirements document and assigning priority to the requirements they need in order to adequately mitigate risks.

Step 3. The utility maps the significant Architectural Elements of potential solutions against the defined Security Domains and places selected and prioritized requirements on Architectural Elements according to the elements’ placement within the Security Domains.

Medium Level of Resources

For a utility with a moderate (“medium”) level of resources, the process to undertake is the following:

Step 1. The utility will review the System Security Requirements document and select which requirements apply to their potential solution architecture.

Step 2. The utility maps the significant Architectural Elements of potential solutions against the defined Security Domains.

Step 3. The utility accepts the AMI-SEC Risk Assessment without any modification or customization, but bears the responsibility for combing through the AMI-SEC System Security Requirements document.

Step 4. The utility assigns priority to the requirements they need to adequately mitigate risks.

Step 5. Once the utility has selected and prioritized requirements, the requirements are placed on Architectural Elements according to the elements’ placement within the Security Domains.

Minimum Level of Resources

For a utility looking to utilize the minimal level of resources, the process to undertake is the following:

Step 1. The utility will review the Architectural Description document and map the significant Architectural Elements of potential solutions against the defined Security Domains.

Step 2. The utility accepts the AMI-SEC Risk Assessment without any modification or customization.

Step 3. The utility accepts the AMI-SEC System Security Requirements as a whole without selecting any particular subset as applicable to their environment.

Step 4. Requirements are placed on Architectural Elements according to the elements’ placement within the Security Domains. In this scenario, the utility pushes the entire set of requirements on to the vendor. The onus lies with the vendor to push back and indicate where requirements are applicable and where they are not.

Definitions, acronyms, and abbreviations

Instead of providing a comprehensive list of AMI and security terminology, this document offers links to widely recognized and frequently used definitions, acronyms, and abbreviations. Additional terms will be discussed as they arise within the text.

SmartGridipedia: http://www.smartgridipedia.org

NIST IR 7298 - Glossary of Key Information Security Terms: http://csrc.nist.gov/publications/nistir/NISTIR-7298_Glossary_Key_Infor_Security_Terms.pdf

Terms: http://std.iec.ch/terms/terms.nsf/ByPub?OpenView&Count=-1&RestrictToCategory=IEC%2062351-2

Electropedia: http://www.electropedia.org/

References

Advanced Metering Infrastructure (AMI) Program – AMI Use Case (Draft). 2006. Southern California Edison. Retrieved from http://www.sce.com/PowerandEnvironment/smartconnect/open-innovation/usecasechart.htm

Clements, P.; Bachmann, F.; Bass, L.; Garlan, D.; Ivers, J.; Little, R.; Nord, R.; & Stafford, J. Documenting Software Architectures: Views and Beyond. 2002. Boston, MA: Addison-

Department of Homeland Security, National Cyber Security Division. 2008, January. Catalog of Control Systems Security: Recommendations for Standards Developers. Retrieved from http://www.us-cert.gov/control_systems/

Federal Information Processing Standard (FIPS) 140-2. 2004, March 24. National Institute of Standards and Technology Information Technology Library – Computer Security Division – Computer Security Resource Center. Cryptographic Module Validation Program (CMVP). Retrieved from http://csrc.nist.gov/groups/STM/cmvp/

Houseman, Doug and Frances Cleveland. 2008. Scope of Security Requirements for Business Processes. Retrieved from http://osgug.ucaiug.org/utilisec/amisec/Reference

IEEE Standard 1471-2000. 2000. IEEE Recommended Practice for Architectural Description of Software-Intensive Systems, by IEEE Computer Society.

National Institute of Standards and Technology. 2007, December. NIST SP 800-53 Rev 2 - Recommended Security Controls for Federal Information Systems. NIST Information Technology Library – Computer Security Division – Computer Security Resource Center. Special Publications. Retrieved from http://csrc.nist.gov/publications/PubsSPs.html

National Institute of Standards and Technology. 2007, September 28. NIST SP 800-82 - Guide to Industrial Control Systems (ICS) Security. NIST Information Technology Library – Computer Security Division – Computer Security Resource Center. Special Publications. Retrieved from http://csrc.nist.gov/publications/PubsSPs.html

North American Electric Reliability Corporation. 2006, June 1. NERC Critical Infrastructure Protection (CIP). Retrieved from http://www.nerc.com/page.php?cid=2|20

The Common Criteria. 2007, September. Common Criteria v3.1 – Part 2: Security Functional Requirements, Release 2. The Common Criteria. Retrieved from http://www.commoncriteriaportal.org/thecc.html

The Common Criteria. 2007, September. Common Criteria v3.1 – Part 3: Security Assurance Requirements, Release 2. The Common Criteria. Retrieved from http://www.commoncriteriaportal.org/thecc.html

General system description

Use Cases

AMI Use Cases have been organized into five different categories consistent with the primary value streams they support. These five categories/value streams are:

• Billing
• Customer
• Distribution System
• Installation
• System

Reference 2.A - Business Functions as Stakeholders in AMI Systems provides additional extensions to the use cases presented here, as well as describing business functions and scenarios.

There are four primary use cases in the Billing category:

1. Multiple Clients Read Demand and Energy Data Automatically from Customer Premises
2. Utility remotely limits usage and/or connects and disconnects customer
3. Utility detects tampering or theft at customer site
4. Contract Meter Reading (or Meter Reading for other Utilities)

The electronic capture and processing of time-based energy and demand data from customer meters is essential for the core billing processes of electric utilities, as well as gas and water utilities on a contractual basis. Additionally, the implementation of Advanced Metering Infrastructure (AMI) meters enables various functionalities, such as remote connect/disconnect capabilities and the detection of energy theft, enhancing the overall efficiency and effectiveness of utility operations.

The billing process in utilities is significantly enhanced through the automation of time-based energy usage and demand collection. By replacing traditional manual meter reading methods with fully automated electronic capture, utilities can efficiently gather energy data at regular intervals, typically every 15 minutes. This advancement allows for the implementation of time-based billing rates that fluctuate throughout the day, reflecting the dynamic balance between energy supply and demand. While electric utilities have primarily adopted Advanced Metering Infrastructure (AMI), there is considerable potential to extend this infrastructure to capture gas and water meter data, either for the utility providing these services or through contractual agreements with other utilities.

AMI meters offer significant business value through their remote connect and disconnect capabilities, enabling utilities to manage service initiation and termination without sending field technicians. This functionality streamlines Move-In/Move-Out processes and enhances credit and collections operations by allowing remote disconnections for non-payment and subsequent reconnections. Additionally, AMI meters are equipped to help utilities detect potential meter tampering and energy theft, further improving operational efficiency and security.

Finally, AMI provides a wealth of data that various entities within the utility can use to create additional business value. These areas include the following:

• Distribution system design – granular data on actual customer energy usage can be utilized for more optimal design of distribution system components
• Distribution planning – utilities possess extensive usage and demand data by circuit; analyzing this data allows for strategic investments in new distribution facilities, ensuring that growth in demand is met efficiently
• Distribution operations and maintenance – the Distribution organization has a wealth of data for improved state estimation, contingency planning, and asset management
• Marketing – AMI data can be analyzed to develop energy services/products to meet customer needs

The following table summarizes the major business processes supported by the Billing Use Cases and the key areas of business value that they enable.

Use Case 1: Auto-Capture Customer Energy and Demand Data
Business Value:
• Eliminate meter reader labor cost and meter reading infrastructure cost
• Enable improved:
  – Distribution system design
  – Distribution planning
  – Distribution operations and maintenance
  – Marketing
Security Concerns:
• Confidentiality (privacy) of customer data
• Integrity of meter data
• Availability of meter data (for remote read)

Use Case 2: Remote Connect/Disconnect
Business Value:
• Reduce field service truck rolls
  – Labor
  – Transportation
Security Concerns:
• Integrity of signal (correct message and location)
• Confidentiality (privacy) of signal
• Availability of connect/disconnect service

Use Case 3: Utility Detects Tampering or Theft at Customer Site
Major Processes Supported:
• Protect revenue; reduce energy theft
Business Value:
• Reduce lost revenue
Security Concerns:
• Confidentiality (privacy) of location data

Use Case 4: Meter Reading for Other Utilities
Major Processes Supported:
• Transfer meter reading data to other utility
Business Value:
• Eliminate meter reader labor cost and meter reading infrastructure cost
• Create additional source of revenue
Security Concerns:
• Confidentiality (privacy) of customer data
• Integrity of meter data
• Availability of meter data (for remote read)
• Availability of meter data to contracting utility through B2B infrastructure

Four Use Cases have also been defined under the category of Customer:

1. Customer reduces their usage in response to pricing or voluntary load reduction events
2. Customer has access to recent energy usage and cost at their site
3. Customer prepays for electric services
4. External clients use the AMI to interact with devices at customer site

The AMI system fosters collaboration with customers to develop mutually beneficial programs for managing energy demand and consumption. It provides customers with access to their energy costs and usage information while notifying them of upcoming peak energy events that may require load reductions. Additionally, it facilitates the sharing of energy consumption data with third-party service providers, allowing customers to outsource their energy management. Furthermore, the AMI functionality supports pre-payment options for energy, enhancing customer control over their energy expenses.

The primary business value of Customer Use Cases lies in improved management of peak load on the distribution network. By providing customers with pricing signals and notifications of upcoming peak load events, they can adjust their energy consumption to lower costs. This not only helps utilities minimize the risk of outages caused by system overload but also allows them to defer costly capital investments for increased capacity. Additionally, Use Case 3 (Customer Prepayment) offers unique value by reducing bad debt and enhancing cash flow for the utility.

The following table summarizes the major business processes supported by the Customer Use Cases and the key areas of business value that they enable.

Use Case 1: Demand Response / Load Reduction
Business Value:
• Reduce peak load
  – Defer new construction
  – Green benefits
  – Reduce outages
Security Concerns:
• Confidentiality (access control) of customer equipment
• Integrity of control messaging and message information
• Availability of customer devices

Use Case 2: Customer Access to Energy Data
Major Processes Supported:
• Provide Energy Information to Customers and Third Parties
Business Value:
• Customer energy awareness
• Reduce peak load via price signals and messages
Security Concerns:
• Confidentiality (access control) of customer equipment
• Integrity of control messaging and message information
• Availability of customer devices

Use Case 3: Customer Prepayment
Security Concerns:
• Confidentiality (privacy) of customer data and payments
• Integrity of control messaging and message information containing prepayment data
• Availability of customer payment data and usage balances

Use Case 4: Third Party Energy Management
Security Concerns:
• Confidentiality (privacy) of customer data
• Integrity of usage data, rate information
• Availability of usage data, rate information

Four Use Cases have been defined for the Distribution System category:

1. Distribution Operations curtails customer load for grid management
2. Distribution Engineering or Operations optimize network based on data collected by the AMI system
4. Distribution Operator locates Outage Using AMI Data and Restores Service

Distribution System Use Case 1 parallels Customer Use Case 1, focusing on the process of sending signals to customers to reduce system load during peak times. While Customer Use Case 1 involves voluntary participation through price or load control signals, Distribution System Use Case 1 entails non-voluntary demand response events using load control signals or meter disconnection commands. Distribution Use Case 2 examines the application of data from the AMI system to enhance power quality and distribution network performance, whether online or offline. Distribution Use Case 3 highlights the AMI system's ability to interface with distributed generation, aiding in network operations and minimizing off-system energy purchases. Finally, Use Case 4 explores how the AMI system can identify outages and streamline power restoration efforts.

The key business benefits of Distribution System Use Cases focus on enhancing network operations, which leads to decreased energy losses, fewer outages, and higher customer satisfaction through improved power quality.

In addition, Use Case 4 explicitly describes processes to reduce outage duration and, therefore, improve customer satisfaction.

The following table summarizes the major business processes supported by the Distribution System Use Cases and the key areas of business value that they enable.

Use Case 1: Emergency Demand Response
Business Value:
• Reduce peak load
  – Defer new construction
  – Reduce outages
Security Concerns:
• Confidentiality (access control) of customer equipment (including remote service switch and HAN devices)
• Integrity of control messaging and message information

Use Case 2: Distribution Network Optimization
Security Concerns:
• Integrity of system data
• Availability of system data
• Confidentiality of system data

Use Case 3
Business Value:
• Reduced Off-System Energy Purchases
Security Concerns:
• Integrity of system data
• Availability of system data
• Confidentiality of system data

Use Case 4: Outage Location and Restoration
Major Processes Supported:
• Manage outages
Business Value:
• Reduced outage duration
Security Concerns:
• Availability of system data
• Integrity of system data
• Confidentiality of system data

Three Use Cases have been defined for the Installation category:

1 Utility installs, provisions, and configures the AMI system

2 Utility Manages End-to-End Lifecycle of the Meter System

3 Utility upgrades AMI to address future requirements.

This article outlines three key use cases for an Advanced Metering Infrastructure (AMI) system Use Case 1 details the deployment process, covering the initial planning, forecasting, procurement, logistical support, and field installation/testing/configuration Use Case 2 emphasizes the management of AMI system components throughout their lifecycle, focusing on maintenance and asset retirement Lastly, Use Case 3 investigates potential upgrades to the AMI system's functionality and performance, with a specific focus on the future deployment and integration of customer Home Area Networks (HAN).

The primary business value in Installation Use Cases revolves around optimizing deployment costs and schedules for AMI system implementation, reducing operations and maintenance expenses, ensuring billing accuracy, mitigating risks, and facilitating future growth and development within the AMI infrastructure.

The following table summarizes the major business processes supported by the Installation Use Cases and the key areas of business value that they enable.

Use Case 1: AMI System Deployment

Major Processes Supported: Deploy AMI system
Business Value: Optimize deployment costs/schedule
Security Concerns:
- Integrity of system data for registration
- Availability of system data supporting deployment and registration

Use Case 2: AMI System Maintenance

Major Processes Supported: Maintain AMI system
Business Value: Minimize AMI O&M costs
Security Concerns:
- Integrity of system data for remote diagnostics
- Availability of system data supporting maintenance and work orders

Use Case 3: AMI System Upgrade

Major Processes Supported: Upgrade/enhance AMI system functionality/performance
Business Value: Accommodate growth and future functionality
Security Concerns:
- Integrity of system data for registration of new devices and remote firmware upgrades
- Availability of system data supporting deployment and remote upgrades
- Confidentiality of system data and customer data

The final Use Case category is System. Only one Use Case has been defined for this category:

1. AMI system recovers after outage, communications or equipment failure.

System Use Case 1 examines the AMI system's ability to respond to and recover from individual component failures, communication breakdowns, and larger outages or disasters. The key business advantage of this use case lies in preserving the integrity of the AMI system during unforeseen equipment failures or distribution system interruptions.

Use Case 1: AMI System Recovery

Major Processes Supported | Business Value | Security Concerns

- Recover from AMI component and telecommunications failures
- Recover from major area outages/disasters

- Integrity of system data
- Availability of system data
- Confidentiality of system data

Table 6 - AMI System Use Cases

System Context

AMI represents the integration of the power grid, communication networks, and supporting information systems. Ensuring AMI security is crucial in a complex environment involving multiple stakeholders, diverse interests, and overlapping responsibilities.

An Advanced Metering Infrastructure (AMI) solution consists of individual systems that integrate software, hardware, personnel, and information. Collectively, these systems form a comprehensive network, known as a system of systems, which can be decomposed hierarchically into its constituent parts.

Logical decomposition offers significant value by allowing the examination of complex systems across various abstraction levels while ensuring traceability in both directions. This method can be aligned with physical decomposition to link model components effectively. The security domain model illustrated in Figure 2 was created to simplify the complexities involved in defining the necessary security measures for a robust and secure AMI solution, and it serves as a guiding tool for utilities to apply the outlined security requirements in their AMI implementations.

Figure 2 – AMI Security Domain Model

The following “services” are a description of each of the six security domains shown in the model above.

Utility Edge Services – All field services applications, including monitoring, measurement and control, controlled by the Utility

Premise Edge Services – All field services applications, including monitoring, measurement and control, controlled by the Customer (the Customer has control and may delegate it to a third party)

Services – Applications that relay, route, and handle field aggregation, field communication aggregation, and field communication management information

Management Services – Attended support services for automated and communication services (includes device management)

Automated Services – Unattended collection and transmission of data, performing the necessary translation, transformation, response, and data staging

Business Services – Core business applications (includes asset management)

Table 7 - AMI Security Domain Descriptions

The implementation of Advanced Metering Infrastructure (AMI) by each utility company differs according to its chosen technologies, internal policies, and deployment conditions. It is essential that the security requirements inform the capabilities of the AMI system.

AMI implementations can be categorized according to the relevant security domains, which are determined by the capabilities that enable AMI usage. This document outlines security requirements that align with specific security domains, corresponding to the location of the enabling capabilities for the AMI system's various applications. For each AMI application, the appropriate security requirements are applied based on the associated enabling capability within that domain.

When the AMI system is used for "Remote Service Switch Operation" during customer "move-in" or "move-out" events, the relevant security requirements are identified by mapping the sequence of capabilities to specific domains, so that the proper security measures are in place at each step. The table below shows this mapping for a move-out.

(Note: there are a number of intermediate steps related to account updates, customer verification, policy enforcements and validations as well as error conditions not shown in this example.)

Step | System / Component | Security Domain

Triggering event – Move-out request received from customer for a particular time and date | Call center or web (IVR or Company Website) |

Switch operation scheduled and validated | Customer Information System (CIS) or Meter Data Management System (MDMS) |

Command messages generated at scheduled time | CIS or MDMS | Utility Enterprise Services

Command received by head-end system | Network Management System (aka DCA or head-end) |

Grid protection module validates command against rules (i.e., how many total service switch commands are pending in the next 10 min.) | Network Management System | Automated Network Services

| Network Management System | Automated Network Services

Command routed to the customer’s meter | Wide-Area Network, Neighborhood Area Network (aka LAN) |

Command received by meter | Meter | Utility Edge Services

Service Switch “opened” | Meter | Utility Edge Services

| Wide-Area Network, Neighborhood Area Network (aka LAN) |

Acknowledgement message | Network Management System | Automated Network Services

Account status updated | CIS and/or MDMS | Utility Enterprise Services

Table 8 - Mapping of AMI Security Domain Services to Utility Processes
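The grid protection step in Table 8 (validating a command against rules such as the number of service switch commands pending in the next 10 minutes) is the kind of check that keeps an error or a bad batch on the enterprise side from reaching many meters at once. The following Python is an added example, not code from the AMI-SEC document or from any vendor head-end: it models that check as a sliding-window limit on accepted commands, with a rejection log for the audit trail. The 10-minute window is taken from the table; the threshold, the command fields, the duplicate rule and the sample commands are assumptions made for this example.

```python
"""Grid-protection check for remote service switch commands.

Added example, not from the AMI-SEC document: it implements the kind of rule
named in Table 8 ("how many total service switch commands are pending in the
next 10 min."). The window comes from the table; the threshold, the command
fields, the duplicate rule and the sample commands are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # "next 10 min." from Table 8
DEFAULT_MAX_PENDING = 50         # assumed policy threshold, set per utility


@dataclass(frozen=True)
class SwitchCommand:
    meter_id: str
    action: str            # "open" (disconnect) or "close" (reconnect)
    scheduled_for: datetime
    source: str            # originating enterprise system, e.g. "CIS" or "MDMS"


@dataclass
class GridProtectionModule:
    """Sits in the head-end between the enterprise systems that generate
    commands and the network that carries them to meters."""
    max_pending: int = DEFAULT_MAX_PENDING
    window: timedelta = WINDOW
    pending: list = field(default_factory=list)    # accepted, not yet executed
    rejected: list = field(default_factory=list)   # (command, reason) for the audit trail

    def pending_in_window(self, now: datetime) -> int:
        """Count accepted commands scheduled between now and now + window."""
        end = now + self.window
        return sum(1 for c in self.pending if now <= c.scheduled_for <= end)

    def validate(self, cmd: SwitchCommand, now: datetime) -> bool:
        """Queue the command and return True if every rule passes; else record why not."""
        if cmd.action not in ("open", "close"):
            self.rejected.append((cmd, "unknown action"))
            return False
        if cmd.scheduled_for < now:
            self.rejected.append((cmd, "scheduled in the past"))
            return False
        if any(c.meter_id == cmd.meter_id and c.scheduled_for == cmd.scheduled_for
               for c in self.pending):
            self.rejected.append((cmd, "duplicate command"))
            return False
        in_window = now <= cmd.scheduled_for <= now + self.window
        if in_window and self.pending_in_window(now) >= self.max_pending:
            self.rejected.append((cmd, "too many service switch commands pending in window"))
            return False
        self.pending.append(cmd)
        return True


def demo() -> dict:
    """Constructed scenario with a small threshold so the rule can be seen firing."""
    now = datetime(2008, 6, 1, 12, 0, 0)   # constructed clock value
    gpm = GridProtectionModule(max_pending=3)
    accepted = 0
    for i in range(5):                     # five meters, all scheduled inside the window
        cmd = SwitchCommand(f"MTR-{i:04d}", "open", now + timedelta(minutes=1 + i), "CIS")
        accepted += gpm.validate(cmd, now)
    later_ok = gpm.validate(
        SwitchCommand("MTR-9999", "close", now + timedelta(minutes=30), "MDMS"), now)
    dup_ok = gpm.validate(
        SwitchCommand("MTR-0000", "open", now + timedelta(minutes=1), "CIS"), now)
    return {"accepted_in_window": accepted, "later_accepted": later_ok,
            "duplicate_accepted": dup_ok, "rejections": len(gpm.rejected)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The threshold is deliberately a policy parameter rather than a constant in the code, since the right value depends on feeder capacity and on how many simultaneous reconnects the distribution system can absorb; what the example fixes is that the check happens in the head-end, after the enterprise systems and before the network, exactly where Table 8 places it.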

This specification outlines a method for mapping security requirements to specific domains based on usage, which is applicable throughout the entire lifecycle of the system. It is important to recognize that certain activities, such as key placement in devices, may occur before the system officially begins operations.

System Constraints

When addressing the security requirements outlined in this document, it is essential to consider various system constraints. The specified requirements do not dictate the best solution, whether narrow- or wide-band communication technologies, for any particular situation. Instead, decisions should be made through careful trade-offs among competing factors, ensuring a balanced approach to meeting security needs.

Business and non-functional requirements bring several competing factors that must be addressed:

- Performance, such as response time
- Usability, such as the complexity of user interactions
- Upgradability and adaptability, for ease of component replacement and reconfiguration for different applications
- Effectiveness, measured by the relevance and timely delivery of information pertinent to business processes
- Efficiency, using resources productively and economically
- Confidentiality, protecting sensitive information from unauthorized access
- Integrity, the accuracy and completeness of data in line with business values
- Availability, ensuring that information is accessible when needed
- Compliance, adherence to laws and regulations
- Reliability, providing management with the information needed to fulfil fiduciary and governance responsibilities

When developing security requirements, it is crucial to consider system constraints, as these requirements do not address the trade-offs inherent in the design phase of Advanced Metering Infrastructure (AMI). Meeting these security requirements should therefore be integrated with the overall design process rather than treated as a separate task.

- Constraints
  - Computational (e.g., available computing power in remote devices)
  - Networking (e.g., bandwidth, throughput, or latency)
  - Storage (e.g., required capacity for firmware or audit logs)
  - Power (e.g., available power in remote devices)
  - Personnel (e.g., efficiency, which affects maintenance time)
  - Financial (e.g., the cost of devices in bulk)
  - Temporal limitations
  - Technological maturity
  - Integration of legacy systems
  - Infrastructure lifecycle and interconnectedness (hardware, operating systems, and database management systems that support applications and process information)
  - Personnel involved in planning, implementing, and evaluating the systems, whether internal, outsourced, or contracted
  - Operational, cultural, ethical, environmental, and legal factors
  - Overall ease of use of the systems

- Regulatory requirements
  - Scope / sphere of influence
  - Acceptance vs. transference

Security States and Modes

This section explores the various states and modes applicable to both the entire system and its individual components, which can include sub-systems or specific elements.

Security modes and states play a crucial role in assessing security requirements, as they introduce unique conditions that can alter these requirements. Understanding these specific circumstances is essential, because the risk associated with a system or its components can differ between states or modes, and the security requirements must be increased or decreased accordingly.

- State – a temporal condition of a system or component; implies a “snapshot”.
  - Typically within a time-based consideration
  - States sometimes overlap

- Mode – describes operational intent (implies action taken).

For the purposes of this document, the term state implies a snapshot of the system. The goal is to identify the states as they relate to security.

The System State Flow Diagram is essential for comprehending state transitions and the permissible directions of these changes within the AMI system. It plays a crucial role in defining system transitions, ensuring that state flow is controlled to avoid unintended system states. Additionally, the transitions of security components must be clearly defined and understood to establish precise requirements.

The Sanitization state is also shown as a path where high assurance is required.

Figure 3 - Example of a System State Flow Diagram

Operational – Includes all functionality supportive of on-going operations (set by policy)

Non-operational – Not performing functionality indicative of on-going operations

Initialization – Used to configure the system prior to operation

Sanitization – Removal and/or storing of information representative or residual of any running condition (e.g., sensitive data)

State.1 Activities allowed during non-operational state shall be limited to system activities needed to enter initialization (Excludes interactions w/stakeholders, execution of business functions, etc.)

State.2 Activities allowed during initialization state shall be limited to system activities needed to enter operations (Excludes interactions w/stakeholders, execution of business functions, etc.)

State.3 Activities allowed during initialization state shall include management functions necessary for element configuration.

State.4 Activities allowed during the initialization state shall include policy establishment.

State.5 Activities allowed during the initialization state shall include security domain establishment.

State.6 A system shall transition into the operational state only upon completion of the critical initialization activities.

State.7 An operational system shall perform only those activities conformant to policy.

A system shall be able to function in a degraded mode while still operational, meaning that it continues to operate even when certain components are non-operational or impaired. In this degraded state some services may be unavailable to certain elements, while the critical functions and security features remain active for the other components.

State.9 A system shall transition into the non-operational state upon detection of a critical failure.

Support activities essential for system health, such as diagnostics, maintenance, and training, are permitted exclusively during the operational state. While these activities can occur in other system states, they must then be conducted by external systems rather than the SUD itself.

When developing a Protection Profile, the operational modes must be established, categorizing a system or component into "normal" or "limited" modes. Clear criteria for transitioning between these modes must be defined, with careful consideration of the risks involved in mode changes. Before leaving the current mode, the target mode should be clearly specified to ensure a secure transition. For a deeper analysis, additional refinements may be explored:

- On-Line/Off-Line – system or element is accessible (or non-accessible) from a communication point of view

- Lock – certain functions are not accessible / intentionally disabled

- Diagnostics – monitoring for purposes of problem resolution (i.e., debugging)

- Commissioning/Decommissioning – initialization/establishment of functionality or service (decommissioning is the reverse)

- Learning – acquiring new parameters and/or functionality for purposes of optimization

- Training – utilizing system functions for purposes of familiarization and simulation (“Real” outputs are not engaged.)

- Sleep/Power saving – certain functions are temporarily disabled or degraded for decreased energy consumption.

- Special/Emergency – configurations based on criticality of function and preferential and/or prioritized treatment of certain operations (Example needed, i.e., impending natural disaster.)
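The state table and State.1 through State.10 above, together with the modes listed in this section, describe a gating policy that can be written down directly and then tested. The following Python is an added example, not code from the AMI-SEC document: it models the four states, the activities each permits, the critical-initialization precondition of State.6, degraded operation (State.8), the critical-failure transition (State.9), and a few modes whose availability depends on the state (training never engages real outputs, lock disables a function). Figure 3 is not reproduced on this page, so the transition graph, the activity and mode names, and the high-assurance flag on the sanitization path are assumptions made for this example.

```python
"""System states and modes for an AMI element: added example, not from the
AMI-SEC document. Figure 3 is not reproduced on this page, so the transition
graph, activity and mode names and the high-assurance flag are assumptions."""
from enum import Enum, auto


class State(Enum):
    NON_OPERATIONAL = auto()
    INITIALIZATION = auto()
    OPERATIONAL = auto()
    SANITIZATION = auto()


class Mode(Enum):
    ONLINE = auto()
    OFFLINE = auto()
    LOCK = auto()       # certain functions intentionally disabled
    TRAINING = auto()   # "real" outputs are not engaged


ALLOWED_TRANSITIONS = {   # assumed stand-in for the Figure 3 state flow
    State.NON_OPERATIONAL: {State.INITIALIZATION, State.SANITIZATION},
    State.INITIALIZATION: {State.OPERATIONAL, State.NON_OPERATIONAL},
    State.OPERATIONAL: {State.NON_OPERATIONAL},
    State.SANITIZATION: {State.NON_OPERATIONAL},
}
# Critical initialization activities (State.3 to State.5); State.6 requires all of them.
CRITICAL_INIT = {"configure_element", "establish_policy", "establish_security_domain"}
ALLOWED_ACTIVITIES = {    # State.1, State.2 and State.7; activity names are assumed
    State.NON_OPERATIONAL: {"enter_initialization"},
    State.INITIALIZATION: CRITICAL_INIT | {"enter_operation"},
    State.OPERATIONAL: {"read_interval_data", "operate_service_switch", "run_self_test"},
    State.SANITIZATION: {"zeroize_keys", "clear_residual_data"},
}
ALLOWED_MODES = {         # State.10: the element runs its own training only while operational
    State.NON_OPERATIONAL: {Mode.OFFLINE},
    State.INITIALIZATION: {Mode.OFFLINE, Mode.ONLINE},
    State.OPERATIONAL: {Mode.ONLINE, Mode.LOCK, Mode.TRAINING},
    State.SANITIZATION: {Mode.OFFLINE},
}


class TransitionError(Exception):
    pass


class AmiElement:
    def __init__(self) -> None:
        self.state = State.NON_OPERATIONAL
        self.mode = Mode.OFFLINE
        self.completed_init = set()
        self.degraded = False   # State.8: still operational with impaired components
        self.audit = []         # (event, detail) records

    def perform(self, activity: str) -> str:
        """Run an activity if the state and mode permit it; report what happened."""
        if activity not in ALLOWED_ACTIVITIES[self.state]:
            raise PermissionError(f"{activity} not allowed in {self.state.name}")
        if self.mode is Mode.LOCK and activity == "operate_service_switch":
            raise PermissionError("operate_service_switch is disabled in LOCK mode")
        if self.state is State.INITIALIZATION and activity in CRITICAL_INIT:
            self.completed_init.add(activity)
        outcome = "simulated" if self.mode is Mode.TRAINING else "performed"
        self.audit.append((outcome, activity))
        return outcome

    def transition(self, target: State, high_assurance: bool = False) -> None:
        """Change state only along a permitted edge and only when its preconditions hold."""
        if target not in ALLOWED_TRANSITIONS[self.state]:
            raise TransitionError(f"{self.state.name} -> {target.name} not permitted")
        if target is State.OPERATIONAL and self.completed_init != CRITICAL_INIT:  # State.6
            raise TransitionError("critical initialization activities incomplete")
        if target is State.SANITIZATION and not high_assurance:
            raise TransitionError("sanitization path requires a high-assurance request")
        self.audit.append(("state", f"{self.state.name} -> {target.name}"))
        self.state, self.degraded = target, False
        self.mode = Mode.ONLINE if target is State.OPERATIONAL else Mode.OFFLINE

    def set_mode(self, target: Mode) -> None:
        """A mode change names its target explicitly and is checked against the state."""
        if target not in ALLOWED_MODES[self.state]:
            raise TransitionError(f"mode {target.name} not allowed in {self.state.name}")
        self.mode = target

    def report_failure(self, critical: bool) -> None:
        """State.8: degrade on a non-critical failure; State.9: leave operation on a critical one."""
        if self.state is State.OPERATIONAL:
            if critical:
                self.transition(State.NON_OPERATIONAL)
            else:
                self.degraded = True


def attempt(fn, *args, **kwargs) -> str:
    """Run fn and report 'ok' or the name of the policy exception it raised."""
    try:
        fn(*args, **kwargs)
        return "ok"
    except (PermissionError, TransitionError) as exc:
        return type(exc).__name__
```

Keeping the transition graph and the per-state activity sets as data rather than scattered conditionals is what makes the Figure 3 review possible: a reviewer can check the tables against the diagram, and a test can walk every edge.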

Security Objectives

Smart Grid services are set to revolutionize the electric power system by offering advanced automation, enhanced situational awareness, and precise control over the generation, transmission, distribution, and consumption of electricity. By fully implementing these services, the effectiveness, efficiency, and reliability of power systems will improve, leading to lower operational costs and reducing the need for labor-intensive processes. Customers will have the ability to manage their energy usage through demand-response policies based on market pricing signals, or allow suppliers to directly control their energy consumption to alleviate peak demand or address emergencies. This collaborative approach will optimize the use of generating capacity while promoting conservation and supporting environmental initiatives.

Smart Grid services rely on complex distributed applications and advanced communication across extensive information networks that utilize various Internet technologies. To achieve the Smart Grid vision, it is crucial to maintain high levels of system security throughout the entire Systems Development Life Cycle (SDLC). This includes addressing security concerns during all phases of systems engineering: architecture, acquisition, implementation, integration, deployment, operations, maintenance, and decommissioning. Security solutions must be comprehensive and adaptable, evolving in response to emerging threats and technological advancements, as vulnerabilities can undermine the entire system.

The Smart Grid's primary (cyber) security objectives are as follows:

- Protect all Smart Grid services from malicious attack [1] and unintended adverse cyber and physical events that threaten the mission of the service (i.e., security events).

[1] Includes cyber and physical attacks, such as attempts to physically tamper with a meter, and disruption of the supporting communications infrastructure.

To effectively protect the mission of Smart Grid services, it is essential to ensure that comprehensive information about security events is readily available for decision-making. This involves the real-time collection and delivery of data for situational awareness, as well as safeguarding forensic data for post-event analysis, which enhances future security and system resilience. Additionally, maintaining the integrity, availability, and confidentiality of information related to security and survivability services is crucial. These mechanisms must be designed so that they do not become an attack vector, and must respond appropriately to both malicious and benign stimuli, thereby avoiding the escalation of security incidents.

To ensure the safety and security of personnel, stakeholders, and the electrical system, it is crucial to prevent security incidents related to Smart Grid services from exacerbating risks. Smart Grid technologies, including communication networks and gateways, must not be exploitable as pathways for attacks that could impact other Smart Grid services, end users, or external service providers. Additionally, these services should not worsen the consequences of accidents, natural disasters, or human errors.

To foster public trust in Smart Grid services, it is essential to present robust evidence that assures the integrity, confidentiality, and availability of these services. This includes demonstrating the accuracy of billing statements, ensuring the safety and reliability of electricity services, and promoting fairness in energy markets. By providing clear and verifiable information, stakeholders can enhance consumer confidence and support the overall effectiveness of Smart Grid implementations.

Smart Grid security necessitates a comprehensive approach in engineering design and operations, extending security responsibilities beyond individual utilities. While a single utility may not encompass all security requirements for the broader Smart Grid, enforcing these requirements through agreements and regulatory mandates on interconnected systems can effectively support Smart Grid security objectives. Additionally, the interdependencies between the power grid, communications infrastructure, and information systems present significant challenges in creating a secure and resilient Smart Grid.

AMI system security is crucial for safeguarding the operations of all AMI business functions, and the AMI system must not serve as a gateway for grid control attacks. Responsibility for this security does not rest solely with AMI architects; instead, it should be viewed from a system of systems (SoS) perspective. This approach ensures that the potential impacts of AMI on the broader grid are thoroughly analyzed, anticipated, and defended against within the overall SoS architecture and implementation.

Here are a few examples of what the Smart Grid security objectives are meant to prevent:

- Reputational Loss - Attacks or accidents that destroy trust in Smart Grid services, including their technical and economic integrity

- Business Attack - Theft of money or services or falsifying business records

- Gaming the system - Ability to collect, delay, modify, or delete information to gain an unfair competitive advantage (e.g., in energy markets)

- Safety - Attack on safety of the grid, its personnel or users

- Assets - Damaging physical assets of the grid or assets of its users

- Short-term Denial or Disruption of Service

- Long-term Denial or Disruption of Service (including significant physical damage to the grid)

- Hijacking control of a neighbor's equipment

- Subverting situational awareness so that operators take fatal actions that disrupt the system

- Causing an automated system to waste resources on false alarms

- Using Smart Grid services or the supported communication mechanisms to attack end users' residential or industrial networks (e.g., allowing end-users to compromise other end-users’ networked systems)

Integrating the intricate power grid with open, distributed, and highly networked technologies presents significant challenges, particularly when navigating various organizational boundaries and facing intelligent adversaries. As a result, conventional security methods are inadequate to address these complexities effectively.

The main focus is on safeguarding the business missions inherent in each Smart Grid service, emphasizing the importance of survivability over mere security enforcement. Survivability refers to a system's ability to achieve its mission promptly, even in the face of attacks, accidents, or subsystem failures. It combines security with business risk management, enhancing traditional security approaches through domain-specific strategies for a comprehensive view. Key features of a survivable system include its capacity to prevent or withstand various stresses, recognize survivability events, assess its state under duress, and recover swiftly from negative impacts. Ultimately, survivability ensures graceful degradation during stress, maintaining essential services.

User Characteristics

This document outlines security requirements that are generally applicable to various users rather than to specific roles like maintenance engineers or residential customers. When applying these requirements to architectural elements, it is essential to customize them based on the unique characteristics of each user type, ensuring that the requirements are relevant and effective.

Typical classes of users (at a high level) include (refer to the Contextual View for insight into these classes of users)

Some of the characteristics that distinguish these classes of users, and even different types of users within these classes, are:

When customizing requirements, it is common to create multiple variations that cater to different users, each necessitating unique responses, such as varying levels of access control for specific actions.

Assumptions and Dependencies

This document outlines an ad hoc security specification focused solely on security requirements, excluding business (functional) and quality of service (non-functional) requirements such as performance and usability. It assumes that business requirements for implementing an Advanced Metering Infrastructure (AMI) solution have already been defined. The security requirements presented here are derived from industry best practices and government guidelines, ensuring a robust approach to security.

This document aims to offer general guidance on security considerations for various AMI systems, rather than defining specific security requirements for any single implementation. It avoids making assumptions about context-specific characteristics, such as the availability of computing resources, software, or infrastructure, unless explicitly mentioned. Additionally, it does not presume the presence or absence of particular business requirements.

This document outlines high-level requirements for AMI systems, intentionally omitting detailed specifications such as specific interfaces, algorithms, and technology solutions. The requirements serve as a foundation for developing more detailed specifications tailored to the unique context of each AMI system, including its assets, information flows, business needs, and comprehensive risk assessments.

System Security Requirements

Primary Security Services

This area uses business/mission needs to define requirements. It answers the question, “What security is needed?”

This class contains confidentiality and privacy requirements. These requirements provide a user, service or object with protection against discovery and misuse of identity by other users/subjects.

The security function must prevent unauthorized users from identifying the actual usernames associated with specific subjects, operations, or objects.

The security function must enable authorized users, as specified in the list of trusted subjects, to identify user identities solely based on the provided alias, but only under certain designated conditions.

FCP.3 The security function shall be able to provide [assignment: number of aliases] aliases of the real identity (e.g., user name) to [assignment: list of subjects].

The security function must either determine an alias for a user or accept one provided by the user, ensuring that it meets the specified alias metric requirements.

The security function must assign an alias that matches a previously provided alias, adhering to specified conditions; if these conditions are not met, the new alias will be unrelated to any prior aliases.

The security function must guarantee that designated users or subjects cannot ascertain whether specific operations were executed by the same user or understand the relationships among those operations.

The security function must guarantee that designated users or subjects cannot monitor specific operations performed on particular objects by protected users or subjects.

The security function must distribute unobservability-related information across various components of the module, ensuring that specific conditions are maintained throughout the information's lifecycle.

FCP.9 The security function shall provide [assignment: list of services] to [assignment: list of subjects] without soliciting any reference to [assignment: privacy related information (e.g., real username)].

FCP.10 The security function shall provide [assignment: list of authorized users] with the capability to observe the usage of [assignment: list of resources and/or services].

FCP.11 The security function shall prevent unauthorized and unintended information transfer via shared system resources.

The security function must ensure recovery from failures or service interruptions by restoring the secure initial state, while adhering to specified limits for the loss of security function data or objects managed by the module's security function.

FCP.13 The security function shall protect security function data from unauthorized disclosure when it is transmitted between separate parts of the system.

FCP.14 The security function shall identify and handle error conditions in an expeditious manner without providing information that could be exploited by adversaries.

FCP.15 The authentication mechanisms in the system shall obscure feedback of authentication information during the authentication process to protect the information from possible exploitation or use by unauthorized individuals.

FCP.16 The security function shall ensure that the security attributes, when exported outside the system, are unambiguously associated with the exported user data.
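The alias requirements above (FCP.1 through FCP.5 and FCP.9) describe a pseudonymity service: aliases stand in for real identities, the same alias is reused only under a specified condition, and only listed subjects can map an alias back. The following Python is an added example, not code from the AMI-SEC document: it derives aliases with a keyed HMAC so that one identity gets a stable alias within a context and unrelated aliases across contexts, accepts a user-supplied alias under a simple alias metric, and confines resolution to a trusted list. The key, the context strings, the alias format, the trusted-resolver list and the sample identities are assumptions made for this example; a deployment would define the "context" according to its own policy (for example, per third-party recipient of customer data).

```python
"""Pseudonymous aliases for user identities (FCP.1 to FCP.5, FCP.9).

Added example, not from the AMI-SEC document. The key, contexts, alias format,
trusted-resolver list and sample identities are assumptions.
"""
import hashlib
import hmac
import secrets

HEX = set("0123456789abcdef")


class AliasService:
    def __init__(self, key: bytes = b"", trusted_resolvers=()):
        # HMAC key held by the security function only; random if none is supplied.
        self._key = key or secrets.token_bytes(32)
        self._trusted = frozenset(trusted_resolvers)
        self._real_identity = {}   # alias -> real identity, never exported

    def alias_for(self, real_identity: str, context: str) -> str:
        """FCP.4/FCP.5: the security function determines the alias. The same
        (identity, context) pair always yields the same alias; a different
        context yields an alias that is computationally unrelated."""
        material = f"{context}\x00{real_identity}".encode()
        tag = hmac.new(self._key, material, hashlib.sha256).hexdigest()[:32]  # 128-bit pseudonym
        alias = f"usr-{tag}"
        self._real_identity[alias] = real_identity
        return alias

    def accept_alias(self, real_identity: str, proposed: str) -> str:
        """FCP.4: accept a user-provided alias if it meets the alias metric
        (well-formed and not already bound to someone else)."""
        if not (proposed.startswith("usr-") and len(proposed) == 36
                and set(proposed[4:]) <= HEX):
            raise ValueError("alias does not meet the alias metric")
        bound = self._real_identity.get(proposed)
        if bound is not None and bound != real_identity:
            raise ValueError("alias already bound to another identity")
        self._real_identity[proposed] = real_identity
        return proposed

    def resolve(self, alias: str, requesting_subject: str):
        """FCP.1/FCP.2: only subjects on the trusted list may learn the real identity."""
        if requesting_subject not in self._trusted:
            raise PermissionError(f"{requesting_subject} may not resolve aliases")
        return self._real_identity.get(alias)


def demo() -> dict:
    """Constructed key, contexts and identity for the demonstration only."""
    svc = AliasService(key=b"\x01" * 32, trusted_resolvers={"billing-audit"})
    a1 = svc.alias_for("jane.doe@example.net", "demand-response-vendor")
    a2 = svc.alias_for("jane.doe@example.net", "demand-response-vendor")
    a3 = svc.alias_for("jane.doe@example.net", "outage-analytics")
    try:
        svc.resolve(a1, "outage-analytics")   # not on the trusted list
        leaked = True
    except PermissionError:
        leaked = False
    return {"stable": a1 == a2, "unlinkable": a1 != a3,
            "resolved": svc.resolve(a1, "billing-audit"), "untrusted_leak": leaked}
```

Because the alias is a PRF output under a key that never leaves the security function, a recipient holding aliases from two contexts cannot correlate them (FCP.6), and the mapping table rather than the key is what FCP.2's trusted subjects consult; the key itself is security function data that FCP.13 and FIN.2 then protect in transit and at rest.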

Maintaining a robust control system ensures the integrity of sensitive data, preventing unauthorized modifications or deletions. The security controls within the system and information integrity framework outline policies and procedures for identifying, reporting, and rectifying flaws in the control system. These controls encompass malicious code detection, spam protection, and intrusion detection techniques. Additionally, they facilitate the receipt of security alerts and advisories, as well as the verification of security functions. Furthermore, the framework includes measures to detect and prevent unauthorized changes to software and data, restrict data input and output, and ensure the accuracy, completeness, and validity of data while effectively managing error conditions.

FIN.1 The security function shall preserve a secure state when the following types of failures occur: [List of types of failure in the module]

The security function must ensure the ability to detect any alterations to security function data during its transmission between the security function and other trusted IT products, adhering to a specific modification metric that has been defined.

The security function must ensure the integrity of all data exchanged between itself and other trusted IT products, taking appropriate action if any modifications are identified.

FIN.4 The security function shall provide the capability to correct [assignment: type of modification] of all security function data transmitted between the security function and another trusted IT product.

The security function must effectively identify various integrity errors in the data transmitted between different components of the module, including modifications, substitutions, re-ordering, deletions, and any other potential integrity issues.

FIN.6 Upon detection of a data integrity error, the security function shall take the following actions: [assignment: specify the action to be taken].

FIN.7 The security function shall provide detection of physical tampering that might compromise the module's security function.

FIN.8 The security function shall provide the capability to determine whether physical tampering with the module's security function's devices or module's security function's elements has occurred.

The security function must actively monitor specific devices and elements for potential tampering and promptly notify a designated user or role when any physical interference with these security components is detected.

FIN.10 The security function shall resist [assignment: physical tampering scenarios] to the [assignment: list of security function devices/elements] by responding automatically such that the integrity is maintained.

FIN.11 After [assignment: list of failures/service discontinuities] the security function shall enter a [assignment: mode (e.g., maintenance mode)] where the ability to return to a secure state is provided.

FIN.12 For [assignment: list of failures/service discontinuities], the security function shall ensure the return of the module to a secure state using automated procedures.

When automated recovery from specified failures or service interruptions is not feasible, the security function must switch to a designated mode, such as maintenance mode, ensuring that the system can revert to a secure state.

The security function must ensure the recovery from failures or service interruptions by restoring the secure initial state, while adhering to specified limits on the loss of security function data or objects managed by the module.
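FIN.2, FIN.3 and FIN.5 require that modification, substitution, re-ordering and deletion of data in transit be detected, and FIN.6 requires a defined response. The following Python is an added example, not code from the AMI-SEC document: every message carries its source, destination and sequence number under an HMAC, which is enough for the receiver to tell the four FIN.5 error classes apart. The key, the identifiers, the sample exchange and the chosen FIN.6 action (drop and log, with gaps reported but the authentic message still delivered) are assumptions made for this example.

```python
"""Detecting modification, substitution, re-ordering and deletion of data in
transit (FIN.2, FIN.3, FIN.5, FIN.6). Added example, not from the AMI-SEC
document; the key, identifiers, sample exchange and FIN.6 action are assumptions.
"""
import copy
import hashlib
import hmac
import json
from enum import Enum


class IntegrityError(Enum):
    MODIFIED = "content changed after authentication"
    SUBSTITUTED = "authentic message from or for another party"
    REORDERED = "sequence number already passed"
    DELETED = "gap in sequence numbers"


def _canonical(msg: dict) -> bytes:
    """Stable byte encoding so sender and receiver MAC the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def protect(key: bytes, src: str, dst: str, seq: int, body: dict) -> dict:
    """Sender side: bind header (who, to whom, which) and body under one MAC."""
    msg = {"hdr": {"src": src, "dst": dst, "seq": seq}, "body": body}
    return {"msg": msg, "tag": hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()}


class Receiver:
    def __init__(self, key: bytes, my_id: str, peer_id: str):
        self._key, self._me, self._peer = key, my_id, peer_id
        self._next_seq = 0
        self.events = []   # FIN.6 action here: log every detected error

    def accept(self, envelope: dict):
        """Return (delivered, error). Authentic messages after a gap are delivered
        and the gap reported; anything else is dropped."""
        msg = envelope["msg"]
        expected = hmac.new(self._key, _canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["tag"]):
            return self._drop(IntegrityError.MODIFIED, msg)
        hdr = msg["hdr"]
        if hdr["src"] != self._peer or hdr["dst"] != self._me:
            return self._drop(IntegrityError.SUBSTITUTED, msg)   # valid MAC, wrong channel
        if hdr["seq"] < self._next_seq:
            return self._drop(IntegrityError.REORDERED, msg)     # late or replayed
        error = None
        if hdr["seq"] > self._next_seq:
            error = IntegrityError.DELETED
            self.events.append((error, f"missing {self._next_seq}..{hdr['seq'] - 1}"))
        self._next_seq = hdr["seq"] + 1
        return True, error

    def _drop(self, error: IntegrityError, msg: dict):
        self.events.append((error, msg["hdr"]))
        return False, error


def demo() -> list:
    """Constructed exchange between a head-end ("HE") and a meter ("MTR-0001")."""
    key = b"\x42" * 32   # constructed shared key
    rx = Receiver(key, my_id="MTR-0001", peer_id="HE")
    msgs = [protect(key, "HE", "MTR-0001", i, {"cmd": "read", "n": i}) for i in range(4)]
    tampered = copy.deepcopy(msgs[1])
    tampered["msg"]["body"]["cmd"] = "open_switch"   # MAC no longer matches
    other = protect(key, "HE", "MTR-0002", 1, {"cmd": "read", "n": 1})   # meant for another meter
    return [
        rx.accept(msgs[0]),     # (True, None)
        rx.accept(tampered),    # (False, MODIFIED)
        rx.accept(other),       # (False, SUBSTITUTED)
        rx.accept(msgs[1]),     # (True, None)
        rx.accept(msgs[3]),     # (True, DELETED): seq 2 never arrived
        rx.accept(msgs[2]),     # (False, REORDERED): arrives after seq 3 was accepted
    ]
```

Substitution is the case a bare MAC misses: a message authentic under the shared key but addressed to a different meter or produced by a different peer passes the MAC check and is only caught because source and destination are inside the authenticated header. The constant-time comparison on the tag is part of the example rather than decoration, since FCP.14 asks that error handling not leak information an adversary could use.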

Supporting Security Services

Supporting Security Services requirements are essential for realizing the primary security objectives. Each requirement in this section is mapped to the requirements in Section 3.1, indicating which of those are fully or partially met by fulfilling the identified requirements in Section 3.2. A key criterion for inclusion is that every requirement must map to at least two aspects of the CIA triad (confidentiality, integrity, and availability). If a requirement fails to meet this criterion, it belongs in Section 3.1 instead.

Policy requirements can appear in this section, so long as they are relevant to a specific supporting security service area.

Detection services detect events outside of the bounds of normally anticipated or desired behavior such as attacks, intrusions, or errors.

FAS.1 Upon detection of a data integrity error, the security function shall take the following actions: [assignment: specify the action to be taken].

FAS.2 The security function shall provide unambiguous detection of physical tampering that might compromise the module's security function.

FAS.3 For [assignment: list of security function devices/elements for which active detection is required], the security function shall monitor the devices and elements and notify [assignment: a designated user or role] when physical tampering with the security function's devices or elements has occurred.

FAS.4 The security function shall take [assignment: list of actions] upon detection of a potential security violation.

FAS.5 The organization shall employ and maintain fire suppression and detection devices/systems that can be activated in the event of a fire.

FAS.6 The organization shall implement and maintain fire suppression and detection devices/systems that can be activated in the event of a fire.

FAS.7 The organization shall implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.

FAS.8 The organization shall implement control system incident handling capabilities for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.

Boundary services provide isolation between system elements and external entities. They define the interactions that take place at the transition points between distinct security domains, in particular how relationships that cross a boundary are examined or constrained.

Boundary requirements focus on preserving the strength and integrity of the isolation between the internal and external elements of a system. A typical example of these requirements is the configuration of firewalls.

FBS.1 The security function shall restrict the scope of the session security attributes [assignment: session security attributes], based on [assignment: attributes].

FBS.2 The security function shall restrict the maximum number of concurrent sessions that belong to the same user.

FBS.3 The security function shall enforce, by default, a limit of [assignment: default number] sessions per user.

The security function must limit the maximum number of concurrent sessions allowed for each user, in accordance with established rules regarding the permissible number of simultaneous sessions.

To limit the exposure of an unattended console, the security function shall lock an interactive session after a designated period of user inactivity. Locking clears or overwrites the display devices so that the current contents are unreadable, and disables any user data access or display activities until the session is unlocked.

FBS.6 The security function shall require the following events to occur prior to unlocking the session:

The security function must enable users to lock their own interactive sessions, which includes clearing or overwriting display devices to render the current contents unreadable and disabling any data access or display activities, except for unlocking the session.

FBS.8 The security function shall terminate an interactive session after a [assignment: time interval of user inactivity].

FBS.9 The security function shall allow user-initiated termination of the user's own interactive session.

FBS.10 Before establishing a user session, the security function shall display an advisory warning message regarding unauthorized use of the module.

FBS.11 Upon successful session establishment, the security function shall display the [selection: date, time, method, location] of the last successful session establishment to the user.

Upon successfully establishing a session, the security function will show the date, time, method, and location of the most recent unsuccessful session attempt, along with the total number of unsuccessful attempts since the last successful session.

FBS.13 The security function shall not erase the access history information from the user interface without giving the user an opportunity to review the information.

FBS.14 The security function shall be able to deny session establishment based on [assignment: attributes].
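One way to implement the session controls in FBS.2 through FBS.14 on an operator console, as an added example that is not part of the AMI-SEC document: the concurrent-session limit, the inactivity lock and termination timers, user-initiated lock and unlock, the advisory banner, the last-login history that cannot be cleared before the user has reviewed it, and attribute-based denial. The policy values (two sessions, 300 s lock, 900 s termination), the "field origin" deny rule, and the choice of re-authentication as the FBS.6 unlock condition are assumptions of this example; the clock is passed in so the timers can be exercised deterministically.

```python
"""Interactive-session controls for an AMI operator console.
Added example (not code from the AMI-SEC document). 'now' is injected in
seconds so timeouts can be exercised without waiting. Policy values, the deny
rule and user names are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Optional

BANNER = "WARNING: authorized use only. Activity is monitored and logged."  # FBS.10


@dataclass
class AccessHistory:
    """Per-user login history shown at session establishment (FBS.11/FBS.12)."""
    last_success: Optional[dict] = None
    last_failure: Optional[dict] = None
    failures_since_success: int = 0
    reviewed: bool = True  # FBS.13: may be cleared only after the user has reviewed it


@dataclass
class Session:
    user: str
    attrs: dict
    last_activity: float
    locked: bool = False
    terminated: bool = False


class SessionManager:
    def __init__(self, max_sessions=2, lock_after=300.0, terminate_after=900.0,
                 deny_if: Callable[[dict], Optional[str]] = lambda attrs: None):
        self.max_sessions = max_sessions        # FBS.2/FBS.3 per-user concurrent limit
        self.lock_after = lock_after            # FBS.5 idle seconds before lock
        self.terminate_after = terminate_after  # FBS.8 idle seconds before termination
        self.deny_if = deny_if                  # FBS.14: returns a denial reason or None
        self.sessions = []
        self.history = {}

    def _hist(self, user):
        return self.history.setdefault(user, AccessHistory())

    def active(self, user):
        return [s for s in self.sessions if s.user == user and not s.terminated]

    def history_notice(self, user):
        h = self._hist(user)
        return {"last_success": h.last_success, "last_failure": h.last_failure,
                "failures_since_success": h.failures_since_success}

    def establish(self, user, attrs, now, authenticated):
        """Return (session or None, info); info always carries the banner."""
        info = {"banner": BANNER, "denied": None, "history": None}
        reason = self.deny_if(attrs)
        if reason:                                              # FBS.14
            info["denied"] = reason
            return None, info
        h = self._hist(user)
        if not authenticated:                                   # recorded for FBS.12
            h.last_failure = {"time": now, **attrs}
            h.failures_since_success += 1
            h.reviewed = False
            info["denied"] = "authentication failed"
            return None, info
        if len(self.active(user)) >= self.max_sessions:         # FBS.2/FBS.3
            info["denied"] = f"concurrent session limit ({self.max_sessions}) reached"
            return None, info
        info["history"] = self.history_notice(user)             # FBS.11/FBS.12, before update
        h.last_success = {"time": now, **attrs}
        h.failures_since_success = 0
        h.reviewed = False
        session = Session(user, attrs, now)
        self.sessions.append(session)
        return session, info

    def acknowledge_history(self, user):
        self._hist(user).reviewed = True

    def clear_history(self, user):
        if not self._hist(user).reviewed:                       # FBS.13
            raise PermissionError("access history has not been reviewed by the user")
        self.history[user] = AccessHistory()

    def touch(self, session, now):
        """Record user activity; a locked or terminated session accepts none."""
        if session.locked or session.terminated:
            raise RuntimeError("session is locked or terminated")
        session.last_activity = now

    def lock(self, session):                                    # FBS.7 user-initiated lock
        session.locked = True

    def unlock(self, session, now, reauthenticated):
        """FBS.6 unlock condition assumed here: successful re-authentication."""
        if session.terminated or not reauthenticated:
            return False
        session.locked, session.last_activity = False, now
        return True

    def terminate(self, session):                               # FBS.9 user-initiated end
        session.terminated = True

    def sweep(self, now):
        """Apply the inactivity rules; returns (newly_locked, newly_terminated)."""
        locked = terminated = 0
        for s in self.sessions:
            if s.terminated:
                continue
            idle = now - s.last_activity
            if idle >= self.terminate_after:                    # FBS.8
                s.terminated, terminated = True, terminated + 1
            elif idle >= self.lock_after and not s.locked:      # FBS.5
                s.locked, locked = True, locked + 1
        return locked, terminated
```

Two details matter in practice: the history notice is captured before the new login is recorded, so the user sees the previous success and the failures that occurred since it rather than the login just made, and a locked session keeps its old activity timestamp, so an operator who never returns is terminated by the same sweep that would have terminated an idle unlocked session.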

The security function must establish a dedicated communication channel with another trusted IT product that is logically separate from other channels. This channel must provide reliable identification of its endpoints and must protect the data transmitted through it from unauthorized modification or disclosure.

FBS.16 The security function shall permit [selection: the module's security function, another trusted IT product] to initiate communication via the trusted channel.

FBS.17 The security function shall initiate communication via the trusted channel for [assignment: list of functions for which a trusted channel is required].

The security function must establish a dedicated communication path for [selection: remote, local] users that is separate from other communication paths. This path must provide reliable identification of its endpoints and protect the transmitted data against [selection: modification, disclosure, [assignment: other types of integrity or confidentiality violation]].

FBS.19 The security function shall permit [selection: the module's security function, local users, remote users] to initiate communication via the trusted path.

FBS.20 The security function shall require the use of the trusted path for [selection: initial user authentication, [assignment: other services for which trusted path is required]].

FBS.21 The organization shall develop, implement, and periodically review and update:

1 A formal, documented, control system security policy that addresses: (a) the purpose of the security program as it relates to protecting the organization’s personnel and assets; (b) the scope of the security program as it applies to all the organizational staff and third-party contractors; (c) the roles, responsibilities, and management accountability structure of the security program to ensure compliance with the organization’s security policy and other regulatory commitments.

2 Formal, documented procedures to implement the security policy and associated requirements. A control system security policy considers controls from each of the families contained in this document.

FBS.22 The organization shall establish policies and procedures to define roles, responsibilities, behaviors, and practices for the implementation of an overall security program.

FBS.23 The organization shall establish a management leadership accountability structure that defines the roles and responsibilities for approving cybersecurity policy, assigning security roles, and coordinating the implementation of cybersecurity measures across the organization.

FBS.24 Baseline practices that organizations employ for organizational security include, but are not limited to:

1 Executive management accountability for the security program;

2 Responsibility for control system security within the organization includes sufficient authority and an appropriate level of funding to implement the organization’s security policy;

3 The organization’s security policies and procedures that provide clear direction, accountability, and oversight for the organization’s security team. The security team assigns roles and responsibilities in accordance with the organization’s policies and confirms that processes are in place to protect company assets and critical information;

4 The organization’s contracts with external entities that address the organization’s security policies and procedures with business partners, third-party contractors, and outsourcing partners;

5 The organization’s security policies and procedures ensure coordination or integration with the organization’s physical security plan. Organization roles and responsibilities are established that address the overlap and synergy between physical and control system security risks.

The organization's security policies and procedures must clearly outline the implementation of its emergency response plan, ensuring effective coordination with law enforcement agencies, regulators, Internet service providers, and other pertinent organizations during a security incident.

Assurance

Not all solutions are created equal. Differing degrees of care and consideration can go into developing solutions that satisfy any given security requirement. This section contains requirements regarding the activities involved in developing smart grid system solutions. Topics include:

This is about the creation of smart grid systems, not their deployment, operation, or maintenance.

ADR.1 The organization shall develop, disseminate, and periodically review/update:

1 A formal, documented, information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2 Formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.

The organization must schedule, conduct, document, and review records of routine preventative and regular maintenance, including repairs, for the components of the information system, following either manufacturer or vendor specifications or organizational requirements.

ADR.3 The organization shall approve, control and monitor the use of information system maintenance tools and maintain the tools on an ongoing basis.

ADR.4 The organization shall authorize, monitor and control any remotely executed maintenance and diagnostic activities, if employed.

ADR.5 The organization shall allow only authorized personnel to perform maintenance on the information system.

ADR.6 The organization shall obtain maintenance support and spare parts for [Assignment: organization- defined list of key information system components] within [Assignment: organization-defined time period] of failure.

ADR.7 The organization shall develop, disseminate, and periodically review/update:

1 A formal, documented, system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2 Formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.

ADR.8 The organization shall determine, document and allocate as part of its capital planning and investment control process, the resources required to adequately protect the information system.

ADR.9 The organization shall manage the information system using a system development life cycle methodology that includes information security considerations.

Organizations must incorporate security requirements and specifications into information system acquisition contracts, either explicitly or by reference. This inclusion should be based on a thorough risk assessment and comply with relevant laws, Executive Orders, directives, policies, regulations, and standards.

ADR.11 The organization shall obtain, protect as required, and make available to authorized personnel, adequate documentation for the information system.

ADR.12 The organization shall comply with software usage restrictions.

ADR.13 The organization shall enforce explicit rules governing the installation of software by users.

ADR.14 The organization shall design and implement the information system using security engineering principles.

1 Requires that providers of external information system services employ adequate security controls in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, guidance, and established service-level agreements; and

Organizations must mandate that information system developers establish and execute a configuration management plan. This plan should manage changes during development, track security vulnerabilities, ensure that all modifications receive proper authorization, and include documentation of both the plan and its execution.

ADR.17 The organization shall require that information system developers create a security test and evaluation plan, implement the plan, and document the results.

ADR.18 The organization shall develop, disseminate and periodically review/update:

1 A formal, documented, system and services acquisition policy that addresses: (a) the purpose of the security program as it relates to protecting the organization’s personnel and assets; (b) the scope of the security program as it applies to all the organizational staff and third-party contractors; (c) the roles, responsibilities and management accountability structure of the security program to ensure compliance with the organization’s security policy and other regulatory commitments.

2 Formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.

The organization must establish a systematic approach to identify, document, and approve the resources necessary for the effective protection of its control system, integrating this process into its capital planning and investment control framework.

ADR.20 The organization shall manage the control system using a system development life-cycle methodology that includes control system security considerations.

Organizations must incorporate security requirements or specifications in their control system acquisition contracts, either explicitly or by reference. This inclusion should be based on a thorough risk assessment and comply with relevant laws, Executive Orders, directives, policies, regulations, and standards.

ADR.22 The organization shall ensure that adequate documentation for the control system and its constituent components is available, protected when required, and accessible to authorized personnel.

ADR.23 The organization’s security program shall deploy policy and procedures to enforce compliance with software license usage restrictions.

ADR.24 The organization shall implement policies and procedures to enforce explicit rules and management expectations governing user installation of software.

ADR.25 The organization shall design and implement the control system using security engineering principles and best practices.

ADR.26 The organization shall ensure that third-party providers of control system services employ adequate security mechanisms in accordance with established service-level agreements and monitor compliance.

The control system vendor is required to develop and enforce a configuration management plan that restricts modifications to the control system throughout the design and installation phases. The plan is also the means by which security vulnerabilities are tracked. Additionally, the vendor must secure written approval from the organization for any alterations to the plan.

The vendor shall provide documentation of the plan and its implementation.

The control system vendor is required to create a security test and evaluation plan, which must be submitted to the organization for approval. Once the plan receives written approval, the vendor implements it, documents the results of the testing and evaluation, and submits those results to the organization for approval.

The control system vendor must implement effective software development life-cycle practices to mitigate prevalent coding errors that compromise security, focusing specifically on the validation of input data and the management of buffers.
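An added example of the input-validation and buffer-management point, written for this page rather than taken from the AMI-SEC document or any vendor's code: a hypothetical meter-reading record format is parsed twice, once trusting the declared lengths the way a C parser that copies into a fixed array would, and once checking every declared size against the bytes actually present before they are touched. In Python the naive form does not overflow; it silently fabricates readings from a truncated or hostile record, which is the data-integrity failure the strict form is meant to prevent. The record layout, the 96-reading cap and the 100 kWh ceiling are assumptions of the example.

```python
"""Bounded parsing of a meter-reading record (input validation, ADR.29).
Added example, not from the AMI-SEC document. Hypothetical record layout:
  ver:1 | len:2 (big-endian, whole record) | meter_id:8 (ASCII digits) |
  n:1 | n x reading:4 (big-endian watt-hours)
"""
import struct

HEADER = ">BH8sB"                      # ver, len, meter_id, n
HEADER_LEN = struct.calcsize(HEADER)   # 12 bytes
READING_LEN = 4
MAX_READINGS = 96                      # hypothetical cap: a day of 15-minute intervals
MAX_WH = 100_000                       # hypothetical physical ceiling per interval
VERSION = 1


class RecordError(ValueError):
    pass


def build_record(meter_id: str, readings) -> bytes:
    """Sender side; used here only to construct sample input."""
    body = struct.pack(f">{len(readings)}I", *readings)
    header = struct.pack(HEADER, VERSION, HEADER_LEN + len(body),
                         meter_id.encode("ascii"), len(readings))
    return header + body


def parse_naive(buf: bytes) -> dict:
    """The 'before' form: declared n and len are believed, nothing is bounds-checked.
    A slice past the end of the buffer yields b'' and int.from_bytes(b'') is 0,
    so missing data turns into phantom zero readings instead of an error."""
    n = buf[11]
    readings = [int.from_bytes(buf[12 + 4 * i:16 + 4 * i], "big") for i in range(n)]
    return {"meter_id": buf[3:11].decode("ascii", "replace"), "readings": readings}


def parse_strict(buf: bytes) -> dict:
    """The hardened form: every declared size is checked against the bytes present."""
    if len(buf) < HEADER_LEN:
        raise RecordError("short header")
    ver, length, meter_id, n = struct.unpack_from(HEADER, buf, 0)
    if ver != VERSION:
        raise RecordError(f"unsupported version {ver}")
    if length != len(buf):
        raise RecordError(f"declared length {length} != actual {len(buf)}")
    if n > MAX_READINGS:
        raise RecordError(f"reading count {n} exceeds cap {MAX_READINGS}")
    if HEADER_LEN + n * READING_LEN != len(buf):
        raise RecordError("reading count inconsistent with record length")
    if not (meter_id.isascii() and meter_id.isdigit()):
        raise RecordError("meter id is not 8 ASCII digits")
    readings = list(struct.unpack_from(f">{n}I", buf, HEADER_LEN))
    if any(r > MAX_WH for r in readings):
        raise RecordError("reading outside physical range")
    return {"meter_id": meter_id.decode("ascii"), "readings": readings}
```

The order of the checks is deliberate: the count cap is tested before the count is used to compute an offset, and the total length is reconciled before any reading is decoded, so an attacker-controlled `n` can never drive a read (or, in a C implementation, a copy) past the end of the buffer.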

ADR.30 The organization shall develop, disseminate, and periodically review and update:

1 A formal, documented Configuration Management policy that addresses: (a) the purpose of the configuration management policy as it relates to protecting the organization’s personnel and assets; (b) the scope of the configuration management policy as it applies to all the organizational staff and third-party contractors; (c) the roles, responsibilities and management accountability structure contained in the configuration management policy to ensure compliance with the organization’s security policy and other regulatory commitments.

2 Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

3 The personnel qualification levels required to make changes, the conditions under which changes are allowed, and what approvals are required for those changes.

ADR.31 The organization shall develop, document, and maintain a current baseline configuration of the control system and an inventory of the system’s constituent components.

ADR.32 The organization shall authorize, document and manage changes to the control system.

ADR.33 The organization shall implement a process to monitor changes to the control system and conduct security impact analyses to determine the effects of the changes.

1 Approves individual access privileges and enforces physical and logical access restrictions associated with configuration changes to the control system;

2 Generates, retains, and reviews records reflecting all such changes.

1 Establishes mandatory configuration settings for IT products employed within the control system;

2 Configures the security settings of control systems technology products to the most restrictive mode consistent with control system operational requirements;

3 Documents the changed configuration settings.

The organization must configure its control system to ensure that only essential capabilities are available, while explicitly prohibiting or restricting the use of certain functions, ports, protocols, and services as outlined in a designated "prohibited and/or restricted" list.

ADR.37 The organization shall create and maintain a list of all end-user configurable assets and the configurations of those assets used by the organization.

The organization must establish and enforce policies and procedures for the addition, removal, and disposal of control system equipment. All control system assets and information must be documented, identified, and tracked so that their location and function are known.

ADR.39 The organization shall change all factory default authentication credentials on control system components and applications upon installation.

ADR.40 The organization shall develop, disseminate, and periodically review/update:

1 A formal, documented, control system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance;

2 Formal, documented procedures to facilitate the implementation of the control system maintenance policy and associated system maintenance controls.

Organizations must establish policies and procedures to enhance existing legacy control systems by integrating security measures that align with their risk tolerance and address the potential risks to the systems and processes they manage.

The organization is required to perform regular security vulnerability assessments as outlined in its risk management plan. The control system must then be updated to mitigate any identified vulnerabilities, in alignment with the organization's control system maintenance policy.

ADR.43 The organization shall make and secure backups of critical system software, applications and data for use if the control system operating system software becomes corrupted or destroyed.

ADR.44 The organization shall review and follow security requirements for a control system before undertaking any unplanned maintenance activities of control system components (including field devices). Documentation includes the following:

1 The date and time of maintenance;

2 The name of the individual(s) performing the maintenance;

3 The name of the escort, if necessary;

4 A description of the maintenance performed;

5 A list of equipment removed or replaced (including identification numbers, if applicable).

The organization must schedule, execute, and document routine preventive and regular maintenance of control system components, adhering to the specifications set by manufacturers or vendors, as well as following organizational policies and procedures.

ADR.46 The organization shall approve, manage, protect and monitor the use of control system maintenance tools and maintain the integrity of the tools on an ongoing basis.

Scope

Advanced Metering Infrastructure (AMI), as defined by the AMI-SEC taskforce, is:

Advanced Metering Infrastructure (AMI) encompasses the hardware and software that establishes a network between advanced meters and utility business systems. This infrastructure enables the efficient collection and distribution of information to customers, competitive retail providers, and the utility itself. AMI is characterized by two main components: 1) the hardware and software located at or near the customer premises, for which the utility or its authorized representatives are responsible, and 2) the utility-owned hardware and software specifically designed to facilitate advanced metering operations.

This document outlines a logical, platform-agnostic mitigation plan aimed at addressing the requirements identified in the Risk Assessment and System Requirements Document. The design approach focuses on systematically addressing these requirements to ensure effective risk management.

 Architectural Representation of Security Systems

 System, Subsystem, and Function Boundaries

This document emphasizes security architecture specifically for Advanced Metering Infrastructure (AMI), rather than detailing the broader enterprise-level AMI architecture. The goal is to break down the system into its essential views to effectively address AMI security. The architecture focuses solely on the externally visible properties of system elements, leaving non-visible aspects to the discretion of designers, implementers, and integrators.

The accompanying figure gives a top-level overview of the AMI system, starting with the interactions between external actors and the AMI system in section 3.1. Section 3.2 then decomposes the AMI system in more detail. Each successive iteration of the analysis delivers increased granularity and traceability across the different views of the system.

AMI-SEC is concurrently developing essential documentation to support the Architectural Description (AD), including the AMI Risk Analysis and System Security Requirements (SSR) documents. The Risk Analysis guides utilities in assessing the risk-to-value of their assets, defined as the business-level value streams. Additionally, the appendix of the AMI Risk Analysis features catalogs of assets, vulnerabilities, and threats. The SSR document outlines AMI-SEC's methodology for requirements assessment and implementation, ensuring traceability between the AD and the SSR requirements for consistency and rationale.

This document outlines security measures for widely recognized Advanced Metering Infrastructure (AMI) use cases provided by utilities to AMI-SEC. While it is anticipated that AMI will evolve to accommodate new and unforeseen applications, this document aims to categorize use cases with similar security requirements. The objective is to facilitate the ongoing development of AMI by establishing a foundational security framework.

Mission

The AMI Security Architecture aims to enhance understanding of AMI security and facilitate communication among stakeholders, serving as a foundation for system analysis. It is crucial to recognize that the architecture's primary objective is not to develop the complete AMI system but to ensure its security, a task that is inherently complex.

This document serves as an introductory guide to AMI Security, offering essential insights for interested parties. It is designed to help newcomers grasp the fundamental elements, interfaces, and overall structure of AMI security, making it an ideal starting point for further exploration.

This document facilitates communication among stakeholders such as system designers, implementers, integrators, testers, and operators. While all architecture is a form of design, not all design qualifies as architecture. The goal of this communication is to provide clear guidance to stakeholders, ensuring they comprehend the architecture adequately to fulfill their respective roles effectively.

The architecture will also provide the information needed to support the analysis performed for the security objectives, including availability, integrity, confidentiality, access control and accounting.

The architecture will cross-check with information contained in the Requirements document to provide reasoning for requirements selection.

Stakeholders & Concerns

Stakeholders are individuals or groups with interests related to a system, encompassing all actors involved, though not all stakeholders actively participate. For instance, an investor may care about the success of the Advanced Metering Infrastructure (AMI) system without direct interaction. Key stakeholders pertinent to the security architecture include those whose concerns impact the system's effectiveness and safety:

 Customer Users of the system

 Responsible Entities of the systems

Concerns that stakeholders may have from a security perspective for the entire AMI system:

 The purpose or missions of the system as pertains to security

 The appropriateness of the system for use in fulfilling its security missions

 The feasibility of constructing the system

 The risks of system development and operation to users, acquirers, and developers of the system

 Maintainability, deploy-ability, and evolve-ability of the system

Each viewpoint defined for AMI security possesses specific concerns defined with each viewpoint under the following section.

Potential examples of AMI security concerns by stakeholders:

Utility Operator: integrity of information and system control

Regulators: integrity of the system and compliance with regulations

Telecom Provider: compliance with contractual obligations and regulations

Security Analysis Approach

The security analysis approach involves assessing each perspective based on key security principles, including availability, integrity, confidentiality, access control, and accountability. High-level models are represented through Use Cases, with each Use Case identifying at least one security objective by evaluating it against these fundamental principles.

 Availability
o Ensure the desired resource is available at the time it is needed.
o Ensure the desired resource is accessible in the intended manner by the appropriate entity.

 Integrity
o Ensure the desired resource contains accurate information.
o Ensure the desired resource performs precisely as intended.

 Confidentiality
o Ensure the desired resource is only accessible to the desired targets.
o Ensure the desired resource is only accessible under the designated conditions.

 Access Control
o Ensure resource access follows the designated procedure.
o Ensure access mechanisms provide sufficient management capabilities to establish, modify, and remove desired criteria.

 Accountability
o Ensure system activities can be reconstructed, reviewed, and examined from transaction inception to output of final results.
o Ensure system controls are provably compliant with established policy and procedures.

Architecture Description Approach

Viewpoints

IEEE 1471-2000 defines a viewpoint on a system as an abstraction formed through a chosen set of architectural constructs and structuring rules, aimed at emphasizing specific concerns within the system. The relationship between viewpoint and view is that of a template and its instance. Under IEEE 1471-2000, an architectural description contains, among other elements:

 Specifications of each viewpoint that has been selected to organize the representation of the architecture and the rationale for those selections

 One or more architectural views

 A record of all known inconsistencies among the architectural description’s required constituents

 A rationale for selection of the architecture

Each viewpoint shall be specified by:

2 The stakeholders to be addressed by the viewpoint,

3 The concerns to be addressed by the viewpoint,

4 The language, modeling techniques, or analytical methods to be used in constructing a view based upon the viewpoint,

5 The source, for a library viewpoint (the source could include author, date, or reference to other documents, as determined by the using organization).

A viewpoint specification may include additional information on architectural practices associated with using the viewpoint, as follows:

 Formal or informal consistency and completeness tests to be applied to the models making up an associated view

 Evaluation or analysis techniques to be applied to the models

 Heuristics, patterns, or other guidelines to assist in synthesis of an associated view

Viewpoint specifications can be referenced from established practices or guidelines. An architectural description must provide a justification for each selected viewpoint, detailing how well it encompasses the interests and concerns of the stakeholders involved.

Views

An architectural description consists of various components known as architectural views, each tailored to address specific concerns of system stakeholders. The term "view" refers to the representation of a system's architecture from a particular perspective.

The relationship between a viewpoint and a view can be compared to that of a template and its instance, where the viewpoint serves as the template and the view represents its specific instance.

Contextual View

The main objective of this perspective is to pinpoint the external interaction points, both physical and logical/data, between Advanced Metering Infrastructure (AMI) and external entities. After identifying these interaction points, a security architecture is established to address stakeholder concerns. Use cases are utilized to illustrate interactions between customers, third parties, and utilities with AMI in sections 2.1.2, 2.1.3, and 2.1.4.

Elaborations of the interactions in this view are unlikely to be complete; they should however provide representative examples of –

 Use cases of the outside world interacting with (stimulating) AMI

 Use cases of AMI interacting with (stimulating) the outside world

 Misuse or abuse cases in either direction; that is, specific uses that should be prevented

 Any actor sub-categories where the actor uses the system in a fashion that implies security needs that differ from major actors (e.g., leading to identification of access domains/privilege levels)

 Physical interactions (e.g., installing a meter or physical access to assets like collectors)

 Logical interactions (e.g., user monitors or modifies settings with the utility via web browser or utility initiates a demand-response interaction with a residence)

Elements of the view are the AMI system (as a black box), human actors, and connected systems Relations of the view are vague - "interacts with", with elaboration in the prose.

Top Level Model

Customer Model

The customer model focuses on the interactions between a customer and the AMI system.

Customers may include sub-actors such as:

 Residential Customer (Private home owners)

 Commercial Customer (Office buildings, Apartment Complexes)

 Municipalities Customer (Street lights, traffic lights, subways)

Sub-actors can be classified based on the varying security treatments they receive according to their specific roles. When all sub-actors receive the same security treatment, they are treated collectively; where the treatment differs, even slightly, those distinctions become significant. The relationship between the customer and the Advanced Metering Infrastructure (AMI) system is illustrated in a diagram, highlighting that the customer can initiate a stimulus on the AMI system, or the AMI system can respond to the customer.

The following use cases are used to define the relationship between the customer and AMI:

Customer reduces their usage in response to pricing or voluntary load reduction event:

The utility can use the Advanced Metering Infrastructure (AMI) system to inform customers when demand reduction is necessary. This request aims to enhance grid reliability, facilitate economic dispatch through energy trading, or postpone energy purchases.

AMI demand response systems are designed with two levels of advance warning, as detailed in Distribution Use Case 2. The first level provides a few hours' notice for predicted energy shortages, while the second level offers urgent alerts for emergency shortages, ranging from minute to sub-minute notifications.

Security Objective:

o Prevent false warnings from reaching the customer.

o Ensure that only people and/or systems that are authorized by the utility can send warnings to the customer.

o Ensure that the system is resilient to periods of over-subscribed network utilization, especially in the case of emergency shortages.

 Customer has access to recent energy usage and cost at their site:

 Customers can view a variety of information being gathered by their meter, permitting them to make energy-efficient choices and to shift demand to off-peak periods.

Customers may access this information through a variety of methods.

The primary security objectives include safeguarding access methods from unauthorized individuals, ensuring the confidentiality of customer data, and protecting devices that transmit usage and cost information from tampering. Additionally, it is essential to validate that the communication of usage and cost data aligns with the utility's intent by displaying only necessary information and ensuring that all presented data accurately reflects reality.

Customer prepays for electric services:

 Customers of the AMI system can prepay their accounts and read their current balance. Pre-pay may be done through the internet, phone, or other method.

To achieve the security objectives, utilities and financial entities must comply with PCI standards or other relevant regulations. It is essential to ensure that the Advanced Metering Infrastructure (AMI) system and payment devices are protected against various types of payment fraud. Additionally, maintaining the confidentiality of payment data is crucial to safeguarding sensitive information.

External clients use the AMI system to interact with devices at customer site:

The Advanced Metering Infrastructure (AMI) will serve as a vital communication gateway, allowing third parties, including energy management companies, to monitor and control customer equipment at their premises. This infrastructure is essential for facilitating on-demand requests while ensuring a secure environment for transmitting confidential customer information.

To enhance data security, it is essential that all third parties adhere to a standardized data confidentiality agreement. Additionally, these parties must comply with established protocols for granting access to systems that enable the monitoring and control of customer equipment on-site.

To ensure the security and integrity of customer interactions with equipment, all communications leading to actions at customer premises must be authorized, authenticated, non-repudiated, and logged. Additionally, it is crucial to secure the communication pathways that enable control of equipment, making them tamper-proof. Customers should also be required to consent to specific third-party access to their premise gateway.

Third Party Model

The third-party model illustrates the relationship between external entities and the Advanced Metering Infrastructure (AMI) system. These third parties can encompass utility-contracted organizations, such as telecom providers and other utility companies. Additionally, they may involve organizations that have contractual agreements with customers to manage their in-home devices, such as energy management systems, within the home area network.

The following are use cases describing the relationships between potential third parties and the AMI system.

Multiple Clients Read Demand and Energy Data Automatically from Customer Premises:

The AMI system enables gas and water utilities, contracted meter readers, aggregators, and other third parties to access and read electrical, gas, and water meters, as well as manage third-party equipment located on customer premises.

The primary security objective is to safeguard customer information, ensuring that customers have control over the dissemination of their data. Additionally, it is essential to maintain the integrity of meter data, protecting it from any unauthorized manipulation or deletion. Furthermore, the goal is to ensure that meter data is readily available to clients for both scheduled and unscheduled readings in a timely manner.

Utility Model

The utility model describes interactions between the Utility stakeholder and the AMI system in order to describe the security treatments that need to be applied.

Utility stakeholder security concerns about AMI:

The following are use cases describing the relationships between the Utility and AMI.

The AMI system enables utilities to remotely collect meter data at regular intervals, allowing for billing based on customers' actual time of use. This capability facilitates the shifting of energy demand from peak to off-peak periods, ultimately enhancing energy efficiency.

The primary security objective is to ensure the privacy of customer information both during transit and in temporary or permanent memory storage. Additionally, it is crucial to safeguard meter data from any unauthorized manipulation or deletion. Furthermore, ensuring the timely availability of meter data is essential for maintaining operational efficiency and customer trust.

 The AMI system permits customers' electrical service to be remotely connected or disconnected for a variety of reasons, eliminating the need for utility personnel to visit the customer premises.

Security Objective:

o To protect integrity of connect/disconnect control messages; avoiding fake messages, fake senders, unintended receivers, manipulated messages

o To establish a secure connection in transporting connect/disconnect control messages

o To establish timely connectivity to connect/disconnect service

 It should also provide an efficient way in which to initiate/terminate a service agreement between customer and utility via a remote switching service (on/off)

Security Objective:

o To establish timely connectivity to connect/disconnect service

 Possess the ability to remotely limit customer usage as a response to constrained supply as well as the customer’s inability to pay the cost for the service

The primary security objective is to safeguard the integrity of connect, disconnect, and limit control messages by preventing counterfeit messages, impersonation of senders, unintended recipients, and message manipulation. Additionally, it aims to establish a secure connection for the transmission of these critical control messages.

Customers and utilities should have access to essential business transactions, including routine service shut-offs for move-outs, routine service turn-ons for move-ins, and the termination of credit and collections services Additionally, local or on-site service shut-offs and turn-ons, as well as credit and collection service limitations, must also be made available.

Security Objective:

o To establish timely connectivity to connect/disconnect/limit service

o To produce historical, non-repudiable record of event

 The AMI system can be used to report when customers are stealing energy or tampering with their meter.

Security Objective:

o To produce reliable tamper indication

o To successfully transmit and receive a tamper signal

o To securely transmit tamper signal from a non-repudiable source

 The AMI system can be used to report outages with greater precision than other sources, or verify outage reports from other sources.

The AMI system effectively analyzes electrical power quality by providing critical data on harmonics, RMS variations, voltage, and VARs. Additionally, it enhances power quality and reduces fault recovery times through direct communication with distribution automation networks.

The primary security objectives include ensuring the integrity of meter data to prevent manipulation and deletion, safeguarding the transmission of meter data so that customers' private information is not released or intercepted, and maintaining the availability of high-quality analysis information.

 The AMI system can be used to dispatch, measure, regulate and detect distributed generation by customers.

Security Objective:

o To maintain integrity of AMI data being transmitted and stored to avoid manipulation and deletion

o To provide timely availability to system data

The implementation of load management programs offers several significant benefits, including enhanced customer engagement and participation, improved communication between utilities and load management devices, and reduced installation costs for advanced metering infrastructure (AMI) components. By minimizing out-of-pocket expenses for customers, utilities can foster greater willingness to engage in distributed generation initiatives. Additionally, this approach allows utilities to effectively dispatch and monitor participants involved in distributed generation, further optimizing energy management and resource allocation.

Security Objective:

o To protect confidentiality of customer’s data and maintain customer trust

The emergence of advanced communication technologies, including wireless communication systems, Power Line Communication (PLC), and Broadband over Power Line (BPL), enables Advanced Metering Infrastructure (AMI) devices to interact with essential physical infrastructure, such as Intelligent Electronic Devices (IEDs) like Capacitor Bank Controllers (CBC). This interaction enhances circuit efficiency, reduces losses, and promotes energy savings, ultimately optimizing the lifespan of critical infrastructure.

To ensure the integrity of data both stored and transmitted between AMI and Smart Grid devices, it is essential to deliver device information promptly. Additionally, safeguarding AMI and Smart Grid communications from manipulation, deletion, and interception is crucial for maintaining secure and reliable operations.

Management of the End-to-End Lifecycle of the Metering System

An essential feature of an Advanced Metering Infrastructure (AMI) system is its self-diagnostic capability. The system must efficiently gather data on the status and health of its devices, perform remote diagnostics, and optimize operational parameters from a distance.

The primary security objectives include safeguarding diagnostic data from manipulation, deletion, or impersonation, ensuring the authenticity of transmitted diagnostic messages, guaranteeing timely access to diagnostic information, and protecting the data from eavesdropping or interception.

The system must be designed to adapt to potential changes, including emerging physical communication methods, innovative features from equipment vendors, and new tariffs that may impose restrictions like rate limits or timing. Additionally, it should accommodate connections to various types of load control equipment, support new communication protocols, adjust to changes in operating parameters, and integrate with new computing applications.

 The aforementioned should be accomplishable with minimal incremental cost in stark contrast to a wholesale system replacement

Security Objective:

o Objectives to be determined and prioritized based on technology implemented

 Utilities use the AMI system to enforce disconnection when the prepayment balance reaches zero.

To ensure customer confidentiality, it is essential to protect payment information from eavesdropping and unauthorized data collection, whether stored temporarily or permanently. Additionally, maintaining the integrity of transmitted data is crucial, which includes ensuring non-repudiation and validating customer information. Furthermore, customers must have reliable access to their accounts within payment services.

Security Domains View

Utility Edge Services Domain

The Utility Edge Services Domain allows the utility to interact with non-customer-owned edge assets, such as a meter (electric, gas, or water) or other end-point device.

The Utility Edge Services Domain assumes a singular service endpoint (point of service).

Ownership and Control Concerns

The utility possesses certain assets within the Utility Edge Services Domain, while any assets not owned by the utility are held by a peer entity, typically another utility.

The utility controls all assets within the Utility Edge Services Domain. Assets owned by another entity are controlled by the utility as a proxy for the owner.

Premise Edge Services Domain

The Premise Edge Services Domain allows the utility to interact with customer-owned edge assets, such as Home Area Network (HAN) devices.

The Premise Edge Services Domain assumes a singular customer.

The assets within the Premise Edge Services Domain may be owned by the utility, the customer, or a third-party service provider.

The utility manages all assets within the Premise Edge Services Domain, while control over assets owned by other entities is delegated to the utility upon their admission to this domain.

Communication Services Domain

The Communication Services Domain facilitates communication between assets in adjacent service domains (Utility Edge, Premise Edge, Managed Network, and Automated Network) and may facilitate communication between assets within the same domain.

The Communication Services Domain assumes interfaces to multiple Utility Edge and Premise Edge Services Domains, and may include interfaces to multiple Managed Network and Automated Network Services Domains.

The utility may own the assets within the Communication Services Domain.

Alternatively, assets in the Communication Services Domain may be owned by a

The utility has the authority to manage assets within the Communication Services Domain, or these assets may be overseen by a Communication Services Provider. When a Communication Services Provider controls these assets, they may be incorporated into a contractual services agreement with the utility.

Managed Network Services Domain

The Managed Network Services Domain allows the utility to manage communication configuration, settings, capabilities, and resources in each of the other service domains.

Assumptions

The utility primarily uses assets in the Managed Network Services Domain to manipulate configurations and settings in the Automated Network Services Domain (i.e., human interface).

The utility may own the assets within the Managed Network Services Domain.

Alternatively, assets in the Managed Network Services Domain may be owned by a Communication Services Provider.

The utility oversees all assets within the Managed Network Services Domain, with authority over assets owned by other entities granted to the utility upon their admission to this domain.

Automated Network Services Domain

The Automated Network Services Domain allows the utility to implement the communication parameters specified using assets in the Managed Network Services Domain.

The utility primarily uses assets in the Automated Network Services Domain to perform routine and/or repetitive operations at high speed without manual intervention.

The utility may own the assets within the Automated Network Services Domain.

Alternatively, assets in the Automated Network Services Domain may be owned by a Communication Services Provider.

The utility manages all assets within the Automated Network Services Domain, with the authority to oversee assets owned by other entities as part of their integration into the domain.

Utility Enterprise Services Domain

The Utility Enterprise Services Domain allows the utility to perform the business functions required by enterprise applications.

The assets in the Utility Enterprise Services Domain provide the interface to AMI systems and data for the remainder of the enterprise.

The utility owns all assets within the Utility Enterprise Services Domain.

The utility controls all assets within the Utility Enterprise Services Domain.

Appendix B – Supplemental Material: Business Functions as Stakeholders in AMI Systems

Introduction

Scope of AMI Systems

The evolution of Smart Grid technologies is transforming various business functions into key stakeholders, particularly through the implementation of Advanced Metering Infrastructure (AMI) systems. While AMI systems offer clear advantages for certain business functions, they remain a work in progress, showing potential benefits for others that are not yet fully realized. Furthermore, unforeseen business functions may emerge as viable stakeholders in the future, highlighting the dynamic nature of Smart Grid development.

AMI systems integrate hardware, software, and data management applications to establish a communication network between customer premises and various utility and third-party operational systems. These systems facilitate the exchange of information between customer end devices, such as meters and gateways, and the broader utility ecosystem. To safeguard this vital infrastructure, comprehensive end-to-end security measures must be implemented across all components of the AMI systems, ensuring protection for both customer and utility interfaces.

Figure 9 - Scope of AMI Systems (figure not reproduced; its label reads "Included in the Security Architecture of the AMI System")

Overview of Business Functions Utilizing AMI Systems

Identifying and describing business functions is crucial for understanding the information exchange requirements within an organization. The various business functions that utilize Advanced Metering Infrastructure (AMI) systems play a significant role in this process.

Figure 10 - Business Functions Utilizing the AMI/Enterprise Bus Interface (figure not reproduced; its labels read "Business Processes Utilizing the AMI/Enterprise Bus Interface" and "Smart Meters, Distribution Automation, and Distributed Energy Resources")

The following sections expand on these Business Functions.

AMI Metering Business Functions

Metering Services

Metering services are essential for accurately reading meters and generating customer bills. These services vary based on customer types, including residential, small commercial, large commercial, small industrial, and large industrial, as well as the corresponding customer tariff.

Traditionally, residential and smaller commercial customers receive monthly meter reading services conducted by meter readers using handheld or mobile tools. These readings capture the current meter index for billing and other purposes. For Time-of-Use (TOU) data, intervals are established for "on-peak" and "off-peak" periods as defined by utility tariffs. In some cases, actual meter readings occur less frequently, leading to estimated bills that are later adjusted.

AMI systems facilitate periodic meter readings that capture interval data, typically on an hourly basis, though they can also record data every 15 or 5 minutes. The data retrieval frequency from the meter can range from every 5 minutes to hourly, daily, or monthly, depending on the system's configuration.

AMI offers significant advantages for periodic meter readings, including enhanced accuracy through reduced estimated readings and precise recording of reading dates and times. Additionally, it provides access to up-to-date meter readings throughout the billing cycle.

On-demand meter reading traditionally involves dispatching a meter reader to the meter site at the requested time. Common reasons for requesting on-demand meter readings include ensuring accurate billing, verifying discrepancies, and monitoring energy usage.

 Billing questions by the customer

AMI systems will permit on-demand reads to take place almost immediately or more precisely at the scheduled date and time.

Net metering allows customers to generate, store, and consume power while accurately measuring the flow of electricity in both directions. This system tracks when net power flows occur, often utilizing Time of Use (TOU) tariffs to optimize energy usage and costs.

An increasing number of commercial and industrial (C&I) customers, along with residential users, are adopting net metering for their photovoltaic systems, wind turbines, combined heat and power (CHP) systems, and other distributed energy resources (DER). As plug-in hybrid electric vehicles (PHEVs) gain popularity, the implementation of net metering is expected to expand further into homes, small businesses, and even parking lots.

AMI systems can facilitate the management of net metering, particularly if pricing becomes more dynamic and/or more fine-grained than currently used for TOU rates.

Utility bills are typically issued based on meter reading schedules rather than customer preferences, which can lead to late payments for those living on the financial edge. Small-scale trials indicate that aligning bill due dates with customers' paychecks significantly decreases late payments, lowers collection costs, and ultimately benefits all customers by reducing overall expenses.

AMI systems provide the flexibility to provide customers with bills when the customers prefer to receive them.

Pre-Paid Metering

Customers seeking lower rates or those with a history of late payments can take advantage of power prepayment options. The implementation of smart metering enhances the delivery of innovative prepayment solutions, offering customers improved visibility of their remaining power hours and allowing prepayment customers to benefit from time-of-use rates.

AMI systems can also trigger notifications when the pre-payment limits are close to being reached and/or have been exceeded.

With the advent of Advanced Metering Infrastructure (AMI) systems, customers utilizing pre-payment tariffs no longer need to rely on utility representatives for information regarding their energy usage or to extend their limits. Instead, they can conveniently monitor their current usage and limits in real time, and may have the option to automatically extend their energy limits online, streamlining the process and enhancing user experience.

Commercial and industrial (C&I) customers may face tariffs that restrict their energy demand, with some rates based on peak demand measured over 15-minute intervals. Additionally, certain customers utilize current limiting equipment to manage and ensure their energy consumption remains within specified limits.

AMI systems can provide the customer with the information necessary to manage their demand limits more precisely and effectively.

Revenue Protection

Non-technical losses, often referred to as power theft, represent a persistent challenge for utilities and some customers. Traditional meters allow meter readers to identify visible signs of tampering, like broken seals or incorrectly installed meters. Additionally, data analysis can reveal less obvious tampering through indicators such as unusually low usage patterns.

AMI systems enable smart meters to promptly generate "tampering" alerts triggered by various sensors and routines. These alerts can be activated by actions such as meter removal, tilting, or unauthorized access attempts, as smart meters are designed to prevent upside-down installation.

Anomalous meter readings can initiate warning events that warrant immediate investigation to ascertain their legitimacy, such as verifying if individuals are on vacation or if a factory has halted an assembly line. Additionally, these readings may indicate potential tampering, including alterations to the wiring around the meter.

Recent incidents of power theft have been reported, involving the bypassing of meters during the interval between scheduled readings. Advanced Metering Infrastructure (AMI) systems enable real-time verification of meter statuses throughout the reading cycle, enhancing monitoring and reducing unauthorized power usage.

Power theft can occur when a certified meter is replaced with a "slow run" meter. However, Advanced Metering Infrastructure (AMI) systems equipped with smart meters ensure that each meter is registered with a unique identity, making it nearly impossible to tamper with them without leaving clear evidence of such tampering.

Remote Connect / Disconnect

B.3.4.1 Remote Connect for Move-In

A customer can request to activate electric service at a location where the meter is currently disconnected. This request can be made for immediate connection or scheduled for a specific date and time.

Traditionally, utility companies dispatched a metering service technician to connect meters. However, with the implementation of Advanced Metering Infrastructure (AMI), this process can now be conducted remotely by operating the remote connect/disconnect (RCD) switch, typically using the following steps:

 At the appropriate date and time, read the meter to get the latest reading and to verify that the meter is functional.

 Determine there is no backfeed current detected by the meter

 Issue the connect command to the meter

 Verify that the meter is connected

B.3.4.2 Remote Connect for Reinstatement on Payment

To reconnect a customer's meter after disconnection due to non-payment or an agreed-upon arrangement, the remote connect/disconnect (RCD) switch must be closed, following the same procedure used for a move-in.

B.3.4.3 Remote Disconnect for Move-Out

Traditionally, move-outs involve a special meter reading known as a "soft" disconnect, which occurs around the time of the move-out. However, since the power remains connected, this method can result in unauthorized power usage between the move-out and the subsequent move-in.

With an AMI system, a move-out can have a “hard” disconnect that opens the RCD switch, typically using the following steps:

 Verify that the meter can be disconnected remotely

 Issue the disconnect command at the appropriate date and time

 Verify that the meter is disconnected

 Read the meter for the final billing

In conjunction with the next meter reading during a move-in connection, any delta between the readings can be detected as a possible tampering or illegal usage of power.
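The move-in connect procedure (B.3.4.1), the move-out hard disconnect (B.3.4.3) and the move-in delta check above, modelled as an added example that is not part of this document. The control-message format, the per-meter shared key, the freshness window and the delta tolerance are assumptions; the message checks correspond to the Utility model's connect/disconnect security objectives (no fake senders, no manipulated or replayed messages, a historical record of each event).

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed, not from the document: a symmetric key provisioned per meter at
# installation, a freshness window for control messages, and a tolerance for
# the move-out/move-in reading comparison.
FRESHNESS_WINDOW_S = 300
MOVE_IN_DELTA_TOLERANCE_KWH = 0.1


@dataclass
class Meter:
    """Toy model of a smart meter with a remote connect/disconnect (RCD) switch."""
    meter_id: str
    reading_kwh: float
    connected: bool
    backfeed_amps: float = 0.0   # current flowing from the premises toward the grid
    rcd_capable: bool = True     # False models a switch that cannot be operated remotely
    functional: bool = True

    def operate(self, action: str) -> bool:
        """Drive the RCD switch and report the resulting state (the 'verify' step)."""
        if self.rcd_capable:
            self.connected = action == "connect"
        return self.connected


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_message(meter_id: str, action: str, nonce: str, ts: int, key: bytes) -> dict:
    """Sender side: an HMAC-authenticated control message (constructed format)."""
    body = {"meter_id": meter_id, "action": action, "nonce": nonce, "ts": ts}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class HeadEnd:
    """Utility head-end: validates control messages, runs the RCD steps, keeps an audit log."""

    def __init__(self, meters: dict, keys: dict):
        self.meters = meters       # meter_id -> Meter
        self.keys = keys           # meter_id -> shared key
        self.audit = []            # append-only record of every decision (non-repudiation)
        self.seen_nonces = set()   # replay protection
        self.final_reads = {}      # meter_id -> reading captured at hard disconnect

    def _log(self, meter_id, action, outcome, reason=""):
        self.audit.append({"meter_id": meter_id, "action": action, "outcome": outcome, "reason": reason})
        return outcome == "ok"

    def _verify(self, msg: dict, now: int) -> str:
        """Return '' if the message is genuine and fresh, else the rejection reason."""
        meter_id = msg.get("meter_id")
        if meter_id not in self.keys:
            return "unknown meter"
        unsigned = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.keys[meter_id], _canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return "bad MAC: fake sender or manipulated message"
        if abs(now - msg["ts"]) > FRESHNESS_WINDOW_S:
            return "stale message"
        if msg["nonce"] in self.seen_nonces:
            return "replayed message"
        self.seen_nonces.add(msg["nonce"])
        return ""

    def connect(self, msg: dict, now: int) -> bool:
        """B.3.4.1 move-in: check the meter is functional, check backfeed, issue connect, verify."""
        reason = self._verify(msg, now) or ("" if msg["action"] == "connect" else "wrong action")
        if reason:
            return self._log(msg.get("meter_id"), "connect", "rejected", reason)
        m = self.meters[msg["meter_id"]]
        if not m.functional:
            return self._log(m.meter_id, "connect", "failed", "meter not functional")
        if m.backfeed_amps > 0:
            return self._log(m.meter_id, "connect", "failed", "backfeed detected")
        if not m.operate("connect"):
            return self._log(m.meter_id, "connect", "failed", "switch did not close")
        return self._log(m.meter_id, "connect", "ok", f"reading={m.reading_kwh}")

    def disconnect(self, msg: dict, now: int) -> bool:
        """B.3.4.3 move-out: verify remote capability, issue disconnect, verify, final read."""
        reason = self._verify(msg, now) or ("" if msg["action"] == "disconnect" else "wrong action")
        if reason:
            return self._log(msg.get("meter_id"), "disconnect", "rejected", reason)
        m = self.meters[msg["meter_id"]]
        if not m.rcd_capable:
            return self._log(m.meter_id, "disconnect", "failed", "not remotely switchable")
        if m.operate("disconnect"):
            return self._log(m.meter_id, "disconnect", "failed", "switch did not open")
        self.final_reads[m.meter_id] = m.reading_kwh
        return self._log(m.meter_id, "disconnect", "ok", f"final_reading={m.reading_kwh}")

    def move_in_delta_suspicious(self, meter_id: str):
        """Compare the move-in reading with the final read at disconnect; None if no record."""
        final = self.final_reads.get(meter_id)
        if final is None:
            return None
        return self.meters[meter_id].reading_kwh - final > MOVE_IN_DELTA_TOLERANCE_KWH
```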

B.3.4.4 Remote Disconnect for Non-Payment

The high cost of collections is often overshadowed by the even greater expense of disconnecting a customer, which includes lost revenue and the need for two separate trips to the location—one to turn off the power and another to restore it. Although remote disconnects remain costly, they provide a more affordable way to shut off power. Once customers realize that disconnections can be executed immediately, the overall costs associated with collections tend to decrease.

B.3.4.5 Remote Disconnect for Emergency Load Control

Customers may qualify for special rates by agreeing to temporarily suspend their electric service to support emergency load shedding efforts. This initiative serves as an alternative to extensive rolling blackouts and circuit-level interruptions. Participants in this program may experience power cuts during critical periods.

Selective black-outs help to decrease overall power demands on the grid while ensuring that essential services, such as traffic lights and medical facilities, continue to receive electricity.

Unsolicited connect/disconnect events can be caused by a number of activities, covered in the following Business Functions:

 Meter manually switched off by utility employee, including both valid and invalid switching

 Meter manually switched off by unknown party, including both valid and invalid switching

 Software/hardware failure switches meter off/on (also includes unauthorized command causing switch)

 Miscellaneous event causes meter to switch off/on

 Meter manually switched on by utility employee, including both valid and invalid switching

 Meter manually switched on by unknown party, including both valid and invalid switching

Meter Maintenance

Ensuring accurate customer grid connectivity is crucial, as many utilities currently lack essential phase and circuit information for single-phase connections. Incomplete or incorrect data can hinder effective engineering studies and data analysis. Validation of this information is vital for improving the accuracy and reliability of utility assessments.

Many asset databases currently contain meters that are inaccurately represented, often miles or kilometers away from their actual physical locations. Utilizing GPS or other geo-location techniques during meter installation can ensure precise information regarding the meter's true location. Accurate meter location is essential for effective asset management and operational efficiency.

An accidental change in the database is a potential issue that can be flagged for resolution. Knowing the exact location of the circuit allows for the identification and elimination of long-term problems within electric, gas, and water networks.

Battery management is a concern introduced by smart meters: without them there would be no need for such oversight. In operational settings, these meters communicate frequently, which can deplete batteries more quickly. Therefore, robust battery management is crucial to avoid escalating maintenance costs. Additionally, integrating remote battery monitoring into regular communications can improve battery replacement planning and extend battery life.

Distribution Operations Business Functions

Distribution Automation (DA)

B.4.1.1 DA Equipment Monitoring and Control

Utilities are increasingly considering the implementation of Advanced Metering Infrastructure (AMI) systems for enhanced distribution automation. This approach allows for direct monitoring and sophisticated control of capacitor banks and voltage regulators on feeders, moving away from traditional local actions based on time, current, or voltage levels. Additionally, some utilities aim to extend monitoring and control capabilities to automated switches and fault indicators, provided the AMI network can remain operational during grid power outages, potentially supported by battery backup for critical nodes.

B.4.1.2 Use of Smart Meters for Power System Information

Enhancing the distribution network with additional sensors enables the implementation of distribution SCADA systems. By deploying smart meters and establishing a near real-time communication network, utilities can select specific smart meters as bellwether devices to facilitate SCADA-like capabilities. Furthermore, some utilities are replacing traditional Remote Terminal Units (RTUs) with smart meters, thereby extending their existing SCADA systems deeper into the grid.

As disruptions to the distribution grid increase, continuous monitoring of its integrity is essential. Smart meters provide regular updates, acting as a "heartbeat" for the entire system, ensuring its security and functionality. This technology helps confirm that the grid remains intact and is not compromised by vandalism or theft.

In the past, devices could easily handle overloads, operating at two to three times their rated capacity for extended periods. However, modern devices are designed to function much closer to their rated limits, making prolonged overloads detrimental to their performance. By implementing load monitoring and utilizing direct load control or disconnect switches, it is possible to manage device loads effectively, ensuring they remain operational until they can be replaced or upgraded. This approach also applies to other physical assets that may be de-rated, helping to maintain functionality and keep essential services running.

Tag out procedures are designed to ensure that a section of the network is safe for maintenance; however, the rise of true distributed generation introduces the risk of islanding failures, where a line may still be live despite expectations of it being de-energized. Implementing an advanced smart metering system, along with proper connectivity mapping, can help determine if power is still flowing through the lines. As the sales of plug-in hybrids are projected to increase significantly in the coming decade, the absence of adequate protection schemes could exacerbate this issue.

In the event of a fire, the fire department typically disconnects power and utilities from affected buildings, often using a fire axe. However, with the introduction of remote disconnects in utility meters, it is now possible to quickly cut off electricity, gas, and other services, facilitating faster restoration of service after minor issues and swiftly eliminating potential hazards from the structure.

Operators can utilize enhanced power system data obtained from the AMI system to dynamically assess feeder ratings. This capability allows them to determine optimal times to operate feeders beyond their standard ratings and to implement multi-level feeder reconfigurations, ensuring balanced loads and preventing overloads.

Outage Detection and Restoration

Currently, most real-time customer information is obtained through direct communication, as customers call utility companies to report issues like outages However, with the advent of smart meters, future updates will enable utilities to access real-time data about customers and their service status automatically.

Smart metering plays a crucial role in managing both scheduled and unscheduled power outages For scheduled outages, in-home displays can directly inform affected customers about outage times and durations, enhancing security by limiting information access to those impacted This system reduces the need for numerous phone calls to notify customers about maintenance, while connectivity verification allows for precise tracking of outages In cases of unscheduled outages, smart meters can alert customers in advance about power disruptions, enabling them to make alternative arrangements and avoid unexpected surprises upon returning home.

Effective street lighting is essential for ensuring safety and preventing crime, yet the current method of tracking malfunctioning lights relies on inconsistent reporting from civil servants and citizens Implementing Advanced Metering Infrastructure (AMI) systems could provide a more efficient solution for monitoring street lights.

Restoration verification enhances the metering system by reporting the power restored to the meters, a feature integrated into many modern smart meters This functionality includes a timestamp for when power is restored, which can improve IEEE indices for some utilities, as it allows for quicker reporting compared to waiting for crews to finish other tasks Additionally, this feature aids in isolating nested outages, enabling field crews to identify the underlying causes more efficiently before departing the site.

Planned outages should be scheduled during periods of minimal customer impact Currently, we rely on general guidelines for timing these outages; however, with comprehensive data in the future, we can optimize outage scheduling to align with times of lowest power demand This approach will significantly reduce the inconvenience to customers.

To ensure efficient completion of work orders, it's essential to confirm that all affected customers have power and that no outstanding issues remain before the crew departs Utilizing the capability to "ping" every meter in the impacted area helps identify any customers who may not be reporting power restoration, thereby minimizing the need for return trips to address individual customer issues.

B.4.2.7 Calculation of IEEE Outage Indices

Currently, most utilities manually calculate IEEE indices, leading to outdated information due to reliance on field reports and documents that lack a centralized system This absence of comprehensive tracking for outages makes it challenging to accurately assess these indices However, many utilities have become adept at developing indices that closely reflect the experiences of their customers, despite the limitations of the available data.
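The following is an added example, not part of the original document, showing how the meter-reported power-off and power-restored events described above can feed both the restoration check (which meters in a work area still need to be pinged) and an automated calculation of the IEEE 1366 reliability indices SAIFI, SAIDI, CAIDI and MAIFI. The event feed, meter identifiers and timestamps are constructed for the example; the 5-minute momentary/sustained boundary is the IEEE 1366 definition.

```python
"""Outage indices and restoration verification from meter-reported events.

Added example (not the document's own code). Each meter reports a power-off
event and, when service returns, a timestamped power-restored event. From
that feed the code (1) lists meters in a work area that never reported
restoration, so a crew can ping them before leaving, and (2) computes IEEE
1366 indices. IEEE 1366 treats an interruption longer than 5 minutes as
sustained; shorter interruptions are momentary and counted in MAIFI only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

SUSTAINED_THRESHOLD = timedelta(minutes=5)  # IEEE 1366 momentary/sustained boundary


@dataclass
class Interruption:
    meter_id: str
    off_at: datetime
    on_at: Optional[datetime]  # None while no restoration report has arrived

    @property
    def duration(self) -> Optional[timedelta]:
        return None if self.on_at is None else self.on_at - self.off_at

    @property
    def sustained(self) -> bool:
        d = self.duration
        return d is not None and d > SUSTAINED_THRESHOLD


def pair_events(events: List[dict]) -> List[Interruption]:
    """Pair each meter's power-off event with its next power-on event.

    `events` items look like {"meter": id, "kind": "off"|"on", "ts": datetime}.
    Events are processed in time order; a duplicate "off" for a meter already
    out is collapsed, an "on" without a preceding "off" is ignored, and an
    "off" with no following "on" stays open (no restoration report yet).
    """
    open_by_meter: Dict[str, Interruption] = {}
    result: List[Interruption] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        meter = ev["meter"]
        if ev["kind"] == "off":
            if meter not in open_by_meter:
                it = Interruption(meter, ev["ts"], None)
                open_by_meter[meter] = it
                result.append(it)
        elif ev["kind"] == "on" and meter in open_by_meter:
            open_by_meter.pop(meter).on_at = ev["ts"]
    return result


def meters_to_ping(work_area: Set[str], interruptions: List[Interruption]) -> Set[str]:
    """Meters in the work area whose outage has no restoration report yet."""
    return {it.meter_id for it in interruptions
            if it.meter_id in work_area and it.on_at is None}


def reliability_indices(interruptions: List[Interruption], customers_served: int) -> Dict[str, float]:
    """SAIFI, SAIDI (minutes), CAIDI (minutes) and MAIFI per IEEE 1366.

    One meter is treated as one customer. Open interruptions are excluded
    because their duration is not yet known.
    """
    closed = [it for it in interruptions if it.on_at is not None]
    sustained = [it for it in closed if it.sustained]
    momentary = [it for it in closed if not it.sustained]
    saifi = len(sustained) / customers_served
    saidi = sum(it.duration.total_seconds() for it in sustained) / 60 / customers_served
    caidi = saidi / saifi if saifi else 0.0
    maifi = len(momentary) / customers_served
    return {"SAIFI": saifi, "SAIDI": saidi, "CAIDI": caidi, "MAIFI": maifi}


def _ts(hour: int, minute: int) -> datetime:
    return datetime(2008, 6, 1, hour, minute)


# Constructed event feed: four meters lose power at 08:00. M1 is back after
# 2 minutes (momentary), M3 after 30 and M2 after 60 minutes, M4 never reports.
SAMPLE_EVENTS = [
    {"meter": "M1", "kind": "off", "ts": _ts(8, 0)},
    {"meter": "M2", "kind": "off", "ts": _ts(8, 0)},
    {"meter": "M3", "kind": "off", "ts": _ts(8, 0)},
    {"meter": "M4", "kind": "off", "ts": _ts(8, 0)},
    {"meter": "M1", "kind": "on", "ts": _ts(8, 2)},
    {"meter": "M3", "kind": "on", "ts": _ts(8, 30)},
    {"meter": "M2", "kind": "on", "ts": _ts(9, 0)},
]
WORK_AREA = {"M1", "M2", "M3", "M4"}

if __name__ == "__main__":
    ints = pair_events(SAMPLE_EVENTS)
    print("ping before leaving:", sorted(meters_to_ping(WORK_AREA, ints)))
    print(reliability_indices(ints, customers_served=len(WORK_AREA)))
```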

Relying on customer calls to report outages is a common practice that influences call center sizing and staffing. However, implementing smart metering effectively allows utilities to identify outages automatically and proactively notify customers with outage updates and estimated repair times. This advancement can significantly alleviate call center congestion during high outage periods, enhancing overall customer service efficiency.

Load Management

Direct Load Control enables utilities to actively manage customer appliances, such as air conditioners, water heaters, and pool pumps, along with specific commercial and industrial systems like plenum pre-cooling and heat storage management. This system acts as a callable and schedulable resource, effectively serving as an alternative to operational reserves in generation scheduling. Customers appreciate this service, particularly when it operates seamlessly in the background; they simply sign up, permit the installation, and can then forget about it.

AMI systems empower utilities to expand customer participation in direct load control programs by increasing the number of appliances available for involvement. Additionally, these systems enhance near-real-time monitoring of load control outcomes, leading to more effective management of energy resources.

Effective energy management is crucial for various reasons. Demand Side Management (DSM) goes beyond simple tariff-based load reduction by empowering customers to implement equipment that reduces energy load in response to signals sent to their location. Ultimately, customers play a key role in making decisions regarding their energy consumption through demand side management.

By enabling customers to shift their energy usage upon request, and utilizing bottom-up simulation techniques, businesses can effectively collaborate with those capable of adjusting their load to various times throughout the day or week. This load scheduling capability has the potential to significantly influence transmission costs and other capital expenditures.

Effective load reduction, whether for de-rated equipment, planned outages, or managing load growth, requires accurate data on current loads and potential curtailments. In California, this process has often resulted in rolling blackouts due to a lack of precise demand control. Implementing curtailment planning allows for advance notice to affected customers, giving them the opportunity to respond if their contracts permit them to maintain power.

B.4.3.5 Selective Load Management through Home Area Networks

The implementation of home area networks enables utilities to effectively manage grid load, address peak demand, and optimize customer billing. This technology allows for the resolution of generation or transmission issues and can significantly reduce the need for reserve margins and rolling reserves. With appropriate equipment, selective load management can transform into a virtual power plant, serving as a callable and schedulable asset for enhanced energy efficiency.

Power Quality Management

Today, we can monitor power quality indicators such as harmonics, waveforms, and phase angles for select larger customers and locations on the grid. The demand for this monitoring is rising due to the increasing use of large-screen televisions and other consumer electronics that contribute harmonics to the system. New metering technology is incorporating power quality monitoring features directly into the meters, with more advancements anticipated. Although not every household requires power quality monitoring, a significant percentage of deployed meters should ideally include this advanced capability.

Connectivity verification and geo-location information enable the organization of devices into a tree structure that accurately depicts connection points within the grid. By analyzing meter intervals, operators can visualize the load on each asset, such as transformers and conductors. This insight allows for the monitoring of heavily loaded assets and the identification of opportunities to redistribute demand. Additionally, it assists maintenance planners in prioritizing maintenance tasks to enhance grid reliability, aligning with a reliability-centered maintenance program.

Single-phase load imbalances in the distribution grid are a significant yet often overlooked issue, leading to inefficiencies and losses. Despite their impact, these losses are rarely measured, and there has been limited research on the extent of phase imbalance in current grid systems. Early studies indicate that chronic phase imbalances across monitored circuits averaged significantly, highlighting the need for further investigation into this critical aspect of grid performance.

In many instances, correcting a chronic phase imbalance in a circuit operated as single-phase laterals can be challenging; however, if there is sufficient load on the feeder portion, it is possible to rebalance the circuit effectively, potentially eliminating over half of the imbalance.

The lack of adequate instrumentation often hinders the proactive management of load distribution across circuits, leading to reactive measures instead. As automated feeder switches and segmentation devices become increasingly prevalent in the grid, leveraging metering data is essential for enhancing their operational effectiveness. Currently, with information limited to substations, accurately identifying load distribution along the circuit poses challenges for operators when determining optimal segmentation points and activation timing. Consequently, many operators rely on trial and error to navigate these complexities.

Distributed Energy Resource (DER) Management

As the future unfolds, an increasing number of resources will connect to the distribution network, complicating grid operations. Failing to integrate these resources and comprehend their impact will jeopardize grid reliability and efficiency. Addressing distributed resources is now imperative, making it essential to adapt and innovate for a sustainable energy future.

1980 refusing to allow them has passed. The only choice is to either embrace them and manage their impact or ignore them and suffer the consequences.

B.4.5.1 Direct Monitoring and Control of DER

Certain Distributed Energy Resources (DER) at customer locations can be monitored and potentially controlled in near-real-time by utilities or third parties, such as aggregators, through the Advanced Metering Infrastructure (AMI) system, similar to how load control is managed.

B.4.5.2 Shut-Down or Islanding Verification for DER

When outages impact the power grid involving Distributed Energy Resources (DER), these systems must either shut down or isolate themselves to supply only the connected microgrid. Unfortunately, many smaller installations have inadequately installed or maintained shut-down and islanding equipment, resulting in power leakage into the larger grid and posing risks for field crews.

When outages occur, properly installed meters that monitor net power can verify whether islanding happened correctly, enhancing crew safety and enabling utilities to inform customers about necessary maintenance on their Distributed Energy Resource (DER) systems. Often, when islanding fails, additional issues arise that compromise the efficiency of the DER system, resulting in a loss of expected power for the customer.

B.4.5.3 Plug-in Hybrid Vehicle (PHEV) Management

The future impact of plug-in hybrids hinges on their sales and consumer adoption; they could either emerge as significant power sources or fail to make an impact. A key concern is the assumption among planners that these vehicles will function as mobile generation plants, where drivers utilize fuel to charge batteries for peak-time energy use while parked. Conversely, some experts predict that plug-in hybrids may become the largest consumers of electricity in already overstressed downtown grids.

The management of plug-ins and their usage by consumers represents a social experiment, highlighting their capability to draw and store significant amounts of power. An intriguing aspect will be how power companies measure and bill for the megawatt hours consumed or supplied by electric vehicles. The implementation of smart meters, alongside appropriate standards for communication between the vehicles and the meters, could facilitate this process effectively.

B.4.5.4 Net and Gross DER Monitoring

Distributed generation results in two key outputs: the gross output of the device and the net input to the grid after the owner consumes their required energy. These outputs can vary significantly; at times, the device may generate a high amount of power while the owner draws heavily, leading to a negative net result for the grid. Conversely, there are instances when the owner's energy demand is lower than the device's output, even if that output is below the device's design capacity.

Utilities have adopted varying approaches to compensate renewable energy generation owners, with some opting to reward based on gross output and others focusing on net output, potentially incorporating Time-of-Use (TOU) rates. However, for effective utility management and grid reliability, it is essential to understand both the net and gross outputs of renewable energy devices for accurate simulations, load forecasting, and engineering design.

When managing distributed storage systems, determining the optimal times for topping off and discharging storage is crucial. Utilizing timers or phone-based triggers is often recommended. However, a utility's experience with electric thermal storage for winter heating and time-of-use tariffs highlighted the risks; encouraging users to charge at specific times led to equipment failures on the grid due to demand surpassing local supply capabilities. This effort to enhance the grid's load factor inadvertently resulted in demand that exceeded all projections.

Smart metering equipped with home area network capabilities can activate individual storage devices according to the overall load in a given area. This technology helps to smooth out peak demand periods and optimizes the utilization of generation resources, which may fluctuate.

Distributed Energy Resources (DER) are likely to have a high percentage of renewable generation, which often comes with a strong variable component. To mitigate the impact of variable supply, a supply-following tariff could be implemented, potentially reducing the need for fossil fuel-based rolling reserves. However, this approach would require a highly advanced system, featuring ultra-fast forecasting, precise weather information, and near-instant communication with devices in homes and businesses. Although this may seem like a daunting task, the success of real-time broadcasting to millions of devices by cable companies suggests that such a system is feasible.

Smart meters on the right communications network and with the right in-home gateway could provide a piece of this supply-following tariff system.

Many customer sites rely on installed diesel generators to address grid outages. Recently, companies have emerged to manage these resources, focusing on peak power production and bidding small amounts of power into the market. While leveraging these resources is beneficial, the involvement of private companies cannot match the potential effectiveness of utilities collaborating with customers to equip most of this generation with advanced controls and monitoring systems.

Smart metering significantly lowers the costs and complexities associated with managing energy resources, regardless of whether a utility or third parties oversee them. In California, over 2,000 Megawatts of generation capacity are already in place, which is sufficient to eliminate most rolling blackouts, provided these resources are strategically located.

Distribution Planning

As vegetation regrows, momentary outages often rise, posing risks to overhead power lines. Smart metering technology facilitates the collection of momentary outage data, which can be integrated into a GIS system. This integration enables planners to effectively direct vegetation management efforts to the most affected areas. Additionally, in underground systems, early detection of cable and splice failures can prevent complete outages.

B.4.6.2 Regional and Local Load Forecasting

With the capability to extract comprehensive data from the field, we can now accurately predict regional and local energy loads and generation. This information is essential for effectively preparing for energy demands and setting competitive prices for both supply and demand.

B.4.6.3 Simulations of Responses to Pricing and Direct Control Actions

With the enhanced data provided by Advanced Metering Infrastructure (AMI) systems on regional and local electricity loads and generation, it becomes feasible to evaluate customer and power system responses to price-related and direct control actions. This capability to simulate market conditions one or more days ahead will facilitate improved planning, enabling the power system to operate with reduced rolling reserves and ancillary services.

By leveraging a comprehensive load history for specific assets and employing bottom-up forecasting techniques, planners can effectively analyze assets within the connection tree. This proactive approach enables the identification of potential problem areas before they arise, enhancing overall planning and decision-making processes.

Modern design standards for transmission and distribution grids incorporate safety factors, acknowledging that complete data may not always be available. However, the advent of smart meters enhances load and demand data accuracy, enabling designers to move beyond traditional rules of thumb and tailor solutions to meet the actual needs of customers throughout the grid's operational lifespan.

Maintenance often relies on incomplete information, leading to varying levels of service; while maintenance standards aim for optimal planning based on this limited data, the system's reliability remains superior to other services like telecommunications and cable TV. However, the industry faces challenges due to the impending retirement of experienced technicians, which could impact the quality of judgment calls in the field. Enhancing maintenance standards through improved information will ensure that new field workers are consistently directed to the highest priority tasks, ultimately benefiting overall service quality.

Determining the optimal time to rebuild a circuit and the extent of necessary upgrades is crucial for grid efficiency. By utilizing advanced data collection methods, such as recorders deployed over several weeks or months, we can analyze specific locations to identify which sections of the grid require rebuilding and the appropriate level of reinforcement needed. This enhanced data set, combined with improved standards, enables more accurate decision-making for infrastructure improvements.

Equipment replacement often relies on load studies conducted with imperfect data, leading engineering teams to adopt a conservative approach and frequently oversize replacement equipment. However, the implementation of smart metering provides enhanced data, enabling more accurate sizing decisions for equipment replacement.

Work Management

Currently, maintenance decisions are guided by manufacturers' recommendations, models, estimates, and visual inspections, leading to varying levels of maintenance across different utilities. This approach often results in unnecessary maintenance tasks that do not align with reliability-centered maintenance strategies. However, by leveraging smart metering information for asset loading analysis and data analysis, utilities can enhance the accuracy of work dispatching to field crews, ultimately improving system reliability while maintaining the same workload.

Utilities have varying procedures regarding job completion, with some requiring field crews to log their work before packing up, while others prefer them to be ready to leave once the order is fulfilled. Additionally, some utilities ask crews to inspect the area before departing, while others allow customers to report any remaining issues post-visit. The implementation of smart metering technology enables automated job completion logging and paperwork processing as restoration alerts are received, allowing crews to spend more time in the field and reduce administrative tasks.

Today, line workers have limited access to real-time information about the grid's status, relying on power flow measurements, meters, or dispatch calls. However, with the implementation of smart metering and appropriate software configurations, field workers may gain access to near real-time maps displaying customer statuses in their vicinity. This advancement could significantly reduce the need for dispatch communication, allowing workers to efficiently determine their next steps and enhance operational productivity.

Experienced field workers excel at identifying potential root causes of outages in their work areas. By analyzing outage information, they significantly reduce the time needed to locate issues and initiate repair efforts.

B.4.7.4 Reliability Centered Maintenance (RCM) Planning

In today's maintenance strategies, we utilize models to estimate device loading, which informs our reliability-centered maintenance (RCM) plans. By leveraging accurate load monitoring and forecasting, we can schedule preseason maintenance based on system-generated data, ensuring a reliable power supply for users. Although it cannot eliminate all system failures, implementing a well-structured RCM plan can significantly reduce outages caused by non-natural disasters.

Customer Interactions Business Functions

Customer Services

Utilizing near real-time data from smart meters can significantly enhance customer service interactions by enabling representatives to better understand and address customer issues. This technology allows customer service representatives (CSRs) to provide more accurate information and guidance, minimizing the need for extensive questioning or unnecessary truck dispatches. As a result, it effectively reduces both call volume and handling times, leading to improved customer satisfaction.

High bills are the most common customer complaint, often attributed to incorrect meter readings. While meter reading errors do occur, the ability for customer service representatives (CSRs) to verify the current meter reading during the call significantly enhances dispute resolution. This real-time validation allows for immediate recalculation of the bill, reducing the overall time spent on complaints and minimizing future disputes. Although the initial call duration may increase as CSRs guide customers through the verification process, this method has proven effective in decreasing monthly disputes from chronic callers over a span of 3 to 6 months in many utilities.

Customers can receive proactive notifications about issues such as outages or equipment tampering, which can lead to significant improvements in their home safety and energy efficiency. For instance, when a customer reported low voltage, a review revealed a loose wire in their breaker panel, prompting them to hire an electrician who subsequently fixed multiple electrical issues. This illustrates the importance of proactive customer engagement in ensuring safety and optimizing energy consumption. Similarly, a water company identified leaks beyond the meter by analyzing nighttime readings from homes with high water bills, demonstrating the value of thorough monitoring and customer communication.

Several utility companies now offer energy consumption advisory services, enabling customers to report their energy-consuming devices and home details. In exchange, these utilities compare their energy usage to that of similar households and offer insights on which appliances are responsible for high energy consumption.

This advisory provides recommendations for replacements and estimates the payback period based on energy usage, enabling customers to compare their energy consumption with similar users. This comparison has proven effective in encouraging customers to be more mindful of their energy habits.

To make informed decisions about energy and water usage, customers must understand the associated costs. Despite a significant increase in gasoline prices, global consumption has only slightly decreased, indicating that actual usage remains largely unaffected. For most families and many businesses, the costs of electricity, gas, and water often rank low among overall expenses, making it easier to decide on consumption.

Some businesses and a small segment of residential customers are highly motivated to conserve energy due to critical peak pricing and rising utility costs. As energy and water prices consume a larger portion of the average family's income, awareness of these costs will encourage conservation efforts. Customers will increasingly seek specific pricing information, such as the cost of washing a load of laundry, rather than just the price per kilowatt-hour.

Tariffs and Pricing Schemes

Currently, customer profiles are often based on broad classifications that overlook the diverse ways individuals consume power. For instance, a young, educated single male living in an apartment may have significantly lower energy usage compared to a young family in the same building, yet both may pay the same rate per kilowatt-hour. This highlights the need for a more nuanced approach to customer profiling and pricing in the energy sector.

Young males may incur higher utility costs due to lower load factors compared to young families. By utilizing accurate data, utilities can create more effective tariffs and improve segmentation, ultimately leading to fairer power pricing.

In today's regulatory environment, any adjustments to customer charges or the rate base necessitate a formal rate case, often resulting in extensive documentation that can occupy entire rooms. This complexity arises because many issues cannot be addressed in a straightforward manner, requiring expert analysis and detailed submissions.

In the ongoing rate case, testimony from 2218 is essential, as the utility lacks a complete data set to address various questions. Although expert analysis will continue and estimations will be necessary, it is crucial to acknowledge that smart meters generate substantial data that can significantly aid in the rate case proceedings.

Critical peak tariffs are designed to elicit specific responses from customers, but their effectiveness varies across different segments. Some customer groups may experience more significant impacts than others. By leveraging smart meter data, we can gain valuable insights into customer reactions to these tariffs and identify opportunities to refine them, ensuring they align more closely with societal needs.

Cross-subsidization among customers is a recurring concern, where one group, such as young families, may subsidize another, like young males. Regulators seek to understand the extent of this subsidization, recognizing that it is not always detrimental; for instance, long-distance telephone rates historically supported universal access to phone services. With comprehensive data on each customer, discussions about subsidization shift from subjective opinions to concrete evidence, enabling regulators to identify and manage intended subsidies effectively.

Customer segmentation has typically focused on industry, business segment, or customer type, rather than the actual needs and profiles of customers. Regulators have lacked sufficient data to effectively classify customers based on their power consumption patterns and quality needs. However, smart metering technology now offers the necessary data to enable more meaningful and accurate segmentation decisions, allowing utilities to better address customer requirements and power quality issues.

Demand Response

Demand response is a versatile capability that enables customers to adjust their energy consumption based on pricing information for current or future time periods. This adjustment can involve reducing overall load or shifting energy use to lower-priced periods, allowing customers to manage their demand effectively during higher-priced times. Pricing structures can be based on real-time data or fixed tariffs, with operationally-based or fixed prices available. Real-time pricing necessitates automated, computer-based responses, while fixed time-of-use pricing can often be managed manually once customers are informed of the relevant time periods and associated costs.

Sub-functions for demand response, which may or may not involve the AMI system directly, could include:

• Update firmware in HAN device

• Charge/discharge PHEV – storage device

• HAN network attachment verification (e.g., which device belongs to which HAN)

• Third party enrolls customer in program (similar to, but not the same as, the customer enrolling directly)

• Manage in-home DG (e.g., MicroCHP)

• Test operational status of device

Real-time pricing for electricity is increasingly utilized by large customers, enabling them to optimize power usage and significantly reduce energy costs; for instance, one aluminum company achieved over a 70% reduction in power expenses through this approach. The potential for extending real-time pricing to smaller and residential customers is enhanced by smart metering and in-home displays. While many residential customers may find managing their power consumption individually too complex, they may be more inclined to participate if their energy usage is coordinated by an aggregator or energy service provider within a community framework.

B.5.3.2 Time of Use (TOU) Pricing

Time-of-use pricing establishes specific time blocks and seasonal variations, enabling smaller customers with limited capacity to manage their energy consumption to enjoy benefits similar to real-time pricing. This approach is widely recognized as the preferred regulatory strategy globally for addressing global warming.

Real Time Pricing offers greater flexibility compared to Time of Use rates; however, many customers may still find that Time of Use provides them with all the benefits they can effectively utilize or manage.

Critical Peak Pricing enhances Time of Use Pricing by identifying specific days each year when the electric delivery system faces significant stress. On these selected days, peak and sometimes shoulder-peak prices can rise by as much as 10 times the standard rates, aiming to alleviate system strain during high-demand periods.

California currently leads the way in advocating for a tariff program, although many utilities in the state favor an incentive program to promote similar consumer behavior. There are ongoing discussions regarding whether retailers in unregulated markets are required to pass on Critical Peak Pricing to their customers or whether they have the option to provide a flat rate while managing the associated risks of critical peak pricing.

External Parties Business Functions

Gas and Water Metering

In the gas and water sectors, monitoring non-revenue water and detecting leaking gas pipes are crucial. Utilizing pressure transducers on smart meters has effectively identified unexpected pressure drops during minimum night flow assessments in the water industry. Typically, one pressure transducer meter is required for every 500 to 1,000 customers in urban areas.

A water meter disconnect can be triggered by a sudden increase in flow and an unusual, sustained drop in pressure, helping to prevent flooding. However, significant improvements in control software algorithms are necessary to ensure this feature is beneficial, avoiding unintended shutoffs when both the sprinkler system and shower are in use.
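The following is an added example, not part of the original document, of the kind of gating the paragraph above asks for in the disconnect logic: a shutoff is recommended only when flow is far above the household's learned baseline, pressure is abnormally far below it, and both conditions persist for a minimum run of samples. The thresholds, sample interval and the three constructed scenarios (sprinkler plus shower, burst pipe, brief spike) are assumptions of the example, not values from any product or standard.

```python
"""Flood-protection disconnect decision for a water meter with flow and pressure sensing.

Added example (not the document's own code). A "sprinkler plus shower" event
raises flow and dips pressure a little; a burst pipe raises flow AND drops
pressure sharply AND keeps both abnormal. Requiring all three before a
disconnect is recommended is what keeps legitimate concurrent use from
tripping the valve. All numbers below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Reading:
    t_min: int           # minutes since start; one sample per minute in this example
    flow_lpm: float      # litres per minute through the meter
    pressure_kpa: float  # supply pressure at the meter


@dataclass
class Policy:
    flow_factor: float = 3.0          # flow must exceed baseline flow by this factor...
    min_flow_lpm: float = 40.0        # ...and exceed this absolute floor (baseline may be ~0)
    pressure_drop_kpa: float = 120.0  # pressure must sit at least this far below baseline
    persist_samples: int = 10         # both conditions for this many consecutive samples
    baseline_samples: int = 30        # leading samples used to learn normal operation


def baseline(readings: List[Reading], n: int) -> Tuple[float, float]:
    """Median flow and median pressure over the first n samples (robust to brief use)."""
    flows = sorted(r.flow_lpm for r in readings[:n])
    press = sorted(r.pressure_kpa for r in readings[:n])
    return flows[len(flows) // 2], press[len(press) // 2]


def evaluate(readings: List[Reading], policy: Optional[Policy] = None) -> Optional[int]:
    """Return the minute at which a disconnect is recommended, or None if never.

    The recommendation is meant to feed a confirmation step (customer notice,
    operator review), not to actuate the valve by itself.
    """
    policy = policy or Policy()
    base_flow, base_press = baseline(readings, policy.baseline_samples)
    flow_limit = max(base_flow * policy.flow_factor, policy.min_flow_lpm)
    press_limit = base_press - policy.pressure_drop_kpa
    streak = 0
    for r in readings[policy.baseline_samples:]:
        abnormal = r.flow_lpm > flow_limit and r.pressure_kpa < press_limit
        streak = streak + 1 if abnormal else 0  # any normal sample resets the run
        if streak >= policy.persist_samples:
            return r.t_min
    return None


def scenario(name: str) -> List[Reading]:
    """Constructed one-minute samples: 30 minutes of normal use, then one event.

    Normal use here is an idle tap with a short 8 L/min draw every 5 minutes
    at 400 kPa; the event shapes are likewise constructed, not measured.
    """
    readings = [Reading(t, 8.0 if t % 5 == 0 else 0.0, 400.0) for t in range(30)]
    if name == "sprinkler_and_shower":   # high flow, only a modest pressure dip, then normal
        event = [(45.0, 300.0)] * 25 + [(0.0, 400.0)] * 15
    elif name == "burst_pipe":           # high flow and deep pressure drop that persists
        event = [(80.0, 200.0)] * 30
    elif name == "brief_spike":          # looks like a burst but clears after 5 samples
        event = [(80.0, 200.0)] * 5 + [(0.0, 400.0)] * 25
    else:
        raise ValueError(f"unknown scenario {name}")
    readings += [Reading(30 + i, f, p) for i, (f, p) in enumerate(event)]
    return readings


if __name__ == "__main__":
    for name in ("sprinkler_and_shower", "burst_pipe", "brief_spike"):
        print(f"{name}: disconnect recommended at minute {evaluate(scenario(name))}")
```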

Similar to flood prevention, again the software needs to get much better or their needs to be a gas leak sensor in the structure that communicates with the meter.

In a home area network, devices can be connected to specific water taps and gas meters to optimize consumption rates By integrating these devices with thermostats and water heater controls, homeowners can effectively manage resource usage and maintain pressure levels during critical periods.

Third Party Access

B.6.2.1 Third Party Access for Outsourced Utility Functions

Many utilities rely on third-party providers to handle various business functions instead of managing them in-house. In these cases, communication and messaging will be facilitated through the external service providers.

External party access necessitates a shift from internally-driven messaging, leading to fundamentally similar business processes but with differing security requirements. This often entails the need for enhanced authentication measures at each system handoff to ensure robust security.

Some of the business functions provided by third parties could include:

B.6.2.2 Third Party Security Management of HAN Applications

Customers must access their HAN application accounts via a secure web portal to upload device and software security keys. These keys are essential for communication through the AMI network to the meter, enabling HAN devices to provision and connect with the meter effectively.

Future advancements may enable the extraction of security keys from utility meters for secure storage in the utility's database. This capability will facilitate the seamless download of keys back to the meter if it needs to be replaced, thereby eliminating the necessity to reconfigure all Home Area Network (HAN) devices in the household during a meter replacement.

Home appliances typically have a shorter lifespan in residential settings compared to laboratory conditions, primarily due to inadequate maintenance by homeowners and the tendency to overlook minor issues until they escalate into costly repairs. Implementing smart meters plays a crucial role in monitoring appliance performance, even for older models, helping to prevent small problems from becoming significant expenses.

The modern security monitoring industry relies on phone lines and various communication methods to oversee residential safety. By integrating security devices with home area networks and utilizing smart metering systems for alerts and alarms, the cost of home security monitoring could be significantly reduced, making it more accessible for individuals in high-risk areas.

Homeowners can choose to manage their smart devices independently or opt for third-party control. In both scenarios, a smart metering system serves as an effective home area network gateway, facilitating seamless management of these devices.

The rising costs of nursing homes and hospitals have led to an increase in medical equipment installations in homes, particularly for elderly individuals who can live independently with some assistance. Currently, specialized companies primarily monitor this equipment, but such oversight is infrequent. As the demand for home-based medical support grows, utilities may hesitate to take on this responsibility; however, the existing smart metering infrastructure offers a viable solution for authorized third parties to provide the necessary monitoring services.

External Party Information

Regulators must assess utility performance and fairness towards customers, and smart metering plays a crucial role in supplying the necessary data to support these evaluations.

When a utility seeks approval from the regulator for significant capital expenditures, it must provide evidence justifying the necessity of the expense. Similar to other interactions with regulators, the supporting data is usually compiled from sampled data and expert opinions to demonstrate the requirement for the proposed investment. With smart metering, the complete data set is available to support the decisions.

Education

Today, utility customers primarily contact call centers to inquire about their bills, with less than 40% engaging with their utility providers on an annual basis. The predominant reasons for call volume are related to outages and power quality concerns, followed closely by billing issues. For the industry to effectively alter consumer habits and promote reduced energy consumption, it is essential to enhance customer interactions, not only regarding billing and power quality but also focusing on energy usage and appliance efficiency.

AMI systems enhance customer interaction by offering valuable capabilities, provided that customers are well-informed about these features and feel reassured that the systems are not intrusive or overly monitoring.

Utility workers must undergo extensive training to understand their responsibilities within an Advanced Metering Infrastructure (AMI) system, as well as the heightened security and privacy concerns that accompany the broader implementation of these technologies.
