Abstract
When electricity demand peaks, utilities and other electric Independent System Operators (ISOs) keep electric generators on-line in order to meet the high demand. In some cases, new power plants have to be built. This solution increases costs, wastes energy and creates air pollution. To overcome this, many utilities, governments, and others have been developing Demand Response (DR) programs to manage growth in peak electricity demand and to provide more reliable and more economic energy. The primary focus of DR is to provide two-way communications to customers so that the energy-management and control system (EMCS) at the customers’ sites can take action based on the demand for electricity and on electricity prices. As a result, when the grid supply becomes strained or when electricity prices reach a certain point, DR programs are intended to lower energy use, thereby reducing total system costs and electric loads on the grid. DR systems are expected to be eventually utilized by most of California’s residential and commercial energy customers. A breach of the security goals – confidentiality, integrity, availability and accountability – could adversely affect the system and a large number of customers. The impacts range from the reliability of the grid itself to customers’ electric bills and to the loss of customers’ privacy. In some cases, a breach could affect the health and safety of customers. This project discusses the security risks of DR systems, describes information security best practices to mitigate those risks, and identifies potential Research and Development (R&D) issues in DR systems, with the hope of increasing awareness of the security issues in these systems. The results show that although DR systems have a number of potential security risks and vulnerabilities that must be addressed, information security best practices can be used to mitigate some of them. In some situations (e.g., ensuring non-repudiation) where the best practices cannot be directly used, further research will be required to address the security issues, and appropriate R&D issues are identified for those unique cases as well.