DERTF: Process for Sharing MDMA Information (MSC-2019-2) (20240111)

Cybersecurity care must be taken when a distribution utility serves as a meter data management agent (MDMA) for distributed energy resource aggregators (DERAs). The Illinois Commerce Commission (ICC) staff recognizes the importance of protecting the privacy of consumer data and personally identifiable information, as well as the need to protect the system from any cyber security threats. More detailed comments from the Illinois Commerce Commission on MISO’s Order 2222 filing is found in the Comments of the Illinois Commerce Commission[1] .  MISO must include cybersecurity standards due to the likely increase in data transmission between meter data management agents (MDMA), MISO and DERAs. Following a national or international standard similar to the National Institutes for Science and Technology Cybersecurity Framework (NIST CSF), the International Organization for Standards and International Electrotechnical Commission 27000 series (ISO/IEC 27000),   or the forthcoming publication from a National Association of Regulatory Utility Commissioners (NARUC) project, funded by the Department of Energy (DOE), to develop Cybersecurity Baselines for Electric Distribution Utilities and Distributed Energy Resources (DER), should be required in order to ensure that the confidentiality, integrity and availability of the data are ensured throughout the life cycle of the transactions.

               Although MISO holds that aggregated distributed energy resources DERs would follow the same cybersecurity standards prescribed by Relevant Electric Retail Regulatory Authorities (RERRAs), the majority of RERRAs do not have substantive cybersecurity requirements. MISO should coordinate with RERRAs on implementing at minimum, the Cybersecurity Performance Goals promulgated by the Cybersecurity and Infrastructure Security Agency (CISA) or the forthcoming guidelines from a NARUC project, funded by the Department of Energy, to develop Cybersecurity Baselines for Electric Distribution Utilities and Distributed Energy Resources (DER). This would be a good first step toward the goal of ensuring a secure data transmission between entities.[2] MISO should also continue investigating the Collaborative Utility Solutions (CUS) DER Registry, which is a centralized and secure way to share DER information. It is possible that CUS’s DER Registry could meet concerns over data privacy while also easing data sharing and communication requirements.   

[1] Comments of the Illinois Commerce Commission, Docket No. ER22-1640-000, filed June 6, 2022, Accession No. 20220606-5116

[2] This feedback response is limited in scope and is for discussion purposes only.  Any lack of response to other issues or feedback requests should not be interpreted as an indication of support or opposition to any other particular issue or position.

WPPI offers the following feedback re the sharing of meter data and the distribution utility as Meter Data Management Agent as discussed at the DERTF on 1/11/2024, Item 04a Meter Data Management Agent:

• (1) s. 3, “MISO will add attestation language in current MDMA document stating the MP [Market Participant] is in compliance with all privacy and cybersecurity requirements of the applicable RERRA.”
  • (a.) This seems to presume the meter data for the Distributed Energy Aggregated Resource are from distribution utility meter(s). If an Aggregator uses their own meter(s), it seems RERRA requirements would not be applicable and “relevant” should be added: “…all RELEVANT privacy and cybersecurity…”
  • (b.) The attestation needs to be in a document that applies to the Aggregator even if they are their own MDMA. It’s not clear to WPPI what the “current MDMA document” is; so, we’re not sure that’s the right place for the proposed attestation.
• (2) s. 4, proposed addition to BPM-001: “A DERA may designate its distribution utility as the MDMA as long as the distribution utility has agreed to serve as the MDMA.”
  • Suggest change “its” to “a.” As “its distribution utility” seems more applicable to a Distributed Energy Resource than the Aggregator (DERA).
• (3) Questions included in this feedback request, “What are the current processes in place today for sharing of information between distribution utilities and Relevant Electric Retail Regulatory Authorities (RERRAs)?” and “How are concerns on data privacy, cybersecurity, costs, and burdens addressed between distribution utilities and RERRAs?”
  • (a.) When WPPI provides retail customer meter data to a RERRA, we provide customer identifying information confidentially. Other than to the RERRA, WPPI would expect to provide meter data that includes the identity of a retail customer only with the permission of the retail customer. (To date, WPPI has not provided telemetry data to a RERRA.)
  • (b.) To date, when we provide retail customer meter data to a RERRA, we do not encrypt it.
  • (c.) We expect costs and burdens of using the distribution utility’s meter and/or the distribution utility as the MDMA to inform the Aggregator’s meter and MDMA choices.

Memorandum

The Entergy Operating Companies ("EOCs")^[1] appreciate the opportunity to provide feedback on MISO’s process of sharing MDMA information. The EOCs comments below relate to the current processes in place for sharing of information between distribution utilities and RERRAs along with comments and concerns on Data privacy, cybersecurity, and costs and burdens.

As a general matter, we note that any data exchange concerns applicable to the MDMA function would also apply to DER-related data generally, and discussions relating to these concerns should not be limited to the MDMA function, but should be considered more globally.

What are the current processes in place today for sharing of information between distribution utilities and RERRAs? 

Data privacy and protection concerns relating to information requested by RERRAs are addressed by Entergy’s overall Regulatory Legal Services process for responding to data and other information requests (RFIs) issued in retail regulatory proceedings either initiated by the RERRA or by the Utility or ongoing dockets like filing riders, formula rate plans, reporting on Retail Programs established by RERRAs, etc. This policy sets forth the standards for safeguarding different kinds of data relevant to Entergy, particularly customer data. It encompasses all forms of information – whether written, spoken, or electronic. . We invite MISO to discuss with our SMEs directly to answer specific questions on specific data streams or consider creating a stakeholder survey to gather more specific information.  

Regarding data exchange practices relating to MDMA functions and services, the EOCs currently have processes in place to validate meters and meter data, and use the established MDMA agreement as a basis of operations to conduct business. Without knowing the level of interest in becoming a DERA, there remains a high degree of uncertainty around what the future processes would be for metering validation. 

How are concerns on data privacy, cybersecurity, costs, and burdens addressed between distribution utilities and RERRAs?  

Entergy’s concerns about data privacy, cybersecurity, cost, and burdens in the relationship between distribution utilities and electric retail regulatory authorities can be summarized as follows:  

1. Data Privacy: The Entergy Operating Companies (EOCs) primary concern is always ensuring customer data protection and confidentiality. Entergy has clear guidelines and protocols on how customer and other sensitive data is handled and shared between utilities and regulatory bodies.
2. Cybersecurity: The growing threat of global/industry cyber-attacks necessitates robust cybersecurity measures, particularly in light of the anticipated increase in data to be exchanged as the distribution grid becomes more “intelligent”. This involves developing and implementing stringent security protocols to safeguard the grid and data infrastructure from potential breaches. The EOCs are continuously working with our internal data security department to ensure we protect our infrastructure against these threats, and in turn, they stay abreast of evolving threats and data breach risk mitigation practices.
3. Cost: Managing the financial implications, including the allocation of costs related to data management, cybersecurity, and compliance with regulations, is crucial, while understanding how the magnitude of data exchanged will evolve is not clear, creating challenges for planning for this future. Both utilities and regulatory authorities need to address who will bear these costs and how they impact ratepayers. With respect to the question posed, Entergy anticipates that costs relating to the handling of distribution-side market data will increase due to the need for additional staff to handle the expanded role of being the MDMA not only for the current group of assets, but also for the projected growth of renewable generation in the future and the related growth in DEARs and DERAs. In addition, we will have to develop more formalized internal processes and software to handle the growth needs in this new DER environment.
4. Burdens: Should the level of interest lead to a significant number of DERAs entering the market and operating as a Market Participant and subsequently requiring MDMA services/submissions, this could lead to a significant challenge on current MDMA providers.  Additional specific concerns would include: 

• • Many smaller BTM/distribution level facilities provide single source metering 
  • Single source metering does not allow for timely data validation processes  
  • Single source metering presents challenges when data streams become compromised 
  • Challenges related to data acquisition from retail level metering in a timely  efficient manner 
  • Will DERAs be required to install/maintain metering capable of providing multiple data sources to facilitate data validation processes 
  • Network and Commercial modeling/registration requires time and resources

In summary, addressing these concerns requires a collaborative approach between distribution utilities and regulatory authorities, focusing on developing comprehensive, clear policies and frameworks that cover privacy, security, cost allocation, and manageability. 

[1] The Entergy Operating Companies are Entergy Arkansas, LLC, Entergy Louisiana, LLC, Entergy Mississippi, LLC, Entergy New Orleans, LLC, and Entergy Texas, Inc.

The OMS Distributed Energy Resources Work Group (DERWG) provides this feedback to MISO on the Process for sharing MDMA information (MSC-2019-2). This feedback is from an OMS work group and does not represent a position of the OMS Board of Directors.

Currently, the majority of RERRA-EDC information exchange across the footprint is not automated. When RERRA representatives require information from their EDCs, these requests are typically transmitted via email and kept confidential in-house. Data privacy and cybersecurity concerns are typically governed by each individual utility’s policy (subject to applicable RERRA regulations).

Since investments in software related to information or data sharing systems need to be weighed against the needs of the ratepayer, most states have not approved this added expense for their utilities at this time. Given that there is a significant time burden to utilities and state regulators under current Demand Response aggregation processes, there may be an opportunity to pursue a more streamlined and secure system that is also cost effective.

The following example illustrates the Michigan PSC's current processes:

The Michigan PSC relies on a manual process to access distribution utility information. Data requests are managed through an email to EDC representatives, who reply with the necessary information, typically as an Excel file. Any customer data is kept strictly confidential. In a more formal setting, data is able to be posted to MPSC dockets (either publicly or filed under confidential seal). Each utility typically has its own customer data privacy policy (subject to RERRA regulations) that details the who, what, where, and why of data access. Generally, aggregate-level information is able to be shared, but customer-specific information cannot be released without customer consent. This holds true for any information shared with regards to DR aggregation today, which is also a manual process involving MISO emailing Excel spreadsheets.

In the context of Order 2222, the OMS DERWG foresees a need for an automated, secure, and accessible centralized information and data-sharing platform. The OMS DERWG formally requests that MISO pursue such a platform to address existing information and data-exchange issues within the context of DR aggregation and registration, which are expected to increase under DER aggregation. Using the current DR registration process as an example, manually sharing Excel spreadsheets is no longer an acceptable option. This process creates data privacy and cybersecurity risks as well as increases the workload on the RTO, EDC, aggregator, and RERRA alike. A secure, automated, and easy-to-use platform would ease the regulatory burden on each of these entities while respecting customer data privacy and security.

The OMS DERWG also notes that solutions to this problem already exist today, namely the Collaborative Utility Solutions (CUS) DER Registry. Utilizing such a preexisting platform has the potential to save ratepayers time and money because the DER Registry could be swiftly adopted to handle all of the data and information streams envisioned by FERC under Order 2222 with minimal effort on behalf of MISO and EDCs. The alternative is that each utility (and MISO) would need to build its own automated data-sharing platform, paid for by its ratepayers, to be able to handle greater levels of DER aggregation. The OMS DERWG asks MISO to examine the pros and cons of using the CUS DER Registry and present its findings at an upcoming DERTF meeting and/or stakeholder workshop. The time to make this decision is now, before further investment is made in other types of retail and wholesale platforms. 

Duke appreciates the opportunity to submit feedback on the following request:

In the January 11, 2024, meeting of the Distributed Energy Resources Task Force (DERTF) stakeholders were invited to review and submit feedback on the Process for Sharing MDMA Information (MSC-2019-2).

• What are the current processes in place today for sharing of information between distribution utilities and Relevant Electric Retail Regulatory Authorities (RERRAs)?
• Duke Response: EDI is used to share distribution/retail level data with others today.   

• How are concerns on data privacy, cybersecurity, costs, and burdens addressed between distribution utilities and RERRAs?
  • Duke Response:
    • Electronic/Signed permission forms/templates are used for the authorization of sharing confidential customer data between the utility and retail inquiries today. 
    • Costs and burdens are shared via rate riders and/or contractual O&M agreements between distribution utilities and retail providers today.   

Xcel Energy appreciates the opportunity to provide feedback regarding the Process for Sharing MDMA Information as presented at the DERTF on 1/11/24.

The sharing of information between the LSEs, EDCs, RERRAs, DERAs and MISO needs to incorporate a standardized protocol and process across all MISO states that moves beyond emailing information between parties.  We agree with FERC that MISO should coordinate with the distribution utilities and RERRAs to establish protocols and processes for the sharing of metering and telemetry data.  Electronic Data Interchange or "EDI" may be a potential solution as it uses standardized protocols to securely exchange information from computer to computer.   Illinois uses EDI for transferring retail choice information between parties and we believe that many utilities already utilize EDI functionality.  Another option may be the Customer Data Access (“CDA”) initiative in California to develop a platform to provide authorized and secure energy data access to customers and customer-authorized / registered  third parties.  The CDA project was in direct response to the California PUC Decision 11-07-056 Rules for Data Privacy and Security. 

In addition, we agree with MISO's clarification in the BPMs that a DERA can designate the EDC as the MDMA but recommend that the attestation language in the MDMA document incorporate additional language stating that the MP is in compliance with the EDC MDMA requirements.

MISO DERTF – MDMA Feedback Request

COMMENTS OF COLLABORATIVE UTILITY SOLUTIONS

Collaborative Utility Solutions (“CUS”) thanks MISO for the opportunity to provide comments regarding MDMA solutions to support DER enablement as part of the FERC 2222 implementation process.  CUS is a non-profit entity formed to address key needs common to the electric industry in a manner that will save the entire industry significant costs while rapidly advancing the enablement of distributed energy resources (DERs) for grid and market purposes. CUS’s goal is to develop and support those industry processes and systems that can be collaborative and shared from utility to utility or market to market and, therefore, implemented at a dramatically reduced cost to create a much more efficient shared ecosystem of use by all the stakeholders in the energy value chain. CUS’s objective is to partner with electric industry stakeholders and find the opportunities to collaborate and provide effective tools that can be used by everyone. Our initial focus is to provide a pre-competitive collaborative DER Registry for the industry to enable DERs to more efficiently and effectively support and interact with the grid and markets.

MDMA represents another significant collaboration opportunity for our electric industry moving forward.  CUS would like to make MISO aware of the MDMA solution from the Ontario ISO.  Per the diagram, the province of Ontario has implemented MDMA so that the utilities create/operated/maintain the meter infrastructure, but all utility head end systems push their data to a centralized data repository.  This repository has consistent structures and policies, like EM&V for all utility data.  This repository is utilized for everything from real-time operations and billing to premise validation for consideration for a program.  It has created significant efficiencies for meter data management and use. 

As FERC Order 2222 continues to move forward, the ISOs are going to require access to meter data for a variety of purposes to support market products and settlement.  As such, this collaborative approach could save all utilities, states, and ISOs millions of dollars if we begin the process of creating “Central Meter Authorities”.  For the U.S., and for ISOs that cover multiple states, it is likely that each state would desire to have their own common authority as this is retail data.  If this is the case, it would limit any ISOs ‘data interface’ requirement to a handful of communication points versus hundreds.  This would also be the time to mandate Common Information Model (CIM) inspired data exchange to eliminate all further software interface costs and, instead, have fully implemented data layer exchange through know CIM structures. 

It is clear that this is a significant effort in any state or ISO, fraught with the challenges of data ownership, security and privacy that many will utilize to create arguments against this type of collaborative solution.  However, all of these issues have been effectively addressed by the vendors in this market space and should not be deciding factors in this discussion.  FERC Order 2222 is an opportunity to significantly lower the cost burden to consumers through collaborative solutions that can also serve to further enable the effective use of DERs in the future.  We hope that MISO and its member utilities and state commissions can create a constructive dialogue on the potential of this type of solution going forward.  We would also offer to coordinate with the Ontario ISO for a presentation to DERTF on this solution and their lessons learned over the past decade.

Respectfully submitted,

__________________________________

Chris Hickman

Chief Executive Officer

Collaborative Utility Solutions

8404 Lakewood Ridge Cove

Austin, TX 78738

Telephone: (970) 237-0990

Chris.Hickman@cusln.org