Experts offer utility regulators advice on how to protect grid from cyber, other threats
SCOTTSDALE, Ariz. — Regulators must take a holistic view of safety and security to effectively protect the increasingly complex power grid, a panelist said at a session held this week here at the National Association of Regulatory Utility Commissioners (NARUC) Summer Policy Summit.
“I like to think of things in terms of all hazards,” Scott Aaronson, vice president of security and preparedness at the Edison Electric Institute (EEI), said. “How do we approach this holistically? What are the things we can be doing that can make us better prepared for all of these threats?”
While the growth of “smarter” technologies designed to improve energy efficiency as well as the expansion of distributed energy resources connected to the grid serve to strengthen reliability, they also open up the grid to potential disruptions from cyber attacks.
While cyber security is important, Aaronson noted, there are also many other threats to the grid, including extreme storms, physical attacks and others.
He also encouraged regulators and utilities to look across sectors and establish partnerships to facilitate information sharing and other forms of cooperation. This is crucial because various sectors are connected. Because the electric industry relies on the water industry for cooling, for example, it is possible to indirectly impact the electric grid by attacking water infrastructure.
The electric sector also depends on the telecommunications sector to operate both under typical conditions and in emergency circumstances. Aaronson suggested using as inspiration the PACE model used by the military for creating communications plans. PACE stands for primary, alternate, contingency and emergency means of communications. Utilities, he advised, need to invest in all four parts of the plan.
“Resilience investments: it’s not about protecting everything all the time,” Aaronson said. “It is about doing that and having a reliable system but also planning for the worst.”
Cameron Brooks, CEO of E9 Insights, which tracks regulatory proceedings related to clean and distributed energy at state public utility commissions, noted cybersecurity is a relatively new topic for commissioners, which can create challenges.
“Cybersecurity is really new terrain for most commissions and commissioners, and I think that’s largely because the technology has advanced both in its capabilities and its complexity but also in just its functionality and how its changing operations on the grid,” Brooks said.
Brooks also discussed a recent report conducted by E9 in collaboration with EnergySec that examined public utility commissions’ actions related to cybersecurity across the United States. Most actions, the report found, appeared in the context of broader proceedings, rather than proceedings specific to cybersecurity.
Brooks also highlighted four areas that commissions should be focusing on: providing guidance for cost recovery of utilities’ cybersecurity expenses, ensuring that they have people with cyber knowledge on their staff, facilitating coordination among state agencies, and supporting transparency regarding threats and strategies for addressing those threats.
