
NARUC’s cybersecurity tools help regulators, electric utilities stay vigilant against threats

As cyber threats against critical infrastructure continue to increase, the National Association of Regulatory Utility Commissioners (NARUC) has developed a Cybersecurity Manual to help state public utility commissions and utilities evaluate information and mitigate risk by ensuring that effective cybersecurity practices are in place.

“The threat posed by cybersecurity incidents is very real, and it is essential that regulators have a clear understanding of the work being done by our utilities to safeguard vital systems and address current and future cyber threats,” said Gladys Brown Dutrieuille with the Pennsylvania PUC and chair of the NARUC Critical Infrastructure Committee. “The more our PUCs are educated on these issues, the better we are able to evaluate current issues and target future enhancements.”

Protecting the nation’s grid from cyber and physical attacks and ensuring a reliable supply of energy is a top priority for regulators and the electric utility industry.

In July, James B. Robb, chief executive officer of the North American Electric Reliability Corporation (NERC), testified before the U.S. House Energy and Commerce Subcommittee on Energy on cyber threats to the grid. “To date, there has not been any loss of load in North America that can be attributed to a cyber attack. At the same time, the security landscape is dynamic, requiring constant vigilance and agility,” Robb testified.

NERC collaborates with the Edison Electric Institute’s investor-owned electric company members, the National Institute of Standards and Technology, and the federal government to protect the energy grid from threats.

With the goal of helping PUCs identify cybersecurity gaps and supporting utilities in making improvements, NARUC’s Cybersecurity Manual is made up of five resources, two of which were released in July.

The newest release is a tool called “Understanding Cybersecurity Preparedness: Questions for Utilities,” meant to help PUCs ask utilities questions that give commissions a better understanding of the utilities’ current cybersecurity risk management programs and practices.

The report identifies issues that PUCs should look at before meeting with a utility, provides questions that would be reasonable to ask a utility to create an ongoing conversation about cybersecurity programs, and explains next steps after discussing the issues with a utility.

The first step asks PUCs to take into account staffing, location, and confidentiality, among other considerations, when meeting with a utility because of the sensitive nature of cybersecurity. The second step helps PUCs develop plans for each part of a cybersecurity program, including identifying a risk, protecting a utility, detecting a risk, responding to a risk, and recovering from a risk.

The guide lays out plans for PUCs to meet with utilities after the initial assessment of their cybersecurity risk and programs because NARUC said commissions benefit from regular discussions with utilities about their cybersecurity programs.

The second tool released by NARUC, the “Cybersecurity Preparedness Evaluation Tool (CPET),” helps PUCs examine a utility’s cybersecurity risk management programs and their capability improvements over time.

The CPET looks at best practices in the utility industry and outlines six maturity levels of a utility’s cybersecurity programs. The CPET uses the same five core functions of a cybersecurity plan as the Questions for Utilities report: Identify, Protect, Detect, Respond, and Recover.

The two new tools are meant to be used together to help find any gaps in a utility’s cybersecurity program and to recommend new mitigation strategies.

The other three tools in NARUC’s Cybersecurity Manual are the Cybersecurity Strategy Development Guide, the Cybersecurity Tabletop Exercise Guide, and the Cybersecurity Glossary.

“Together, these tools will help state commissioners evaluate utility cyber preparedness more quickly and effectively. As regulators, we must assess utilities’ decisions to invest in risk-management tools and other protections for business and customer information, but we are not cybersecurity experts,” said commissioner Ann Rendahl, Washington Utilities and Transportation Commission. “CPET will help us dive into risk-management and cybersecurity topics without each commission reinventing the wheel.”

Jaclyn Brandt
