Utility Regulators Advance Cybersecurity Baselines
U.S. electricity providers now have cybersecurity guidelines to follow. The National Association of Regulatory Utility Commissioners (NARUC), in partnership with the Department of Energy, provided a set of cybersecurity baselines for electric, water and telecommunication providers. The guidelines cover a variety of cybersecurity measures, such as asset inventory preparation, cyber leadership within the companies, mitigating known vulnerabilities, third-party validation of cybersecurity control effectiveness and supply chain incident reporting.
NARUC, a national organization based in Washington, D.C., is host to the state public utility commissions and agencies that regulate telecommunications, energy and water utilities. The association, which also represents the interests of utility commissions before the three branches of the federal government, released the cybersecurity guidelines as part of its biannual meetings held in February.
The baselines are also for distributed energy resources companies, a new set of energy providers that have more dispersed microgeneration facilities designed to bring in nontraditional energy sources and meet power demand more locally.
“The National Cybersecurity Strategy, issued in 2023, directed the U.S. Department of Energy (DOE) to ‘promote cybersecurity for electric distribution and distributed energy resources in partnership with industry, states, federal regulators, Congress, and other agencies,’” NARUC explained in the baseline document. “This NARUC/Department of Energy initiative complements industry and government efforts by providing cybersecurity baselines, tailored for electric distribution systems and the distributed energy resource companies that connect to them, creating a common starting point for cyber risk reduction activities.”
NARUC created the guidelines based on the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency’s Cybersecurity Performance Goals, which are risk-based and tailored to different industry sectors.
At the federal level, it is the responsibility of the Federal Energy Regulatory Commission to regulate wholesale power production. The commission enforces cybersecurity compliance to maintain U.S. national grid reliability, mandating cyber measures for companies providing power to the grid. Meanwhile, at the state level, state governments and legislators hold utility regulatory authorities, with each state’s public utility commission responsible for regulating the individual utility company rates and practices.
As such, each state’s cybersecurity regulations differ and can range from no cyber measures in place to some legislated cybersecurity measures—depending on the effectiveness of the state legislators. Utility companies also differ in their level of cybersecurity. Many have robust cybersecurity practices.
While the NARUC guidelines are voluntary, they are meant to provide consistency in the face of the widely varying cybersecurity regulations. NARUC also arms state regulators and their staffs with cybersecurity training and resources to broaden their knowledge as they regulate public utility practices and cybersecurity.
“These baselines, coupled with the forthcoming implementation guidance, are intended to be a resource for state Public Utility Commissions, electric distribution utilities, and distributed energy resource operators and aggregators,” NARUC explained. “They encourage alignment across states that choose to adopt the baselines to mitigate cybersecurity risk and enhance grid security.”
Cybersecurity expert Jason Keirstead, vice president of collective threat defense at CyWare, sees the baselines as an important resource for the different regulatory authority bodies that exist across the states, especially as they handle distributed energy resource companies. “Because these smaller utilities are set up to do things like store solar power and operate small wind farms, they’re not federally regulated,” he noted. “They’re regulated at the state level. And the DOE is unable to push down mandatory guidelines to them. So instead, they have created this baseline document to send out voluntary recommendations to the regulatory bodies in the various states in hopes of achieving a common national baseline.”
NARUC plans to release its Phase 2 Implementation Guidance, which should help regulators consider the scope, necessary priorities and sequencing needed to promulgate effective cyber protections. The staggered release also allows public utility commissioners and their staffs to speak with various stakeholders in their jurisdictions on how best to address the cyber risks, given the complexities of their local electricity distribution systems and differing distribution participant architectures, components, power control mechanisms and corporate size.
“What is really nice is that they have taken the initiative and steps to create this companion document that they call the informative references, where they map all of the various aspects of these baselines to already existing cybersecurity standards like National Institute of Standards and Technology’s Cybersecurity Framework and the North American Electric Reliability Corporation’s Critical Infrastructure Protection guidelines,” Keirstead explained. “So that if you already implemented some of these other standards, you will find it easier to go and attest to meeting these baselines as well.”
To start, the NARUC baselines suggest that utility companies complete and maintain an inventory of their critical information technology and digital operational technology assets, classified by how essential the technology is to the delivery of energy.
Power companies should, if they have not already, designate specific senior-level personnel who have “explicit accountability” for planning, resourcing, executing and managing cybersecurity for information and operational technology at the utility.
In addition, utilities should conduct independent validation of their cybersecurity controls in a “timely, risk-informed manner.” When acquiring equipment or services, the companies should include contract language that includes cybersecurity stipulations such as security incident notification and identification of vulnerabilities, again, in a risk-informed time frame, NARUC specified. Any future hardware and software additions should be on an approval basis with cybersecurity measures in mind.
The guidelines also include identity, credentialing and access management provisions, as well as basic cybersecurity training for all employees and contractors and specialized operational technology-related cybersecurity training for those in critical operations.
Keirstead advised a clear understanding of the cyber risks of the various utility systems. “One of the key aspects to cybersecurity is doing it with a risk-informed approach,” he stressed. “Because there is no such thing as perfect when it comes to cybersecurity. It’s actually all about balancing risks,” he said, emphasizing the importance of sufficient controls that are commensurate with the risk an organization is under, as different-sized organizations will have different levels of risk across the different sectors. “With this, we are talking about energy, which is part of our critical infrastructure, and it is a high-risk area of attack. Cyber attacks have been doubling in the energy sector every year since 2020. When we look at things with that lens, it is a very high-risk proposition.”
Also commenting on the NARUC baselines, Mark Cooper, president and founder of PKI Solutions, warned that “the evolving threats facing critical infrastructure, especially electric distribution systems, continue to increase while there’s a lack of proper tools that increase resilience.” He urged utility commissions and utilities, regardless of which technologies are implemented, to shift to a more proactive strategy and mindset “that includes real-time monitoring to identify issues proactively so that remediations can be performed before they become security threats.
“It’s good to see the DOE’s initiative offering a framework for these stakeholders to defend against cyber threats and promote cyber-resilience with a uniform approach, but success of the program will be dependent on implementation of enhanced identity management and encryption standards and tools in order to defend against unauthorized access and threats in the energy sector,” Cooper noted.
“Cybersecurity is an integral underpinning of power system resilience, and this initiative builds on work that states have undertaken over the last decade to mitigate cybersecurity risk across their critical infrastructures,” NARUC stated. “Electric distribution system stakeholders recognize the importance of enhancing grid reliability, resilience, and security. Indeed, addressing cybersecurity risk is essential as electric distribution systems continue to evolve, spurred by new technologies and operational models as well as the ever-increasing threat of cyber attacks.”