Congress has been grappling with cyber security for months, and the executive branch is circulating an order calling for greater coordination among agencies.
At the National Association of Regulatory Utility Commissioners, we’re making our views known in a coalition that is monitoring the legislation. We want to ensure that any key coordinating agency doesn’t usurp the statutory roles of the Federal Energy Regulatory Commission and the North American Electric Reliability Corp. in setting the grid’s rules and standards.
The federal government will play the primary role in ensuring effective cyber defenses, but states will also have a key role. State agencies are closest to the situation; we know our geography; we know our utilities and their infrastructure; and we know how our utilities have responded to natural disasters.
At the state level, we are ultimately responsible for ensuring that our utilities manage risks well. Many of the risks our utilities face are well known — aging infrastructure, Mother Nature, legislative uncertainty. But cyber security is an emerging and dynamic risk that all stakeholders, from the federal government to the regulators and the utilities themselves, are grappling with.
One thing is certain: Cyber security will require capital investments and recovery in retail rates. We don’t yet know what those amounts will be. But in order to make sound decisions, we must have the foundational knowledge and tools to measure risks.
For utility regulators, our most prudent course of action is to act decisively now to increase our knowledge base, educate our staffs, coordinate with federal and state agencies, and encourage best practices.
Traditional Strategies
NERC, through its Critical Infrastructure Protection program, offers a detailed compliance-based approach. But the “hacktivists” are smart and nimble in creating viruses that infect computers, servers and supervisory control and data acquisition systems. As the risks evolve, we must be able to adapt quickly to new threats and circumstances. We should recognize that the utilities we regulate are partners in our common goal of providing safe and reliable service, but we must also guard against over-investment.
As we prepare at the state commissions to address cyber security, we must realize our traditional strategies for assessing risks are no longer adequate. We need to broaden our scope of risks, re-orient our methods and adopt a more long-term view of risk assessment.
For example, the NERC approach relies heavily on developing rules, due process, a published standard, required annual audits and substantial documentation. NERC’s rules are good and have evolved over time, but in general, they can be characterized as transparent, static and audit-driven.
Cyber risks have the opposite characteristics. They are hidden, dormant, increasingly sophisticated, dynamic and impervious to audits. And cyber risks can’t be characterized by the traditional distinction between distribution (less than 100 kilovolts, regulated by states) and bulk wholesale power (regulated by FERC).
How exactly does a utility perform a useful risk assessment, and how do you oversee such measures?
You start by assessing vulnerabilities — including wireless technologies and thumb drives. Assess the threats and outline possible consequences. Evaluate your entire organizational structure in order to address those vulnerabilities and threats.
Next, reorganize to align traditional security with cyber defenses and establish clear lines of accountability. Then prioritize your resources: budgetary, of course, but even more importantly, human resources.
Read the NARUC primer, “Cyber Security for State Regulators,” that was published in June. Acquire basic knowledge by sending questions to your utilities, meeting with them and building your team at the state level.
Ultimately, the additional costs of countermeasures will come before state utility regulators. So it’s time to engage with industry and learn up-front about the potential risks and costs.
This story first appeared in EnergyBiz magazine.
Copyright © 1996-2013 by CyberTech, Inc. All rights reserved.