State Regulators Monitoring Cyber Security Proposals

Philip B Jones | Mar 12, 2013




Congress has been grappling with cyber security for months, and the executive branch is circulating an order calling for greater coordination among agencies.

At the National Association of Regulatory Utility Commissioners, we’re making our views known in a coalition that is monitoring the legislation. We want to ensure that any key coordinating agency doesn’t usurp the statutory roles of the Federal Energy Regulatory Commission and the North American Electric Reliability Corp. in setting the grid’s rules and standards.

The federal government will play the primary role in ensuring effective cyber defenses, but states will also have a key role. State agencies are closest to the situation; we know our geography; we know our utilities and their infrastructure; and we know how our utilities have responded to natural disasters. 


At the state level, we are ultimately responsible for ensuring that our utilities manage risks well. Many of the risks our utilities face are well known — aging infrastructure, Mother Nature, legislative uncertainty. But cyber security is an emerging and dynamic risk that all stakeholders, from the federal government to the regulators and the utilities themselves, are grappling with.

One thing is certain: Cyber security will require capital investments and recovery in retail rates. We don’t yet know what those amounts will be. But in order to make sound decisions, we must have the foundational knowledge and tools to measure risks.

For utility regulators, our most prudent course of action is to act decisively now to increase our knowledge base, educate our staffs, coordinate with federal and state agencies, and encourage best practices.

Traditional Strategies

NERC, through its Critical Infrastructure Protection program, offers a detailed compliance-based approach. But the “hacktivists” are smart and nimble in creating viruses that infect computers, servers and supervisory control and data acquisition systems. As the risks evolve, we must be able to adapt quickly to new threats and circumstances. We should recognize that the utilities we regulate are partners in our common goal of providing safe and reliable service, but we must also guard against over-investment.

As we prepare at the state commissions to address cyber security, we must realize our traditional strategies for assessing risks are no longer adequate. We need to broaden our scope of risks, re-orient our methods and adopt a more long-term view of risk assessment.

For example, the NERC approach relies heavily on developing rules, due process, a published standard, required annual audits and substantial documentation. NERC’s rules are good and have evolved over time, but in general, they can be characterized as transparent, static and audit-driven.

Cyber risks have the opposite characteristics. They are hidden, dormant, increasingly sophisticated, dynamic and impervious to audits. And cyber risks can’t be characterized by the traditional distinction between distribution — less than 100 kilovolts regulated by states — and bulk wholesale power regulated by FERC.

How exactly does a utility perform a useful risk assessment, and how do you oversee such measures?

You start by assessing vulnerabilities — including wireless technologies and thumb drives. Assess the threats and outline possible consequences. Evaluate your entire organizational structure in order to address those vulnerabilities and threats.

Next, reorganize to align traditional security with cyber defenses and establish clear lines of accountability. Then prioritize your resources: budgetary, of course, but even more importantly, human resources.

Read the NARUC primer, “Cyber Security for State Regulators,” that was published in June. Acquire basic knowledge by sending questions to your utilities, meeting with them and building your team at the state level.

Ultimately, the additional costs of countermeasures will come before state utility regulators. So it’s time to engage with industry and learn up front about the potential risks and costs.

This story first appeared in EnergyBiz magazine
