With the electric-utility sector focusing on cybersecurity protections, State public service commissioners must remain vigilant and ask effective questions as regulated utilities make critical investments, a new paper from the National Association of Regulatory Utility Commissioners concludes.
Although a cyber attack has never interrupted utility services in the U.S., State commissioners will need to work with regulated utilities and ensure they are taking prudent steps and making sound investments for installing cybersecurity protections, the primer said. While not directly responsible for installing these protections, State regulators should continue being proactive in monitoring utility progress.
“It may fall to regulators to ask questions of utilities to determine if there are [cybersecurity] gaps and facilitate action,” the NARUC primer said.
“This may be the key role for commissions in cybersecurity. Commissioners do not need to become cyber industry authorities or enforcers, but asking a utility a question may motivate the development of a well-founded answer.”
NARUC’s Grants and Research Department authored the Cybersecurity for State Regulators primer as part of its mission to inform and educate State utility commissioners on utility trends and best practices. The primer was developed through the State Electricity Regulators Capacity Assessment and Training program funded by the U.S. Department of Energy’s Office of Electricity Delivery and Energy Reliability.
The paper includes a sample list of questions commissions should consider asking regulated utilities. These questions deal with ensuring utilities are planning cybersecurity investments with sound procurement strategies and implementing policies and personnel to deal with potential challenges.
But just asking questions isn’t enough. Armed with the right information, regulators then have the difficult job of determining whether utility expenditures earmarked for cybersecurity protections are prudent and in the public interest, the primer said.
“Regulators have to determine whether the amount being invested is insufficient or excessive and whether it is allocated appropriately,” the primer said.
“Regulators must then help prioritize these investments along with all the other proposed spending that a utility proposes in a rate case. Regulators must keep the cost of electricity affordable for customers while asking utilities to spend more on cybersecurity in the face of increasing media attention on stories of cybersecurity threats and vulnerabilities.”
Doing so requires a risk-based approach, the primer concludes.
“Understanding risk means understanding the relationship between vulnerability (such as a system with a known but unaddressed weakness), threat (such as a bad actor propagating viruses or worms) and consequence (such as physical damage and loss of public safety),” the primer notes.
“Simply understanding risks is just the first step: a risk-based approach prioritizes components for protection, as well as the threats and vulnerabilities that require attention.”
The primer does not offer recommendations or endorsements of any cybersecurity legislation being debated in Congress.
NARUC is a non-profit organization founded in 1889 whose members include the governmental agencies engaged in the regulation of utilities and carriers in the fifty States, the District of Columbia, Puerto Rico and the Virgin Islands. NARUC’s member agencies regulate telecommunications, energy, and water utilities. NARUC represents the interests of State public utility commissions before the three branches of the Federal government.