Cybersecurity: States may join feds in regulating infrastructure cybersecurity

Published 16 October 2012

Dealing with cybersecurity issues relating to U.S. infrastructure has largely been a federal responsibility, carried out through the North American Electric Reliability Corporation Critical Infrastructure Requirements (NERC-CIP). The limitations of these requirements have led state regulators to consider increasing the state role in infrastructure protection.

Smart Grid News reports that the NERC-CIP covers generation and transmission assets that qualify as “critical,” but estimates put 80-90 percent of grid assets outside the NERC-CIP responsibility. The NERC-CIP is primarily compliance-based, which is important but is not enough to ensure that evolving risks are being assessed and addressed.

Utilities often have no incentive to spend on cybersecurity beyond the minimal standards. Even if some utilities did comply fully, that would not guarantee a one hundred percent secure system.

Now California and other states are developing their own cybersecurity policies, and the National Association of Regulatory Utility Commissioners (NARUC) passed a 2010 resolution encouraging regulators to open a dialogue with their regulated utilities to promote cost-effective protection and preparedness.

Smart Grid News notes that California has already instituted an explicit safety and security risk assessment which includes cybersecurity as a cornerstone of its approach to reliability and safety. It has also required utilities to report on cybersecurity activities in their Smart Grid Deployment Plans.

There are some potential issues and questions that should be answered when it comes to state regulation of cybersecurity. What actions can regulators take to address cyber security to ensure public safety and reliability? What is their position on whether and how NERC-CIP cyber security requirements should be applied to the distribution grid? What are the proper regulatory mechanisms to ensure cyber security, including both compliance-based and risk assessment-based approaches? How can regulators ensure that utilities and technology providers are properly incentivized to adequately address cyber security? What requirements should be developed to ensure that the electric system is designed to be resilient to cyber-attack? What are the metrics to track the effectiveness of cybersecurity policies and investments? How do confidentiality rules apply to cyber security reporting? Should regulators consider safe harbor protections to encourage utilities to share cyber security information?

If these issues can be addressed and resolved, the regulation of cybersecurity would be much easier and could lead to the federal government and the states combining their efforts in order to make infrastructure safer.