Grid securityStates lack expertise, staff to deal with cyberthreats to utilities

Published 8 May 2014

The vulnerability of national electric grids to cyberattacks has caught the attention of federal utility regulators and industry safety groups, but state commissions tasked with regulating local distribution utilities are slow to respond to emerging cybersecurity risks. The annual membership directory of state utility regulators lists hundreds of key staff members of state commissions throughout the country, but not a single staff position had “cybersecurity” in the title.

The vulnerability of national electric grids to cyberattacks has caught the attention of federal utility regulators and industry safety groups, but state commissions tasked with regulating local distribution utilities are slow to respond to emerging cybersecurity risks. The annual membership directory of state utility regulators lists hundreds of key staff members of state commissions throughout the country, but not a single staff position had “cybersecurity” in the title. With a few exceptions, state commissions and utilities lack the depth of expertise to determine whether utility systems are secure and able to fight off cyberattacks.

Miles Keogh, director of grants and research for the National Association of Regulatory Utility Commissioners (NARUC), and head of the group’s security briefings program, believes that states are taking cybersecurity seriously. The NARUC has conducted cybersecurity training programs for commissions in thirty-seven states since 2012, but Keogh agrees that there is room for improvement. A primer on cyber threat, “Cybersecurity for State Regulators,” created by Keogh and colleague Christina Cody, declares the challenge: “Given that there are very little or no cybersecurity standards specified at this point by state regulatory authorities in regard to the distribution portion of the electrical grid, what are you doing to get in front of this?”

Mark Weatherford, a principal with the Chertoff Group sees a gap in cyber capabilities at the state commission level. “There is no state, as far as I can tell, that has created a position for a security specialist responsible for cyber and physical security oversight,” Weatherford said. “The number of state commissions that actually have any competence at all — anyone on the staff with any degree of cybersecurity background — is probably two or three,” he added. “Very few states have changed anything. They don’t have money in their budget to add staff and couldn’t get it through state legislatures.”

Environment & Energy Publishing reports that some states assign cybersecurity policy responsibility to the chief information security officers (CISOs) on governors’ staffs, but many of the individuals who hold CISO positions lack the experience in cybersecurity for the electric power sector. “The state [public utility commissions] have no intelligence capacity. They don’t have security clearances or vaults to store secure information,” said Arthur House, chairman of the Connecticut Public Utilities Regulatory Authority. “This is an extremely demanding job. Commissioners need to understand engineering, economics, law, public policy, management. Nobody is fully qualified to do all the things you need to do. Last thing in the world a PUC needs is to have cybersecurity thrown on top of that.”

To improve their cyber defense capabilities, a group of New England states pooled resources together to hire an outside cyber consultant, Steven Parker, president of EnergySec, a nonprofit consulting firm. “What is going on in New England is a good example of what should be happening,” Parker said. However, states should understand their unique security threats before designing a cybersecurity strategy. Commissions find it difficult to determine how well utilities are secured from cyberattacks, Keogh said, because companies that have been attacked are not likely to be aware of the attack or how their systems became penetrated.

Instead of advising utilities to purchase specific cybersecurity products or solutions, Keogh  recommends commissions to ask themselves, “what kind of regulator do they want to be, and can they be, given their environment?” “The second question is, what actions are called for? This step calls for commissions to figure out what they want to do, and then set expectations.” Then commissions must ask whether utilities are making good risk management decisions.

The NARUC primer by Keogh and Cody lists forty-eight questions that commissions could ask the utilities they regulate, keeping in mind that each question should be tailored to the commission’s unique circumstances. Questions include, whether a utility has a cybersecurity policy along with a chief security officer with cybersecurity responsibilities. Another question asks whether a utility’s vendors provide control systems that “are beyond the ability of your organization to monitor, understand, or assure? Has your organization explored whether these may create cybersecurity vulnerabilities to your operations?”

Your utilities may not be particularly forthcoming with some of their answers, but their answers create a dialogue of understanding and responsibility in the event of a cyber attack,” Keogh and Cody said in their report.