An Arizona regulator said Tuesday a standard method is needed to assess the cybersecurity preparedness of utilities.
“How in the world is a commission like this, that doesn’t have any IT background, supposed to judge the preparedness of a company?” asked Nick Myers, a member of the Arizona Corporation Commission. “There needs to be a standardized method that is less subjective, that can give us a good indication of where these utilities stand.”
The ACC discussed at a workshop how regulators can better review cybersecurity preparedness while ensuring the state’s critical service providers have access to a pipeline of skilled technology workers.
Myers, who has about 20 years' experience in the software engineering industry, said he understands the challenges involved in balancing caution alongside the need to evaluate confidential security information. Most of the information that's needed to make determinations on preparedness is private or confidential and shouldn't be shared publicly, he said.
The need for better security evaluations led the ACC to invite representatives from Idaho National Laboratory to present at Wednesday’s hearing.
Researchers at INL have developed a Cybersecurity Competency Health and Maturity Progression framework, or Cyber-CHAMP, to assist organizations in establishing security targets and training plans. And its Cyber Security Evaluation Tool “provides a systematic, disciplined, and repeatable approach for evaluating an organization’s security posture,” according to the U.S. Cybersecurity and Infrastructure Security Agency.
Arizona regulators should have “standardized, objective ways of measuring cyber readiness” of critical entities, said Myers. Such a program could include regulated utilities, municipal providers and others, he said. “Maybe we include third parties. Maybe it's just a statewide program. I don't know what may come of this, but that's what we're here to discuss today,” he said.
States, organizations and municipalities that use INL’s assessment tools may be subsequently faced with a difficult realization, said Ralph Ley, INL’s department manager of workforce development and training: The number of qualified security professionals to help guard their systems is limited, particularly in operational technology environments.
“We have colleges, universities, the K-12 system, doing as best they can to start educating and incorporating cyber into their curriculum. However, cyber is fairly new. And it's changing faster than the content that needs to be taught,” Ley said.
A system of apprenticeships or residencies could help to strengthen the cybersecurity workforce, Ley said. And INL’s free assessment tools can be of particular use to small and medium-sized utilities, which may not have the resources of larger providers.
“We've certainly seen that in our conversations with our electric retail cooperatives, our small water utilities. They just don't have the same bandwidth that our large utilities have,” ACC Commissioner Lea Márquez Peterson said.
“Their issue is really the resources, the people to actually take a look and implement and assess their own systems,” Ley said. “They'll probably never have or be able to hire the people that the large organizations have.”
Partnerships with academia can play a major role in improving education and training while also boosting organizational security, Ley said.
Utilities at the meeting said some of those efforts are already underway.
Tyler Kilian, who helps lead security efforts at Tucson Electric Power, said he works with Pima Community College in Tucson on the school’s “robust” cyber efforts.
“They have what's called a ‘live fire range’ that they manage, which allows them to do that type of work ... to actually test cybersecurity,” Kilian said. The Cyber-CHAMP assessment could be a part of that work, he said.
David Boynton, director of cybersecurity at Arizona Public Service, told the commission Grand Canyon University and Arizona State University offer tech programs and the utility has worked with interns from those schools.