Dive Brief:
- In all 81 pages of the roster of U.S. state utility regulators, there is not a single member whose job title includes the word "cybersecurity."
- The revelation comes after years of warnings about the grid's vulnerability to both cyber and physical threats. However, the National Association of Regulatory Utility Commissioners (NARUC) said members from 37 states had undergone cybersecurity training since 2012.
- To address the lack of in-house cybersecurity personnel, New England states took the unprecedented step of hiring external cybersecurity consultant Steven Parker of nonprofit consultancy EnergySec. "Very few of the states have anyone on the staffs with significant knowledge of cybersecurity," Parker said. "That's part of why they got together."
Dive Insight:
As the grid transitions from a one-way delivery system to a two-way integrated network, there is a growing cyber threat. While certain steps have been taken at the federal level, the U.S. grid is highly regional and thus the responsibility falls to state regulatory commissions and grid operators.
"Cyberthreats are a stream that keeps coming. It keeps changing. If you don't have anyone assigned to that, even part-time, how in hell are you going to do it?" said Parker. "That is a badly needed step." Parker and other industry analysts pointed out that few regulators actually have a member of staff with enough security experience to meet the challenge of protecting the grid. New England's pragmatic response could be a model for other regions to follow.
Setting aside the lack of personnel and of funds to train staff in cybersecurity threat response, one strategy NARUC recommends puts more of the onus on the relationship between regulators and utilities. Regulators need to be able to assess whether utilities are addressing cybersecurity threats adequately, said Miles Keogh, NARUC's director for grants and research.
NARUC recently released a set of questions, designed to test preparedness in the event of a cyberattack on the grid, that regulators can ask utilities. "The first recommendation is for commissions to look at themselves and ask, what kind of regulator do they want to be, and can they be, given their environment? The second question is, what actions are called for? This step calls for commissions to figure out what they want to do, and then set expectations," Keogh said.