First of two stories.
The annual membership directory of state utility regulators lists several hundred key staff members of the 50 state commissions. Not a single staff position in the 81 pages has "cybersecurity" in the title.
While the vulnerability of the nation's high-voltage interstate grids attracts increasing concern and attention at the federal policy level, the ability of state commissions to oversee the cyber and physical security defenses of local distribution utilities varies greatly. With some exceptions, neither commissions nor utilities have the depth of security expertise to match their potential adversaries, experts and officials agree.
Commissioner Philip Jones of the Washington State Utilities and Transportation Commission, past president of the National Association of Regulatory Utility Commissioners (NARUC), said the threat is acutely recognized across the state commissions.
"I think we've come a long way," Jones said, but the progress is hard to measure. "How far have we gotten? I cannot answer. The markers are always changing. Every time I get a new briefing or read a new article, I continue to be very concerned.
"I can tell you there are enough risks that state commissioners regulate that give me great pause," Jones added.
"The states are taking it seriously," said Miles Keogh, NARUC's director of grants and research, who heads the security briefings program. NARUC, the national organization for state regulators, has given a top priority to cyberthreats, conducting training programs for commissions in 37 states so far since 2012.
But there are important differences in the state commissions' ability to respond to the challenge, Keogh said.
Unlike the evolving federal cybersecurity standards for the interstate high-voltage network developed by the electric power industry and certified by the Federal Energy Regulatory Commission, state cybersecurity regulations are few and far between.
A primer on the threat, "Cybersecurity for State Regulators," created by Keogh and colleague Christina Cody, states the challenge directly: "Given that there are very little or no cybersecurity standards specified at this point by State regulatory authorities in regard to the distribution portion of the electrical grid, what are you doing to get in front of this?"
A cyber skills gap
Mark Weatherford, a principal with the Chertoff Group who was chief information security officer in California and also in Colorado before becoming a deputy undersecretary in the Department of Homeland Security, sees a substantial gap in cyber capabilities at the state commission level.
"There is no state, as far as I can tell, that has created a position for a security specialist responsible for cyber and physical security oversight," Weatherford said.
"The number of state commissions that actually have any competence at all -- anyone on the staff with any degree of cybersecurity background -- is probably two or three," he added. "Very few states have changed anything. They don't have money in their budget to add staff and couldn't get it through state legislatures."
Some states vest cybersecurity policy responsibility with the chief information security officers (CISOs) on governors' staffs. A 2010 paper by the IBM Center for the Business of Government described the roles of CISOs in California, Colorado, Delaware, Kansas, New York and Washington state, noting their ability to coordinate cybersecurity policies. These officials, however, are responsible for protecting a wide range of state activities against cybersecurity attacks -- health systems, tax departments, law enforcement and social services, among others -- and don't have direct responsibility for the electric power sector.
"The state [public utility commissions] have no intelligence capacity. They don't have security clearances or vaults to store secure information," said Arthur House, chairman of the Connecticut Public Utilities Regulatory Authority. "This is an extremely demanding job. Commissioners need to understand engineering, economics, law, public policy, management. Nobody is fully qualified to do all the things you need to do. Last thing in the world a PUC needs is to have cybersecurity thrown on top of that."
Paul Centolella, a former public utility commissioner in Ohio, said that "the technical capabilities of commissions vary significantly from commission to commission, depending on what kind of staff they have in place and the experience of the state."
"In Ohio, we had two to three people who had some experience in security issues. At least we were in a position to monitor what was going on. Not every state is so fortunate," Centolella said.
"The proof is in the pudding," said energy consultant Andrew Bochman. "If you look at the organization charts of any state public utility commission you would be hard-pressed to find anybody with cybersecurity in a title. That is an indication of the commitment.
"I don't mean to sound too negative," Bochman said. "They are beginning to understand the gravity of the issue. They're just not quite there yet. I think they will get there eventually. We have to decide if they will get there fast enough."
An unusual partnership
To raise their cyberdefense capabilities, a group of New England states took the unusual step last year of pooling resources to hire an outside cyber consultant, Steven Parker, president of EnergySec, a nonprofit consulting firm in Portland, Ore.
"What is going on in New England is a good example of what should be happening," Parker said, beginning with a careful examination of the unique issues each system faces in order to understand the threats, and then proceeding with strategic responses.
"The level of preparedness is going to vary quite a lot" across the entire utility spectrum from large, sophisticated systems in major metropolitan areas to small municipal power providers regulated by city councils, he said.
Preparedness "is definitely trending upward," he said. "We're seeing very wide awareness of the issue. It's going in the right direction."
But there is a long way to go. "Very few of the states have anyone on the staffs with significant knowledge of cybersecurity," Parker said. "That's part of why they got together."
Given the sensitivity of the issue, experts say there is no public score card of which state commissions are leading and which are lagging in their responses to cyber and physical security threats.
"I have not seen a systemic look at who has done what," said Granger Morgan, a Carnegie Mellon University professor who led a National Research Council report, "Terrorism and the Electric Power Delivery System."
A headline threat to the lower-voltage power distribution system in cities is an attack on utility control systems. Distribution systems typically deliver power radially from substations, with less redundancy than the high-voltage grids provide, so a single compromised control point can have an outsized effect.
"The vulnerability of the supervisory control and data acquisition (SCADA) systems controlling public utilities has been demonstrated, raising widespread concern that the Internet connectivity of these systems could lead to significant disruption of utility services (especially electricity) by malicious parties," a Defense Science Board report in January 2013 concluded.
"It isn't too hard to attack the distribution system," Carnegie Mellon's Morgan said. "All of this sits out open. We can't armor it all."
Morgan worries more about the potential societal consequences of a successful attack on the high-voltage networks, but there are significant risks to the local networks, as well, he added. "You could cause a real problem locally" with a successful attack on a key distribution substation.
Jones said there is increasing concern over changes in utility distribution systems as smart-grid technologies and new automation tools proliferate. "These are all big vulnerabilities in the system," he said.
Bochman said that, at the very least, state commissions need to have a point person responsible for security issues whose role is clearly identified. "That gives you some continuity and greatly increases chances you can have communication" in emergencies, Parker said. "Cyberthreats are a stream that keeps coming. It keeps changing. If you don't have anyone assigned to that, even part-time, how in hell are you going to do it?" he added. "That is a badly needed step."
A new strategy
If state utility commissions generally don't have a full-fledged cybersecurity capability now, and if -- as Parker and others believe -- many states will have a hard time reaching that point, then a different strategy is called for, he and others argue.
For a commission to determine how well a company has set up cybersecurity defense is diabolically difficult, Keogh said, because companies that have been penetrated very likely don't know that they have been beaten or how it happened.
Rather than try to tell utilities which cybersecurity product to buy, or which defensive strategy to adopt, utility commissions need to determine whether their utilities are tackling the challenge in the best way, Keogh said.
"The first recommendation is for commissions to look at themselves and ask, what kind of regulator do they want to be, and can they be, given their environment?" Keogh said.
"The second question is, what actions are called for? This step calls for commissions to figure out what they want to do, and then set expectations."
The third step is for the commissions to ask whether utilities are making good decisions on managing their risks.
The NARUC primer by Keogh and Cody lists 48 key questions that commissions could put to the utilities they regulate, covering policy, standards, procurement practices, personnel practices and operations. Each commission should tailor the questions to its circumstances, Keogh said, and use the exchange to prompt actions to close gaps in cyberdefenses.
Some questions are directed at basic issues. For example, the questionnaire prompts commissions to ask whether a utility has a cybersecurity policy and has appointed a chief security officer with cybersecurity responsibilities. Another question asks whether a utility records attacks on its system.
Other questions go deeper into specific capabilities. Question No. 22 asks whether a utility's vendors are providing control systems that "are beyond the ability of your organization to monitor, understand, or assure? Has your organization explored whether these may create cybersecurity vulnerabilities to your operations?"
"Your utilities may not be particularly forthcoming with some of their answers, but their answers create a dialogue of understanding and responsibility in the event of a cyber attack," Keogh and Cody said in their report.