Researchers tackle wide gap in states’ cyberdefenses

By Peter Behr | 02/11/2019 07:33 AM EST

State regulators were briefed yesterday on a new research effort that confronts an old challenge — bringing cyberdefenses of distribution utilities across the 50 states up to a “best practices” threshold, at least.

Cybersecurity standards vary from state to state. Oran Viriyincy/Flickr

A nonprofit grid security advisory firm, Protect Our Power, has taken on the task that has occupied the National Association of Regulatory Utility Commissioners (NARUC) for most of this decade: confronting the vast but unmapped gap between state commissions with effective cybersecurity policies and others with hardly any at all.

No one knows how serious that gap is today, said Richard Mroz, a senior adviser to Protect Our Power and former president of the New Jersey Board of Public Utilities. Mroz presented the organization’s agenda to commissioners yesterday at the NARUC winter policy meeting in Washington, D.C.


"There is not a good body of work for a comprehensive analysis of where cybersecurity matters stand in the states," Mroz said following yesterday’s briefing. "The [cyber] sophistication in each state is different," he added.

The skill and financial resources vary.

"It is a patchwork. There are no standards across the states," he said.

Mark James, an assistant professor at the Vermont Law School’s Institute for Energy and the Environment, who joined Mroz in yesterday’s presentation, added an anecdote. In a recent conversation with an unnamed state commission member, he was told, "Our cyber guy just left." James said he "waited a beat" to hear what would come next, but nothing did. Apparently, there wasn’t another one on deck, he said.

Surveying for strategies

Developing a slate of best practices is the first step, James said.

At the end of the process, state commissions need a way to assess whether the electric utilities they oversee are meeting standards, and if they aren’t, why, James said.

The state follow-up can range from formal audits to informal meetings between commissioners and utility executives and their staffs, with no notes taken or records kept. State commissions can join that process at different levels depending on their resources, James said. "But you need to join," he said.

Protect Our Power, headed by Jim Cunningham, former president of the Pennsylvania Electric Association, is backing a survey by the Vermont Law School of strategies state commissions can follow to upgrade cyberdefenses and incentivize utilities to invest in grid defense and recovery.

The institute next month will release its survey, based on interviews with executives of utilities, commissions and trade groups. Issues in the study include the protection of utilities’ confidential operational information, which could include sensitive details on vulnerabilities, and metrics for assessing utilities’ resilience in the face of cyberattacks.

The institute will look for answers to the conflict between drawn-out, multi-year rate cases and the need to quickly fund new, state-of-the-art cyberdefenses or newly identified investments in grid hardening for resilience.

Until utilities and regulators agree on standardized metrics for benchmarking the value of investments in grid defense and resilience, utilities will struggle to justify investments that wind up on customers’ bills, the institute’s survey outline said.

"The cost is a significant hurdle, so constituencies must be convinced that the threats are clear and present" and the response plan is clear and compelling, the institute said.