In Washington state, power utilities are expected to invite "good guy" hackers to try to break into critical systems to surface any cybersecurity vulnerabilities.
The state’s Utilities and Transportation Commission, which encourages but does not require such penetration testing, also conducts on-site audits of regulated companies’ security plans.
The Pennsylvania Public Utility Commission requires utilities to certify annually that their defenses are up to date, covering not only cyber threats, but also physical security, emergency response and continuity of operations. "I’m very happy to say that our utilities have taken it seriously," said PUC Commissioner Pamela Witmer.
In Montana, regulators had utilities respond to a lengthy cybersecurity preparedness survey NARUC produced, but there haven’t been any follow-up actions.
"There’s really been no major conversation concerning [cybersecurity], so we just don’t have a lot of information," said Joel Tierney, utility engineer and pipeline safety program manager for the state’s Public Service Commission. "It’s one of those things where it takes something to happen for people to get excited about it."
The three examples illustrate a wide disparity in how state utility commissions are responding to cybersecurity threats to utilities they regulate, documented in a recent report by the National Regulatory Research Institute.
"Some states … they’re super enthusiastic about it," said Daniel Phelan, a NRRI research associate who prepared the report summarizing state regulators’ responsibilities for cybersecurity. "Whereas other states, you struggle to find any information about what they’ve been doing."
NRRI provides research services for members of the National Association of Regulatory Utility Commissioners, which put cybersecurity high on the agenda for its winter meeting this week in Washington, D.C. The NRRI survey was prepared for the Middle Atlantic Cybersecurity Collaborative, representing six commissions in that region.
Eighty percent of the U.S. electric power network is in the hands of distribution utilities regulated by states, municipal councils or cooperative boards. Only the interstate high-voltage grids are governed by the Federal Energy Regulatory Commission and its standards-setting organization, the North American Electric Reliability Corp. (NERC).
Phelan found that as of the end of last year, 11 commissions had completed rules or orders relating to cybersecurity: Arkansas, California, Connecticut, Maryland, Montana, New Jersey, New York, Oregon, Pennsylvania, Texas and Washington.
Eight other states, plus New York and Connecticut and the District of Columbia, had ongoing dockets on cybersecurity policy: Indiana, Kentucky, Louisiana, Massachusetts, Missouri, Rhode Island, South Carolina and Vermont.
Thirty-one states are not on either list.
The NRRI report and interviews with state officials reveal a patchwork of cyberthreat responses that causes some experts to question whether gaps exist in cybersecurity defenses of the nation’s distribution utilities.
Yochi Zakai, policy adviser for Washington’s UTC, says it "is only a matter of time" before a utility gets hacked in a big way, echoing a warning last year by Adm. Michael Rogers, head of the National Security Agency and the U.S. Cyber Command.
"If you’re aware of what’s going on in this field, no system is 100 percent secure, and you know we have to be very vigilant," Zakai said. "So hopefully a company has a good system set up and then they are able to identify [the attack] right away and it’s not serious."
Some experts and officials say the hit-and-miss response to the NRRI survey of state commissions likely understates the extent of cybersecurity threat response among both commissions and the distribution utilities they regulate. But Phelan said he knows of no comprehensive public assessments of cybersecurity defenses protecting electric power utilities.
How safe is the electricity distribution network? "We don’t know," said one expert, who declined to speak on the issue for attribution. "We won’t know until something happens."
Utility executives and industry and government cybersecurity officials say that the amount and quality of cybersecurity threat information that utilities can use and act on varies significantly.
Anthony Earley Jr., chairman and CEO of PG&E Corp., which runs California’s largest power utility, says that his company and some other large utilities have access to advanced cybersecurity forensics and defenses through a top-level federal-industry partnership, the Electricity Sub-sector Coordinating Council (ESCC).
"The utility sector and the federal government have a really good, cooperative relationship," Earley said.
A new phase of the relationship followed the devastation of Superstorm Sandy in 2013, he added. It was clear that the impact of a severe cybersecurity attack could resemble the widespread damage and recovery obstacles the storm created.
"The federal government has very sophisticated tools for going into a system, monitoring it to see its vulnerabilities and whether it has been broken into. Utilities have been able to use these tools to help improve their systems because these tools are far more sophisticated than anything that is commercially available that we could get," Earley said.
So far, several dozen utilities have chosen to pay a fee for access to the ESCC threat-sharing program Earley described, according to one industry expert. ESCC information on a more general level is shared with other utilities through a broader organization, the Energy Sector Information Sharing and Analysis Center — ES-ISAC — operated by NERC.
ES-ISAC employs technology from the Department of Homeland Security to share threat data. However, many utilities are not yet equipped to plug into the full capabilities ES-ISAC offers, officials say.
To strengthen participation in ES-ISAC, utilities around the country are being asked, "what do you need? What tools and capabilities do you want the ES-ISAC to have and provide so you can take actions to protect system," one informed official explained.
States experiment
Many governors’ offices have also sought to sharpen their cyber readiness.
The National Governors Association created a Resource Center for State Cybersecurity in 2012 to assist state officials. A paper by NGA senior policy analyst Andrew Kambour last year said that Delaware, Maryland, Missouri, Rhode Island, Utah and Washington have created cybersecurity units within the National Guard. Kambour noted that Washington, home state to Microsoft Corp., specifically draws on the cybersecurity and technology expertise of guard members in their day jobs.
State utility commissions are designed as independent bodies not under a governor’s direct control. However, some governors have emphasized the need for strong partnerships with the private sector, including utilities, said Doug Robinson, executive director of the National Association of State Chief Information Officers, which advises state governments on cybersecurity issues.
"The best example of that is Michigan," Robinson said. The state’s Public Service Commission is part of Gov. Rick Snyder’s governmentwide Michigan Cyber Initiative. "They are early adopters."
The differences in state commission cybersecurity responses creates a broad check list of potential strategies for overseeing the threat, illustrating states’ roles as "laboratories" for policy experimentation.
The staff of the California Public Utility Commission has recommended a series of cybersecurity actions by state commissions, including directing utilities to break out and itemize what they are spending on cyber actions in rate requests.
"Funding discussions on cybersecurity tend to be that the utilities are spending too much on cybersecurity, until they are not," said Chris Villarreal, CPUC senior regulatory analyst.
"Having a good way of measuring the effectiveness of cybersecurity funding remains a challenge, as the utility has to justify spending money avoiding something — how to justify the cost of spending money on something that doesn’t happen?" he said. Detailing those costs in rate cases is a start.
The NRRI survey, however, found that there were only seven states where utilities explicitly detailed cybersecurity costs within rate cases.
The rarity of seeing cybersecurity in rate cases stems from the difficulty of conducting cost/benefit analyses for cyber protections, experts say.
It’s also "really hard for commissioners to assess the reliability of any such kinds of estimates," noted Paul Stockton, former assistant secretary of Defense for homeland security and managing director of consultancy Sonecon LLC. "This is an area where informal, non-docketed discussion between commissioners, their staffs and the utilities is absolutely vital."
Meanwhile, emerging technologies are blurring the lines between distribution and transmission networks, further changing risk assessments, Stockton said.
"The grid is being modernized and strengthened so rapidly that I don’t believe we understand, in the years to come, how many new attack surfaces we’re creating, all of the interdependencies that are likely to emerge," he said. "That is an area that requires further analysis — not just where we are today, but attempting to anticipate how investment is going to go forward."
Info protection
State commissions that ask utilities to report cyberattacks or vulnerabilities have to be able to protect information that may be accessible under state open records laws.
"Much of this information is highly confidential, and care needs to be taken to ensure the ongoing protection of this information. Utilities are reluctant to tell the regulator of high risk [factors] for fear of regulatory investigation and potential liability risks," California’s Villarreal said.
Across the utility spectrum, officials say a crucial priority is congressional action on threat-sharing legislation. Officials say utilities need a safe harbor when they disclose vulnerabilities and a shield from lawsuits if they have to cut off customers’ power temporarily to deal with severe cyber intrusions — assuming the utilities have taken reasonable measures to protect themselves.
Missouri’s Public Service Commission began a formal cybersecurity review in 2012, asking utilities to answer the NARUC questions and give high-level presentations on their cyberdefense programs. But that soon evolved into an informal arrangement.
"We created a team of staff experts [at the commission]," said Terry Jarrett, a former Missouri commission member. The team brought together people with backgrounds in information technology, grid operations and engineering.
"They were regularly in contact with our regulated utilities on cybersecurity issues," Jarrett said. "We found that was very, very helpful. Some of our utilities weren’t having issues but were sharing risks they were seeing and the steps they were taking."
The informal nature of the conversations put utilities at ease, he added.
"We didn’t want any formal documents on sensitive cybersecurity issues that we would house on the commission server that might be hacked," said Jarrett, who headed NARUC’s cybersecurity panel before leaving the commission in 2013.
Arthur House, chairman of the Connecticut Public Utilities Regulatory Authority, cited similar concerns as a basis for seeking a close but informal dialogue with the state’s electric utilities on cybersecurity. "We don’t want to be the custodian of sensitive information," he said.
Yet another issue for commissions is recruiting qualified cybersecurity staff.
Washington’s Zakai said that states should be flexible with defining "qualified," however.
"I wouldn’t call myself qualified to go out and try to hack into a company’s system," he said. "But that’s OK, I don’t think we need that expertise in-house in the commission as long as we’re making sure the companies do have someone outside of their internal teams that are looking at it."
Budgetary constraints play a role in preventing commissions from attracting and keeping cybersecurity talent. Villarreal mentions another issue: Many state commissions do not have staff with security clearances to be part of the larger, national conversation on cybersecurity.
"It’s difficult for a state commission to have a cybersecurity expert," said Pennsylvania Commissioner Witmer. "Quite frankly — to this point — most of the state cybsersecurity experts are self-taught IT [information technology] folks. We’re now just starting to see universities develop degrees in cybsersecurity."
That expertise will help utilities and commissions in the future if their budgets have the room.
"Our larger utilities have more resources, so one of the things we’ve been working very hard at is helping break down barriers in the conduit of information and allow our larger utilities to serve as mentors to some of our smaller and midsized companies," Witmer said.
Unconventional strategies
Some states have acted to strengthen utility cybersecurity defenses outside of the utility commission regulatory framework.
In Utah, legislators carved out funding for a cyber protection and investigation unit after a breach at the state’s Department of Technology Services leaked the personal information of hundreds of thousands of Medicaid recipients and child patients three years ago.
The State Bureau of Investigation’s new Cyber Crimes Unit is equipped to respond to cyberthreats involving electric utilities, officials said.
"We would investigate cyberthreats to the electrical grid if requested by the entity," said Maj. Brian Redd, cyber division director at the Utah Department of Public Safety.
He added that the unit would coordinate with federal investigators for any incident involving critical infrastructure, such as an attack on the electric grid.
Redd said the harried response following the health care data breach revealed a need for more resources to counter cyberthreats.
"We feel much more prepared now to deal with intrusions," he said, although he added that "we have a long ways to go," particularly when it comes to sharing information with the private sector.
For its part, Utah’s Public Service Commission has talked about cybersecurity with regulated utilities at technical conferences but has yet to take formal action.
Still, Gary Widerburg, administrator for Utah’s PSC, said the regulator would be open to having conversations with the Cyber Crimes Unit to prepare for a possible attack on the grid.
"Cybersecurity is definitely a discussion that is going to continue to grow," Widerburg said. "It’s not something that can be ignored, and you’re going to hear more and more about it."
Some states have used voluntary cyber guidelines published by the National Institute of Standards and Technology as a benchmark for their regulated utilities’ progress. Other state regulators hew toward relying on Critical Infrastructure Protection standards for the bulk electric power grid.
Since 2012, New York’s Public Service Commission has directed large utilities to go above and beyond NERC standards by addressing cybersecurity budgeting and staffing needs.
Phelan credited New York as being one of the more vocal states on the cybersecurity issue but concluded from the survey that most electric utilities and regulatory commissions are far from declaring victory against the shadowy, evolving cybersecurity threats they face.
"We really found that commissions aren’t ready to say that they’ve been successful, that their way is the right way," he said. "So the level of confidence in utility commissions that they’re doing the right thing isn’t extraordinarily high, but they’re more than willing to act and to try to figure out the way forward."
