By Rich Heidorn Jr.
The National Association of Regulatory Utility Commissioners this week completed the release of a suite of tools it says will allow state regulators to gauge their utilities’ cybersecurity preparedness — without becoming technical experts.
NARUC said the two newest offerings, a template of questions and an evaluation tool, will help regulators make “well informed … decisions regarding the effectiveness of utilities’ cybersecurity preparedness efforts and the prudence of related expenditures.”
“The threat posed by cybersecurity incidents is very real, and it is essential that regulators have a clear understanding of the work being done by our utilities to safeguard vital systems and address current and future cyber threats,” said Pennsylvania Public Utility Commission Chair Gladys Brown Dutrieuille, who heads NARUC’s Critical Infrastructure Committee.
Understanding Cybersecurity Preparedness: Questions for Utilities supplements prior NARUC cybersecurity publications, providing a list of queries that regulators can use to evaluate a utility’s cybersecurity risk management program and practices.
The Cybersecurity Preparedness Evaluation Tool (CPET) provides a way to measure the maturity of individual utilities’ cybersecurity risk management programs over time. It is intended to be used with the questions on an iterative basis to help regulators identify utilities’ cybersecurity gaps and press them for continued improvement.
“As regulators, we must assess utilities’ decisions to invest in risk management tools and other protections for business and customer information, but we are not cybersecurity experts,” Washington Utilities and Transportation Commissioner Ann Rendahl said. “CPET will help us dive into risk management and cybersecurity topics without each commission reinventing the wheel.”
The two new publications supplement three previously released resources: the Cybersecurity Strategy Development Guide (2018), which provides a “roadmap” for regulators to structure “long-term engagement” with utilities on cybersecurity; the Cybersecurity Tabletop Exercise (TTX) Guide (2019), an aid for creating exercises to gauge utilities’ and other stakeholders’ ability to respond to and recover from a cybersecurity incident; and a Cybersecurity Glossary (2019), which defines cybersecurity terms used in the other publications.
The content builds on NARUC’s Cybersecurity Primer, which was released in 2012 and updated in 2017.
Questions Template
The new questions document is organized by the five cyber risk management functions defined in the National Institute of Standards and Technology’s industry-agnostic Cybersecurity Framework (CSF).
The questions are divided into two categories: policy and plans, and implementation and operations.
NARUC recommends regulators consider creating cross-functional teams, including personnel familiar with utility operations, IT specialists and legal staff, to conduct the evaluations. Some commissions may hire cybersecurity consultants to assist.
The questions align with NERC’s Critical Infrastructure Protection standards. Some samples: Does an asset inventory exist? Do you require specialized cybersecurity training for personnel with IT or OT [operational technology] responsibilities? Do you budget for cybersecurity tools and technology separately from IT? Have you identified minimal operational functionality for recovery of critical assets?
Evaluation Tool
NARUC said its cybersecurity evaluation tool is intended to be more accessible than other resources, such as the Department of Energy’s Cybersecurity Capability Maturity Model (C2M2).
“Feedback from NARUC working groups and interviews consistently reveal that many [commissions] do not have access to the resources and technical knowledge necessary to apply highly technical tools like the C2M2,” it said. “By focusing only on the aspects of cybersecurity most important to commissions, completing an assessment using the CPET is likely to be less resource intensive on both the commission and the utility than assessments using other maturity models.”
The CPET helps regulators determine whether utilities have sufficient cyber plans and policies in place, have protected their IT and OT systems, and are prepared to respond to and recover quickly from attacks. While C2M2 can be used to evaluate generation, transmission or distribution operations separately, the CPET is intended to provide an overall assessment.
“By regularly engaging with utilities (e.g., annually, semiannually) using the Questions for Utilities and analyzing the information received using the CPET, commissions can assess the year-over-year change in cybersecurity preparedness of individual utilities within a [commission’s] jurisdiction, promote continuous improvement, and increase the overall awareness and visibility of cybersecurity preparedness and resilience across the utility landscape within their states,” NARUC said.
The CPET allows regulators to assign one of six maturity levels for nine topic areas consistent with the NIST CSF and NERC CIP standards.
NARUC recommends state regulators perform the cybersecurity evaluations separately from regulatory proceedings, saying doing so is likely to produce more openness from the utilities.
The CPET is not intended to be used to compare utilities’ maturity levels “as the operating environment and resource availability for each utility is unique and does not lend to a one-to-one comparison,” NARUC said.
“Although the CPET is not intended to assess utilities against each other, commissions can use the data collected from its analysis to develop a comprehensive view of cybersecurity preparedness across its jurisdiction, including strengths, challenges, best practices and other valuable information that will help guide their long-term activities and future engagements with utilities.”