Public utility commissions’ executive leadership must be willing to take a “champion” role in building their organizations’ cybersecurity expertise, according to a guideline released this week by the National Association of Regulatory Commissioners.

NARUC created the guide to recognize the growing importance of electronic communication tools to utilities in their everyday operations. The proliferation of innovative technology throughout the grid has made it easier than ever for system operators to track and respond to disturbances in real-time, but also created many new points of access for malicious cyber actors seeking to damage critical infrastructure.

The problem was highlighted by the discovery last year that hackers linked to Russia’s military gained access to computer networks used by thousands of public- and private- sector organizations. Earlier this year FERC’s Joseph McClelland told NARUC’s Winter Policy Summit that large-scale replacement of affected systems “may be the only option” for some organizations. (See SolarWinds Recovery May Require Extreme Actions.)

Utilities must bear the cost of preventing future breaches, or mitigating their damage, by setting up robust cyber protections. However, PUCs cannot afford to sit idle; they will need their own cybersecurity experts, both to make sure their own defenses are capable of shielding vital information and ensure that power providers’ measures are suitable.

“We must weigh the costs and benefits of utilities’ cybersecurity investments. And should the day come, we must be ready to work with our utilities to recover from a successful cyberattack. To perform these functions, access to cybersecurity expertise is vital,” Pennsylvania PUC Chair Gladys Brown said in the document’s foreword.

Multiple Organizational Models

The NARUC guide draws on previous work, such as the organization’s Cybersecurity Strategy Development Guide from 2018, while expanding on two key areas: organizational approaches for PUCs’ cybersecurity divisions and guidelines for hiring and retaining cyber talent.

Setting up a cybersecurity department may seem like a daunting task for commission staff, particularly if they have spent most of their careers focused on utilities and find themselves playing catch-up in the world of electronic defenses. This is why executive-level buy-in is so critical: PUC leaders must set a clear goal for the new project, lay out how it aligns with the commission’s mission, define how the newly hired professionals will fit into the existing structure and ensure they are treated equally to veteran employees.

“In some PUCs, [cybersecurity experts] exclusively have external utility-facing roles; in others, they may only secure PUC-specific IT infrastructures, and in others, they may perform both functions,” the report states. “It is worth noting that in some PUCs, cybersecurity may not be a full-time role; rather, it may be part of a more extensive umbrella of critical infrastructure and risk management work.”

PUC leaders must also keep their available resources in mind when laying out organizational plans, including budgetary constraints that might keep them from employing their own full-time cybersecurity professionals. The guide suggests several alternative organizational models to dedicated in-house cyber divisions, such as a mix of internal and outsourced operations or adding cybersecurity responsibilities to an existing division. However, the organization emphasized that “many effective variations of these models exist.”

Recruitment and Retention

Budgetary factors may also strain a PUC’s ability to attract and retain the needed level of cybersecurity talent, particularly given the high demand for security professionals among all organizations. The report notes a 2019 study that suggests the U.S. needs to expand the cybersecurity workforce by 62% to meet demand, with more than 900,000 individuals already working in related professions between May 2019 and June 2020, but over 500,000 positions are still unfilled.

Because it may be tough for PUCs to match salaries offered in the private sector, NARUC suggests playing on different motivators to entice cybersecurity experts. Attractive aspects to employment with PUCs for entry and mid-level professionals include the security of a government job, a positive work/life balance compared to the private sector and a “sense of civic duty” that comes from serving one’s fellow citizens. For director-level candidates, NARUC suggests portraying the position as a chance to tackle new challenges and enter a second career phase.

Keeping skilled professionals on board is another challenge for commissioners because rapid turnover means private sector organizations are always looking for new talent. The report recommends showing employees that their suggestions and concerns are taken seriously, giving them opportunities for ongoing training and providing reliable pathways for advancement to higher levels.

“There is no ‘default’ cybersecurity expert or single skillset that applies to cybersecurity broadly,” the report says. “When hiring, PUCs must carefully consider their state’s cybersecurity strategy, their own cybersecurity strategy, the roles and responsibilities that a cybersecurity professional will undertake and the essential skills necessary to perform them.”