October 4, 2024
States Want Cyber Best Practices; Santorum Seeks ‘Warriors’
Regulators and officials discussed the importance of cybersecurity and cybersecurity best practices at NARUC's winter meetings.

By Rich Heidorn Jr.

WASHINGTON — A recent survey of state cybersecurity practices provided some surprising results, New Jersey Board of Public Utilities President Richard Mroz told the National Association of Regulatory Utility Commissioners’ winter meeting last week.

“We found most of the states actually do have a fusion center of some sort, so states are taking that seriously,” Mroz said, referring to locations at which state agencies share intelligence on security threats. “On the other hand we hear … from our colleagues that they don’t know what the best [cybersecurity] practices are — what’s working elsewhere.”

Mroz is chairman of NARUC’s Critical Infrastructure Committee, which sent the survey last year to the 34 states that are members of the committee; 19 had responded as of January. The committee is now seeking responses from the remaining states, including those not on the panel. The results will be included in what NARUC intends as a “living” catalog of information about state regulators’ efforts on critical infrastructure resilience. The survey is also referenced in the latest edition of NARUC’s cybersecurity primer, which was released Jan. 31.

‘Retasking’ the National Guard

Also speaking on the NARUC General Session panel Tuesday was former Sen. Rick Santorum (R-Pa.), who expressed concern over the shortage of cybersecurity personnel and their lack of preparation for “war.”

“These are people who went to school for computer service or a whole variety of other things and they’re the people who are our quote ‘war fighters.’ They’re not trained as war fighters … and yet they’re in the middle of a battle,” said Santorum, an unsuccessful presidential candidate in 2012 and 2016.

“So they don’t take the approach of ‘How do we comprehensively deal with this problem?’ … We seem to be saying just ‘How do we defend ourselves?’ instead of ‘How do we really put a strategy together to attack the enemy to make sure they aren’t attacking us?’

“I’m not too sure we want corporations out there attacking those who might attack them, but I think we have to start thinking about innovative ways in which to deter people from coming at us,” he added.

Left to right: Mroz, Santorum, Monken and NARUC President Robert Powelson | © RTO Insider

In conversations with former colleagues on Capitol Hill, Santorum said, he has proposed “retasking” the National Guard for a cyberdefense role. “We need these people to be out across America to be almost like a Minute Man type of operation to be able to respond to some of these threats we have.”

‘Lanes of Effort’

Jonathon Monken, PJM’s senior director of system resiliency and strategic coordination, a West Point graduate and former director of the Illinois State Police, responded that officials need to “de-conflict … the lanes of effort” by clearly defining roles and responsibilities to determine “who’s best suited to do what.”

Monken said the electric industry also needs to improve the security of its tools.

“Recognizing the fact that our systems are interconnected. Our [information technology] configurations are very, very similar. They’re not identical. It’s not if you breach one that you get access to everybody. But it’s not like there’s that many different [energy management system] providers out there. It’s just a handful of system types and the architectures are very similar.”

Separately, acting FERC Chairman Cheryl LaFleur talked about the importance of collaboration between government and industry and of not relying on just meeting NERC’s standards on critical infrastructure protection.

“While mandatory standards are important, the cyber challenges are evolving so quickly, you can’t really regulate your way out of it. You can’t do a standard fast enough for some new piece of malware or ransomware that comes along,” she said. “The non-mandatory piece is becoming more and more important.”
