Why state regulators may soon be on your case about cyber security (and why it's a good thing)
Editor's note: Some electric power utilities take a reactive approach to cyber security -- "we'll do something when mandated." But many industry observers -- including me -- think they need to be more proactive. So when I saw a recent white paper from the California Public Utilities Commission (CPUC) suggesting a proactive approach -- and making specific recommendations -- I asked for permission to run a short summary here.
California is a progressive state that is watched closely by others. What's more, commissions in Michigan, Pennsylvania and Texas are also developing cyber security policies. In other words, if you haven't yet heard from your PUC about the issue, you probably will soon. If I were you, I'd be getting ready right now. The article below is a good starting point. -- Jesse Berst
By Elizaveta Malashenko
With grid modernization underway, cyber security is recognized as an increasingly important factor in ensuring resiliency, reliability and safety. Indeed, it has become a top national security issue. Many cyber security events have already taken place, including Stuxnet, Aurora, RuggedCom, smart meter hacks and others.
From a regulatory perspective, grid cyber security has been addressed most actively at the Federal level through the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements. However, the NERC-CIP framework has important limitations.
First, NERC-CIP primarily covers only generation and transmission assets that qualify as "critical." Estimates suggest that 80-90% of grid assets are outside NERC-CIP’s scope. Second, NERC-CIP is primarily compliance-based. Compliance is important, but it is not enough to ensure that the rapidly evolving risks are adequately considered and acted upon.
Issues to address
Regulators should explore cyber security best practices and develop a recommended approach for their investor-owned utilities. California has already instituted an explicit safety and security risk assessment (including cyber security) as cornerstone of its approach to reliability and safety. It has also established privacy rules for customer data and has required utilities to report on cyber security activities in their Smart Grid Deployment Plans. Other potential issues include:
Â· What actions can regulators take to address cyber security to ensure public safety and reliability?
Â· What is their position whether and how NERC-CIP cyber security requirements should be applied to the distribution grid?
Â· What are the proper regulatory mechanisms to ensure cyber security, including both compliance-based and risk assessment-based approaches?
Â· How can regulators ensure that utilities and technology providers are properly incentivized to adequately address cyber security?
Â· What requirements should be developed to ensure that the electric system is designed to be resilient to cyber-attack?
Â· What are the metrics to track the effectiveness of cyberseucirty policies and investments?
Â· How do confidentiality rules apply to cyber security reporting?
Â· Should regulators consider safe harbor protections to encourage utilities to share cyber security information?
Cyber security is a cornerstone of safe and reliable electric power. Regulators should take a proactive approach.
Elizaveta Malashenko is Program and Project Supervisor for Grid Planning and Reliability in the Energy Division of the California Public Utilities Commission. This article was adapted with permission from the CPUC staff paper "Cyber security and the Evolving Role of State Regulation: How it Impacts the California Public Utilities Commission," which is available for free download at the CPUC Reports and White Papers web page (scan for the Sept 19, 2012 report).
More on cyber security and the grid...