WASHINGTON, April 15, 2019—Cost recovery for electric sector cybersecurity investments is a critical component in ensuring that utility companies make key investments to protect the U.S. electric grid from cyberattacks, according to a new study.
The study, conducted by the Vermont Law School’s Institute for Energy and the Environment (IEE) for the non-profit group Protect Our Power, also concludes:
- Many systems have not invested sufficiently in cybersecurity;
- There is a lack of uniformity of regulatory oversight;
- Improved sharing of confidential information on utility security practices between utilities and regulators is needed, and
- Resilience metrics are needed to strengthen the electric distribution grid against cyberattacks.
The report, “Improving the Cybersecurity of the Electric Distribution Grid,” identifies the status of efforts and ongoing challenges to addressing the growing risk of a cyberattack on the electric grid. It also presents best practices that state electric utility commissions and their regulated utilities can use to increase investments to enhance grid security. It includes case studies of actions taken in California, Connecticut, Florida, Michigan, New York and other states to enhance cybersecurity.
The report comes amid another wave of warnings from the U.S. intelligence and defense communities that threats to critical infrastructure, and especially to the electric grid, grow more serious. Russia, for example, is known to have hacked into power plant industrial control systems and, according to the Worldwide Threat Assessment of the U.S. Intelligence Community, “Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.”
The study, conducted by IEE researchers over the past eight months, identifies several key areas where action is needed, including:
- Improving protections for confidential information shared between utilities and regulators regarding vulnerabilities and plans to address them;
- Improving the frequency and quality of utility commission engagement with cooperatives, public power utilities and smaller utilities to elevate the security posture of all distribution utilities;
- Aligning investment incentives with system needs;
- Reducing regulatory obstacles to utility investment, and,
- Deploying new metrics for assessing a system’s security performance.
“It is clear that action is needed to reduce the likelihood and impact of a cyberattack on the nation’s distribution grid, and this report provides concrete steps towards ensuring a more resilient grid,” said Mark James, project lead and assistant professor with the Vermont Law School. “Our research identifies pathways for utilities and utilities commissions to reduce existing barriers to investment and increase system resilience.”
Richard Mroz, Protect Our Power’s senior advisor for state and government relations, former president of the New Jersey Board of Public Utilities and former chairman of the National Association of Regulatory Utility Commissioners’ Critical Infrastructure Committee, said the study offers valuable insights into a complex problem that is rife with confusion and cost challenges.
“As a former state regulator, I know how difficult it can be to strike the right balance between the need for new investments to protect critical infrastructure and the potential cost to electric ratepayers,” Mroz said. “This report highlights the clear challenge for industry and regulators but also case studies of how this challenge is being met to secure the grid.”
Mroz said he hopes this report will give regulators confidence that the necessary investments can be made prudently.
Protect Our Power commissioned the study in June 2018. The goal is to help identify a pathway, or model approach, that state electric utility commissions and their utilities can use to facilitate timely grid upgrades, including appropriate financial options for equitably sharing the costs of upgrades.
The IEE team conducted its research by: reviewing utility commission dockets and orders; analyzing state statutes and regulations; evaluating cybersecurity policies; and, interviewing representatives of investor-owned utilities, national trade organizations, public utility commissions, information security officers and others. The report will be shared with NARUC, state utility commissions and electric industry representatives and organizations.
The IEE team soon will begin Phase Two of the research project, designed to develop model regulations and policies that could be used by states to help bring a higher level of consistency to regulatory approaches nationally, still allow individual states the flexibility to address local issues.
About Protect Our Power
Protect Our Power is a not-for-profit organization designed to build a consensus among key stakeholders, decision-makers and public policy influencers to launch a coordinated and adequately funded effort to make the nation’s electric grid more resilient and more resistant to all external threats. The national program must also ensure establishment of an enhanced power restoration and recovery component for all grid operations that would include communications protocols to protect the American public. Protect Our Power has a highly-experienced staff and 25-member Advisory Panel representing a broad cross-section of grid-related disciplines. POP is singularly and uniquely positioned as a non-partisan, unbiased thought leader able to serve as a convening, moderating, action-oriented voice.
About Vermont Law School
Vermont Law School, a private, independent institution, is home to the nation’s largest and deepest environmental law program. VLS offers a juris doctor curriculum that emphasizes public service in four master’s degree and four post-JD degree programs.
###
Media Contact
Steve Kerekes, Protect Our Power
703-508-2550