To bolster the cybersecurity of the electric grid nationally, a new study identifies how states and state utility commissions can use existing tools to break down barriers that leave the distribution system vulnerable to massive disruption.
State statutes, regulations and utility commission orders from more than two dozen states — including California, Florida, Iowa, Michigan, New York and Pennsylvania — are examined in the study conducted by the Vermont Law School’s Institute for Energy and the Environment (IEE) for the non-profit grid advocacy group, Protect Our Power. The new report is part of a larger public policy effort that, last April, saw IEE release its Phase 1 report for Protect Our Power that identified state-level barriers to grid security enhancements.
IEE’s Phase 2 report discusses statutory and regulatory approaches that facilitate sharing of confidential security information, assess utility security practices, incentivize cybersecurity investments and evaluate system performance. The study’s findings were presented publicly for the first time to the Critical Infrastructure Committee of the National Association of Regulatory Utility Commissioners during its recent annual meeting and education conference in San Antonio.
“The complex nature of each of the issues means that simple solutions are not going to work,” the report states. “What will work are tools that help information move between utilities and regulators, incentivize investment while protecting the public interest, assess system performance and system needs, and ensure that cybersecurity is a fundamental objective of grid modernization plans.”
IEE’s new report is entitled “Improving the Cybersecurity of the Electric Distribution Grid: Pathways to Enhancing Grid Security.” Some of the study’s major findings, buttressed by examples from states’ laws and best practices:
- The movement of confidential information is a critical element in improving the cybersecurity posture of utilities and boosting the institutional capacity of regulators. States are crafting processes and protocols that facilitate information flows between regulators and utilities without adding risk to the system.
- Cybersecurity reports, smart grid reports and management and operations audits are established processes that can reduce the “information asymmetry” that exists between utilities and their regulators and limits actions on cybersecurity.
- As utilities increasingly propose the use of alternative rate mechanisms to incentivize cybersecurity investments, legislatures and commissions will need a balanced approach to weigh the benefits of the alternative rate mechanism against its potential shortcomings, such as a reduction in the lengthy, formal due process.
- Resiliency metrics are critical tools for assessing cyber preparedness, but they are not widely utilized. State commissions can draw on the historic deployment of reliability metrics to develop their resiliency metrics programs.
Richard Mroz, Protect Our Power senior advisor for state and government relations, former president of the New Jersey Board of Public Utilities and former chairman of the National Association of Regulatory Utility Commissioners’ Critical Infrastructure Committee, said the study elevates approaches that can be implemented widely to better secure the electric distribution grid.
“This work highlights how states and their regulators, along with the industry, are beginning to meet the challenges for the protection of our critical infrastructure,” Mroz said. “Our prior works on these issues brought focus to how difficult these issues can be for industry and regulators to encourage the investments while keeping in mind the benefits but costs to customers.”
IEE researchers conducted the study over the past year. The IEE team conducted its research by reviewing utility commission dockets and orders; analyzing state statutes and regulations; evaluating cybersecurity policies; and interviewing representatives of investor-owned utilities, national trade organizations, public utility commissions, information security officers and others. The report will be shared with NARUC, state utility commissions and electric industry representatives and organizations.
“Action is needed to reduce the impact of a major cyberattack on the nation’s distribution grid and this report provides concrete steps towards ensuring a more resilient grid,” said Mark James, project lead and adjunct professor at Vermont Law School. “Our research identifies pathways for utilities and utilities commissions to reduce existing barriers to investment and increase system resilience.”
Protect Our Power commissioned the study in June 2018. The goal is to help identify a pathway, or model approach, that state electric utility commissions and their utilities can use to facilitate timely grid upgrades, including appropriate financial options for equitably sharing the costs of upgrades.