Cost recovery for electric sector cybersecurity investments and development of resilience metrics to gauge the industry's progress are two of several recommendations unveiled by Vermont Law School researchers.
The researchers briefed the Critical Infrastructure Committee of the National Association of Regulatory Utility Commissioners (NARUC) on the findings of a six-month study of electric grid security.
The study, conducted for Protect Our Power by the law school's Institute for Energy and the Environment (IEE), recommends that state utility commissions exercise their authority to increase the flow of confidential information regarding vulnerabilities and best practices.
It also identifies the diversity of approaches to cybersecurity regulation among utility commissions across the country as a concern that warrants attention and improvement.
"Addressing anticipatory threats such as cyberattacks is a challenge that we are not fully meeting," said Mark James, assistant professor of energy law and a senior research fellow, who led the institute's research team.
"As interconnections between and within distribution systems increase, the vulnerability of the electric grid also increases. Continuous communication between utilities and their regulatory commissions is the first step to improving the depth, quality and consistency of efforts to address cybersecurity vulnerabilities."
Richard Mroz, former president of the New Jersey Board of Public Utilities and the former chairman of NARUC's Critical Infrastructure Committee, said the study offers valuable insights into a complex problem that is rife with confusion and cost challenges.
"As a former state regulator, I know how difficult it can be to balance the needs for new investments to protect critical infrastructure against the potential cost to ratepayers," said Mroz, who serves as Protect Our Power's senior advisor for state and government relations.
"That challenge is made even more difficult because protecting against cyberattacks is a new necessity, and the utility industry and regulators don't necessarily have the legal tools required to evaluate and support such investments."
Mroz said he believes this new research will help regulators evaluate whether they need new or additional policies to support investments to protect against an ever-growing variety of cyberattacks on the electric grid.
The IEE team conducted its research by reviewing utility commission dockets and orders; analysing state statutes and regulations; evaluating cybersecurity policies; and interviewing representatives of investor-owned utilities, national trade organisations, public utility commissions, information security officers and others.
The study follows the recent Worldwide Threat Assessment of the U.S. Intelligence Community, in which National Director of Intelligence Dan Coats warned that "Russia has the ability to execute cyberattacks in the United States that generate localised, temporary disruptive effects on critical infrastructure—such as disrupting an electrical distribution network for at least a few hours—similar to those demonstrated in Ukraine in 2015 and 2016. Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage."
Today's briefing to NARUC on the study's key findings occurred on the opening day of the NARUC Winter Policy Summit. The study will be finalised over the next several weeks and is expected to be released officially in early March, James said.