The National Association of Regulatory Utility Commissioners (NARUC) released on Monday a guide intended to serve as a tool that helps state public utility commissions develop or expand their cybersecurity proficiencies, understand how cyber experts typically function in a PUC environment, and identify the skill sets they need. The guide also addresses recruitment, retention and alternative tactics, and provides examples of cybersecurity job descriptions.
Based in Washington, D.C., NARUC is a non-profit organization that represents the state public service commissions, which regulate utilities that provide essential services, including energy, telecommunications, power, water, and transportation. The ‘Guide for Public Utility Commissions: Recruiting and Retaining a Cybersecurity Workforce’ is a response to the evolving threat environment, and provides state regulators with another tool in their cybersecurity arsenal.
Rising threats to the critical infrastructure sectors from malicious actors have led public utility commissions (PUCs) to increase their cybersecurity expertise. However, a shortage of trained cybersecurity professionals in the workforce, coupled with internal budget constraints and strict civil service hiring requirements, may impact a PUC’s ability to hire and retain qualified staff. These challenges, however, are not insurmountable.
“We all play a role in keeping critical infrastructure cyber secure,” wrote Gladys Brown Dutrieuille, chairman of the Pennsylvania Public Utility Commission and chair of the NARUC Committee on Critical Infrastructure. “As regulators, it is incumbent on us to engage our utilities and other key stakeholders on cybersecurity matters for this purpose. We must understand the evolving threats and vulnerabilities as well as the risk mitigation options that are available.”
Recent attacks on critical infrastructure have brought the spotlight on maintaining cybersecurity. The most recent power grid failure in Texas cut off the critical energy needed to keep people warm, operate critical building control systems, and deliver water.
“Today’s bad situation is weather-related, yesterday it was natural disasters in the form of forest fires, and every other day seems to be ransomware and compromised endpoints and VPNs,” wrote John Livingston in a Verve Industrial company blog. “But all disaster recovery plans need the support of people, processes, and technology. Decision-makers must plan for worst-case scenario instead of developing plans around optimized conditions,” he added.
Commissioners also need advice on utilities’ cybersecurity-related programs and cost recovery issues, emerging technical standards and requirements, and risks associated with applicable new technologies.
These professionals identify, gather, and analyze pertinent information regarding utilities’ cybersecurity risk management and preparedness programs. They identify gaps and articulate the impact on customer service reliability, help identify ranges of viable improvements and associated costs for decision makers, and facilitate the information sharing that helps utilities prevent or recover from a cybersecurity incident.
At times, security experts may be called upon to participate in, or lead, cybersecurity audits or risk assessments of utilities, to use their subject matter expertise to engage utilities in discussions about their risk management strategies, processes, and practices, and to identify potential security gaps. Upon completion of such an assessment, cybersecurity professionals are better positioned to advise commissioners on how utilities are approaching risk, leaving the commissioners better placed to decide whether to advise or direct utilities to make additional investment.
The guide also examines the skill sets required of cybersecurity experts, and describes how cybersecurity professionals within the public utility commissions are assigned tasks that match their specialty areas, or work with utility professionals who perform those tasks, in order to accomplish the commissions’ goals. There are distinct levels of cybersecurity professionals who collectively work toward these goals, such as director-level, mid-level and entry-level professionals. Although they perform similar contextual duties, each team member is generally responsible for work matching their education and experience level.
PUCs must target their recruitment efforts depending on the level of cybersecurity talent they are attempting to hire. A cybersecurity professional’s ideal characteristics will differ based on their level of experience in the cybersecurity industry, while experience level will also indicate appropriate recruitment pipelines, what attracts them to government service, and challenges PUCs may face as they recruit qualified talent.
In addition to compensation and common employer benefits, research has shown that cybersecurity professionals generally stay with employers who offer continuous training/certification opportunities, take their opinions/suggestions seriously, provide a positive work/life balance, and offer opportunities for promotion/career advancement. Importantly, as PUCs explore building or expanding their cybersecurity programs, the support of PUC leadership is a critical component of acquiring and retaining dedicated professionals to meet cybersecurity goals.
“Regardless of the hiring path chosen, the key to commission success is prioritizing cybersecurity as if our nation’s critical infrastructure depended on it,” said Dutrieuille. “In fact, it does,” she concluded.