A new report reveals how states can bolster the cybersecurity of the national electric grid. This week, Vermont Law School’s Institute for Energy and the Environment released Phase 2 of a study done in partnership with non-profit grid advocacy group Protect Our Power. The report identifies how states and state utility commissions can use existing tools to better secure distribution systems and prevent massive disruption.
According to the report, the utility industry has expressed concerns that current information sharing practices are hampering its ability to respond to emerging cybersecurity threats. As part of the study, IEE looked at state statutes, regulations and utility commission orders from more than two dozen states, including California, Florida, Iowa, Michigan, New York and Pennsylvania, in an effort to examine how the need for more information sharing competes against the need for enhanced information security.
“The complex nature of each of the issues means that simple solutions are not going to work,” the report states. “What will work are tools that help information move between utilities and regulators, incentivize investment while protecting the public interest, assess system performance and system needs, and ensure that cybersecurity is a fundamental objective of grid modernization plans.”
Information sharing is valuable to system operators and systems regulators; however, it can also be used by hackers to infiltrate the very systems utilities are trying to protect. Keeping this information secure is vital, but according to the report, state disclosure laws can impact efforts to keep information confidential.
IEE’s Phase 2 report identifies state-level barriers currently preventing secure information sharing that could allow for grid security enhancements. It also supplies statutory and regulatory approaches states can take to facilitate the sharing of confidential security information. The report also provides insight on how organizations can better assess utility security practices, incentivize cybersecurity investments and evaluate system performance.
“Action is needed to reduce the impact of a major cyberattack on the nation’s distribution grid, and this report provides concrete steps towards ensuring a more resilient grid,” said Mark James, project lead and adjunct professor at Vermont Law School. “Our research identifies pathways for utilities and utilities commissions to reduce existing barriers to investment and increase system resilience.”
IEE’s findings suggest that cybersecurity reports, smart electric grid reports and management and operations audits can reduce the “information asymmetry” that exists between utilities and their regulators. The report also indicates that resiliency metrics are a critical tool for assessing cyber preparedness and suggests that state commissions can draw on the historic deployment of reliability metrics to develop their resiliency metrics programs.
“This work highlights how states and their regulators, along with industry, are beginning to meet the challenges for protection of our critical infrastructure. Our prior works on these issues brought focus to how difficult these issues can be for industry and regulators to encourage the investments while keeping in mind the benefits but costs to customers,” Richard Mroz, Protect Our Power senior advisor for state and government relations, former president of the New Jersey Board of Public Utilities and former chairman of the National Association of Regulatory Utility Commissioners’ Critical Infrastructure Committee, said in a press release.