DOE-funded initiative proposes cybersecurity baselines for electric distribution systems, distributed energy resources

The U.S. Department of Energy (DOE) announced last week its support for the newly released cybersecurity guidelines aimed at electric distribution systems and distributed energy resources (DER) like solar, wind, and storage. The publication underscores the Biden-Harris Administration’s dedication to enhancing the national and energy security of the United States, as well as achieving the President’s objective of a net-zero emissions economy by 2050.

The effort, led by the National Association of Regulatory Utility Commissioners (NARUC) and funded by the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), was developed with the help of a steering committee composed of industry and government experts, including electricity sector stakeholders, state regulatory bodies, cybersecurity professionals, and more. 

Cyber threats are increasingly sophisticated and target critical energy infrastructure more frequently than ever before. Last year, the National Cybersecurity Strategy directed the DOE to ‘promote cybersecurity for electric distribution and distributed energy resources (DERs) in partnership with industry, states, federal regulators, Congress, and other agencies.’ 

The NARUC/DOE initiative complements industry and government efforts by providing cybersecurity baselines, tailored for electric distribution systems and the DERs that connect to them, creating a common starting point for cyber risk reduction activities. These baselines, coupled with the forthcoming implementation guidance, are intended to be a resource for state Public Utility Commissions, electric distribution utilities, and DER operators and aggregators. 

The move encourages alignment across states that adopt baselines to mitigate cybersecurity risk and enhance grid security. NARUC convened a Steering Group of regulatory, cyber, and industry experts from across the sector to help execute this challenging task. The development process also included multiple stakeholder review and comment cycles to ensure a wide range of perspectives were considered. 

This initiative is divided into two phases. The first phase covers the development of a vetted set of cybersecurity baselines for electric distribution systems and the DERs that connect to them. These baselines define the cybersecurity controls that should be implemented, without specifying which procedures or technologies to use. It is expected that the baselines may be used by regulatory bodies and distribution utilities as a potential framework for developing their cybersecurity requirements in conjunction with Phase 2 implementation strategies.

The second phase covers the preparation of implementation strategies and adoption guidelines to support electric distribution system stakeholders as they continue to develop and refine their cybersecurity requirements. These Implementation Guidelines will include recommendations for assessing cybersecurity risks, prioritizing the assets to which the cybersecurity baselines might apply, and prioritizing the order in which the baselines might be implemented based on cyber risk assessments. 

The guidance will also address risk-based implementation timelines. The Implementation Strategies and Adoption Guidelines are aimed at Public Utility Commissions, utilities, and DER operators who wish to adopt the baselines. Phase 2 is expected to be completed over the next year.

“Safeguarding America’s energy infrastructure and advancing U.S. cybersecurity capabilities is critical to achieving President Biden’s ambitious climate goals,” David M. Turk, U.S. Deputy Secretary of Energy, said in a media statement. “Today’s announcement underscores the Biden-Harris Administration’s commitment to working with key partners, like NARUC, to develop vital cybersecurity solutions and strengthen the resilience of America’s electric systems.” 

“Americans want to know our electricity systems are safe and cyber secure. And companies want uniform expectations when it comes to cybersecurity,” said Anne Neuberger, U.S. Deputy National Security Advisor. “The Department of Energy and NARUC have taken the first step to achieving both, with the release of these cybersecurity baselines. Thank you to the many public and private sector contributors.” 

The regulatory oversight of electric distribution systems and distributed energy resources occurs at the state level. The guidance developed by NARUC, through CESER’s funding, will help provide states with uniform cybersecurity baselines instead of creating a patchwork of cybersecurity requirements across the country. Further, the baselines will enable electric companies and DER providers to work with state utility commissions and energy offices, boards, and communities to prioritize cybersecurity investments across the United States. 

The cyber baselines are based on DOE’s extensive work on energy sector cybersecurity and the U.S. Department of Homeland Security’s Cybersecurity Performance Goals (CPG). The baselines demonstrate the value of public-private partnerships to advance national security priorities. 

The Phase 1 Cybersecurity Baselines are intended to be used in concert with Phase 2 Implementation Guidance. Implementing the baselines without thoughtful consideration of scope, priorities, sequencing, and risk may result in the inefficient use of limited resources on the part of Commissions, distribution utilities, and DER providers and aggregators, thus diluting the effectiveness of cyber protections being applied where they matter most. 

Publishing the baselines now while undertaking Phase 2 allows for broader awareness of their development and allows commissions to engage in discussions with key stakeholders within their jurisdictions as the implementation guidance is being designed.

Additionally, Phase 2 will tailor cybersecurity controls that focus on addressing risk to the different stakeholders that participate in the distribution system. The number of distribution system participants continues to increase, and each participant faces different types of risk based on entity sizes, architectures, components, and control mechanisms of power systems. 

Those risks will evolve as the power systems change, and as technologies advance and become more pervasive. Phase 2 will develop implementation guidelines based on these and other factors. As Phase 2 develops, enhancements to the baselines may be suggested.

In 2024, DOE looks forward to working with NARUC, industry, and states through a similar public-private approach to develop implementation strategies and adoption guidelines, driving toward uniform cybersecurity guidance across the country. The guidelines will include recommendations for assessing cybersecurity risks and prioritizing the assets the baselines might apply to.
