In January 2017, the National Association of Regulatory Utility Commissioners (NARUC) released an updated Cybersecurity Primer to provide guidance to state utility regulators on cybersecurity issues. The Cybersecurity Primer is intended to be “a tool for policymakers who are charged with making decisions about the electric, gas, water, communications, and transportation systems that are vital to everyday life.” Utilities can use the Cybersecurity Primer to anticipate the issues their regulators are likely to raise. The document sets forth over 100 recommended questions for regulators to ask in order to gauge a utility’s readiness and approach to cybersecurity. Those questions are grouped into several categories, each representing a key component of managing cybersecurity, including a utility’s cybersecurity planning, compliance standards, reporting practices, procurement practices, personnel and policies, risk management, response and recovery procedures, organizational governance, and systems and operations.
NARUC also presents in the Cybersecurity Primer a high-level overview of cybersecurity issues in the utilities industry and highlights the importance of viewing cybersecurity from both a compliance and a risk-management standpoint. Given the wide-ranging cyber threats, it is essential not only to comply with standards such as the North American Electric Reliability Corporation’s Critical Infrastructure Protection standards, but also to implement a risk-based approach that allocates resources to defend against vulnerabilities and threats prioritized by likelihood, consequences, and potential interactions with other risks. The National Institute of Standards and Technology’s Cybersecurity Framework provides one example of a risk-based approach to managing and mitigating cybersecurity threats.