Opinion: Open Letter on Cybersecurity to State Commission Chairs

on September 06, 2013 at 10:00 AM

[Photo caption: Coal Remains Main Source Of German Energy Supply]

Dear State Public Utility Commission Chairmen and Chairwomen,

Risk management isn’t a new concept for any of the utility companies you regulate, nor, I’m sure, is it new for you and your team. When large storms or fires cause power outages, you monitor how quickly electric utilities restore service to customers. When proposals for new infrastructure modernization projects come to you, you evaluate the potential benefits as well as the potential risks. Drawing from decades of experience, you know what’s normal and are able to praise or critique utilities for being faster or slower, better or worse, than expected.

With the best interests of your state and its citizens in mind, you have the authority to levy fines as punishment for particularly inappropriate or negligent behavior, as when poorly maintained natural gas distribution lines lead to explosions, property damage and loss of life. You have similar responsibilities for the safe and reliable delivery of water in your jurisdiction.

While physical security — protecting assets from harm as well as from unauthorized access — has always been an essential component of utilities’ safety, reliability and risk management programs, cybersecurity was not, prior to the arrival of the internet. This is changing with the deregulation of electricity and gas providers in many states, as well as with modernization efforts often tagged with the prefix “smart”. Ten years ago, cybersecurity was largely considered a nuisance-level threat to administrative applications like HR and payroll. In other words, cyber risk was seen as bearing mainly on systems highly unlikely to affect core responsibilities like safety or reliability.

However, as you may be aware, over the past several years cybersecurity risk has leapt to boardroom-level attention at your utilities, due to several factors:

  • In addition to DOE’s Aurora demonstration, which destroyed a generator, the sophisticated Stuxnet attack on Iranian nuclear centrifuges made it clear that cyber attackers could reach and wreak havoc on physical assets.
  • Several US utilities suffered breaches and other data loss episodes exposing millions of their customers’ private information.
  • NERC Critical Infrastructure Protection (CIP) standards were created to hold utilities accountable for the security of the cyber systems supporting designated generation, transmission and control center assets, with the prospect of heavy fines for non-compliance.
  • There has been unprecedented growth in the interconnection of customers, markets, control centers and adjoining utilities.
  • Process risk has been heightened by complex and frequently changing regulatory requirements, including, earlier this year, U.S. executive-branch actions (Executive Order 13636 and Presidential Policy Directive 21) intended to improve the security of critical infrastructure.

Cyber threats have the clear potential to imperil performance in critical categories including reliability, safety, reputation, and audit and compliance, and your utilities are adapting with varying degrees of speed and success. Some, facing stiff penalties from NERC starting in 2011, had to move quickly to build a team and implement additional process and technical controls. Others, pursuing American Recovery and Reinvestment Act (ARRA) grants, had to include significant cybersecurity sections in their advanced metering infrastructure (AMI) and smart meter proposals and then follow through accordingly in their implementations.

But many utilities have few or no assets that fall under the purview of NERC’s CIP program, and by some estimates, even accounting for those that do, the CIPs pertain to only about 3% of the total US grid, as distribution assets are largely under the supervision of the states. The ARRA incentives were a one-time event, and at best a mixed blessing. Clearly, another type of motivation is needed to complete the push toward better cybersecurity. Increased and appropriate cybersecurity competence can only come from attitude and culture changes within utilities, as part of an updated enterprise risk management portfolio.

The type of protection needed will not come simply from technology or documented best practices. The requirement for security starts with an organization’s understanding of its own business and exposure, and that understanding can be enhanced with good guidance aimed at the highest levels of management. Once this awareness is embedded and the sense of responsibility permeates the organization, cybersecurity, too, will have become a measurable, manageable discipline.

We’re in a period of transition and adaptation, with some utilities moving more quickly than others, while oversight at the state level is largely in catch-up mode. I urge you to evaluate your own commission’s capabilities in this domain. You and your staff have many other responsibilities and needn’t become security experts overnight. But to credibly fulfill your oversight role you’ll need to increase your commission’s knowledge in this area. One good place to start is NARUC’s Cybersecurity Guide for State Commissions. A second is DOE’s Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), and there are plenty of other resources that can help you at low or no cost.

You share many goals with the utilities you regulate, including the desire to provide the residents of your state with electricity that is reliable, safe and affordable. Where cybersecurity threats to utilities and the defenses against them are concerned, the interests of utilities and regulators are almost fully aligned. All parties, including customers, will benefit when you and your commission are ready to play a more active role.

Andy Bochman is Principal at Bochman Advisors LLC which focuses on increasing cybersecurity awareness in utilities and the federal and state organizations that regulate them. A contributor to industry and national security working groups on energy security and cybersecurity, Andy lives in Boston, is an active member of the MIT Energy Club, and is the founder of the Smart Grid Security and DOD Energy Blogs.