NARUC Releases Two New Cybersecurity Manual Resources

For Immediate Release:

Contact: Scott Bolden, 202-898-8083

WASHINGTON (July 17, 2019) — The National Association of Regulatory Utility Commissioners has developed a comprehensive suite of resources, collectively referred to as the Cybersecurity Manual, to help public utility commissions (PUCs) gather and evaluate information from utilities about their cybersecurity risk management practices. These evaluations facilitate well-informed PUC decisions regarding the effectiveness of utilities’ cybersecurity preparedness efforts and the prudence of related expenditures. The Cybersecurity Manual comprises five complementary resources, two of which were released recently.

“The threat posed by cybersecurity incidents is very real, and it is essential that regulators have a clear understanding of the work being done by our utilities to safeguard vital systems and address current and future cyber threats,” said Chairman Gladys Brown Dutrieuille, Pennsylvania PUC and Chair of the NARUC Critical Infrastructure Committee. “The more our PUCs are educated on these issues, the better we are able to evaluate current issues and target future enhancements.”

NARUC’s newly released cybersecurity resources include Understanding Cybersecurity Preparedness: Questions for Utilities. This tool provides a set of comprehensive, context-sensitive questions that PUCs can ask of a utility to gain a detailed understanding of its current cybersecurity risk management program and practices. The questions build upon and add to those included in prior NARUC publications.

The other just-released resource, Cybersecurity Preparedness Evaluation Tool (CPET), provides a structured approach for PUCs to use in assessing the maturity of a utility’s cybersecurity risk management program and gauging capability improvements over time. The CPET is designed to be used with the Questions for Utilities on an iterative basis to help PUCs identify cybersecurity gaps, spur utilities’ adoption of additional mitigation strategies and inform cybersecurity investment decisions.

“Together, these tools will help state commissioners evaluate utility cyber preparedness more quickly and effectively. As regulators, we must assess utilities’ decisions to invest in risk-management tools and other protections for business and customer information, but we are not cybersecurity experts,” said Commissioner Ann Rendahl, Washington Utilities and Transportation Commission. “CPET will help us dive into risk-management and cybersecurity topics without each commission reinventing the wheel.”



NARUC is a non-profit organization founded in 1889 whose members include the governmental agencies that are engaged in the regulation of utilities and carriers in the fifty States, the District of Columbia, Puerto Rico and the Virgin Islands. NARUC's member agencies regulate telecommunications, energy, and water utilities. NARUC represents the interests of State public utility commissions before the three branches of the Federal government.