New USAID-NARUC Cyber Guide Helps Regulators in the United States, Europe, and Eurasia
By Regina Lavette Davis
As the world stands in the grip of waging war against a silent, invisible virus, a new cyber guide aims to prevent the spread of a different type of pandemic that threatens cybersecurity in the United States and overseas.
The Utility Regulator’s Role in Promoting Cybersecurity: Resilience, Risk Assessment, and Standards is a practical guide that aims to increase regulators’ technical capacities and ability to face a host of cyber threats across the energy sector. With support from the United States Agency for International Development (USAID), NARUC engaged a group of international cyber experts to prepare the publication, which is aimed primarily at utility regulators in Europe and Eurasia as well as U.S. regulators.
Regulators have several core functions, including ensuring the quality of supply, evaluating utility investment plans, and setting tariffs. With cyberattacks on utilities increasing, energy regulators have the opportunity to serve as leaders within their countries in ensuring a secure and reliable energy supply for their consumers. This guide allows regulators to consider and adapt standards to their national contexts.
Authors Stefano Bracco, of the Agency for the Cooperation of Energy Regulators; Frances Cleveland, from Xanthus Consulting International (on behalf of the International Electrotechnical Commission System Committee - Smart Energy - Cyber Security Task Force); and Tim Conway, from the SANS Institute, are noted cyber authorities in the United States and the European Union. For this article, Bracco and Cleveland have provided key insights into the guide and describe challenges across the cyber landscape.
“The harmonization of cybersecurity measures with neighboring and interconnected countries is the biggest challenge,” said Bracco, adding that, “like the COVID-19 pandemic, electrons and cybersecurity do not respect the notion of borders.”
Other challenges include the need to translate complex technical measures into regulations that are not complicated, burdensome for industry, or costly to consumers.
Finally, Bracco said regulators are challenged by the ability of “adversaries” to keep pace with evolving technologies, noting that it is hard to “keep track of it all and keep up to speed.”
The guide is very comprehensive, and there’s much to be gleaned from the tome. As for U.S. regulators, Cleveland hopes they will be able to “better understand the broader cybersecurity issues that go beyond the NERC CIPs [North American Electric Reliability Corporation critical infrastructure protection], which only address bulk power security.”
Specifically, the rapid expansion of distributed energy resources (DERs) interconnected with the distribution grid raises many cybersecurity concerns, even if the loss of a small number of these DERs might not cause large scale power disruptions.
These cybersecurity concerns are even greater due to the multitude of stakeholders involved with different cybersecurity expertise and capabilities, including residential and commercial customers, DER aggregators, DER vendors and implementers, renewable energy power plants, micro-grids, market-based energy service providers, as well as the distribution and transmission utilities.
She also notes that aside from the expected loss of privacy, other risks include physical danger to personnel and the public, the loss of local and regional electric power due to coordinated attacks, market disruptions caused by pricing manipulations, and “the legal and regulatory nightmares that might follow from such attacks.”
Developing standards and ensuring that those standards reflect current cyber requirements is crucial. The guide presents clear information on standards and the importance of understanding how standards can complement regulatory and utility counter-measures. In particular, NARUC highlights the annex, which outlines key existing cybersecurity standards and best practices in the United States and in Europe. By increasing collaboration among regulators, utilities, and other key institutions, as well as sharing best practices globally, regulators are bolstering the security and resilience of electricity and gas sectors around the world.
“The lesson to take home is that there is no perfect standard, but all standards contribute to a better ecosystem from a cybersecurity perspective,” said Bracco. Standards, he said, “are important tools to implement policies and they also provide great help to the regulators,” who will need to understand those tools and the steps involved to implement them.
In the United States, the Institute of Electrical and Electronics Engineers (IEEE) 1547:2018 standard describes the mandatory requirements for all DERs that will be interconnected to the grid.
“We are working on IEEE 1547.3 recommendations for cybersecurity for these interconnected DER,” explained Cleveland. “I would hope that U.S. regulators also urge the adoption of these cybersecurity recommendations — once they are published by the IEEE, hopefully in early 2021.”
The global explosion of telecommuting in the wake of the novel coronavirus pandemic has, naturally, increased attention to the need for cyber-secure environments, particularly for those functions and organizations for which remote work is not routine.
Bracco says that on the very day the pandemic appeared in his home country of Italy, the first priority, of course, was to save lives, followed by an “imminent need to make sure that the digital infrastructure would not cripple under the cyber-attacks.”
Such a scenario, he says, would have been “the perfect storm.”
“I still remember that in one of the first meetings, one of the discussions was to enforce cybersecurity measures and to provide training. With people teleworking at 95 percent of the full capacity, with access to sensitive information remotely, cybersecurity became the biggest concern internally and externally.”
He goes on to describe the situation:
“Then people started thinking about critical infrastructures and whether they were resilient enough to be operated with limited human intervention. We all know the grid has physical assets that require real humans to manage them, but indeed, digitalization has helped to alleviate the work of people and to reduce risks for operators. Both regulators and utilities managed to reassure their respective customers that they could deliver all the energy needed to work remotely. Also, during this difficult situation, the number of cyber-attacks increased exponentially (some statistics say 800 percent).”
“Because cybersecurity is a new topic to many of our counterparts, we often suggest that, as a first step, regulators and utilities customize existing standards rather than developing completely new guidance,” said Steven Burns, the chief of energy and infrastructure at USAID’s Bureau for Europe and Eurasia.
So, what are the first steps regulators should take in assessing and building on existing standards?
“Most cybersecurity standards that cover what steps should be done (versus those that state how technology must be used) assume that their statements apply equally for all environments,” observes Cleveland. “However, the reality is that cybersecurity requirements are naturally open to interpretation since situations can vary significantly across industries and across different systems.”
Along with distinguishing the what from the how is the question of why it’s done. Bracco says to “start looking to how others are doing things, and why, but having an eye to the context they work in.”
He adds that people often start from scratch, but all the existing standards “have hundreds of valuable implementations around the world and in different contexts” and suggests that “before inventing your own procedures, just look for what others have been doing: it is what people should always do. A standard is a template, you have just to adapt to your own reality: if you take inspiration from another implementation, you will just start from a different level.”
Cleveland has observed that many standards assume they apply to a single organization that can ultimately control all of its cybersecurity implementations. “But in the real world, these assumptions can cause confusion and misinterpretation,” she says. “Therefore, regulators should also ask experts (both cyber and process experts) in their industries and/or regions to ‘annotate’ existing cybersecurity requirement standards to apply them more precisely and clearly to the relevant stakeholders.”
For instance, she says, “regulators involved with DERs could request annotations of the cybersecurity standards to apply to utilities, DER facilities, aggregators, vendors, and other third parties. These annotations could also include how to manage these cybersecurity requirements across multiple stakeholders.”
To assess existing standards, Bracco “strongly advises” (where possible) to start from lessons learned. “Incidents are the first sources of thoughts. Regulators should ask themselves one question: ‘If I would have changed the standard and the way I implement it locally, would I still have had this incident or could I have reduced the impact?’”
If the answer to the first part of this question is “yes,” then start looking for a way to apply the standard better, or look for a new one. However, if a new standard (of whatever kind) would not have changed the final result, then due care suggests simply continuing to monitor, he advises.
Whatever the starting point or the process regulators use on the path to enhanced cybersecurity, Bracco advises that “an essential point in cybersecurity is to have a critical mind.” The standard(s) used by regulators should be subject to regular review and continuously monitored implementation. “Cybersecurity is evolving; the standards and their implementation have to follow closer,” he notes.
So far, there has been positive feedback to the guide. Bracco says that a U.S. colleague, one who had participated with him and co-author Tim Conway in a NARUC-USAID Black Sea workshop, reached out to him, glad to have read the guide and finding it “very informative and useful.” He has received similar reactions from EU colleagues.
“My takeaway from all feedback is that such guides are needed, and we (the community of those who are working on cybersecurity on the energy sector) should touch base on different topics in the sphere of cybersecurity, because there is a real and tangible need to understand it in order to implement strategies and to achieve policy objectives,” he says. “It is, indeed, an investment, but an investment that will pay back and will return a gain to the citizens.”
Bracco thinks that there will be more investment in cybersecurity both during the pandemic and also after, as people have become “incredibly aware of the importance of the cyber world.” Continuing along the pandemic analogy, he notes that the need to protect people from a real virus is evident, and at the same time it is vital to protect the infrastructure from hidden virtual enemies to speed up the recovery from the pandemic. “Hopefully, this will be a lesson that will help investments in the right direction.”
NARUC, with support from USAID, is continuously working to provide regulators with the knowledge and tools needed to tackle modern cybersecurity challenges. To this end, NARUC will be releasing a guide for energy regulators on evaluating the prudency of cybersecurity investments. As investments in cybersecurity increase, and will likely continue to rise as cyberattacks become more sophisticated, this guide will assist with the decision-making process for such investments.
Check out recent publications at https://www.naruc.org/international/news.