Core Sector: Critical Infrastructure and Cybersecurity

Cybersecurity for Utility Regulators

Accelerated by advances in technology and modernization efforts, cyber attacks on critical infrastructure in the U.S. are growing in frequency and potential for disruption. Cybersecurity risk management has become a top priority for industry and policy makers alike. NARUC CPI works to provide state regulators with strategies, tools, and expertise to engage utilities in discussions about cybersecurity preparedness, response, and recovery planning, policies, and practices. These initiatives, coupled with training and technical assistance, support PUCs in their mission to ensure safe, reliable, and resilient energy infrastructure at reasonable rates.

NARUC staff experts who support these activities include Lynn P. Costantini, Deputy Director - CPI, and Jody Raines, Senior Cybersecurity Policy Specialist - CPI.

  • Cybersecurity Baselines for Electric Distribution Systems and DER
    NARUC and DOE CESER developed a set of cybersecurity baselines for the electric distribution systems and distributed energy resources (DER) that connect to them. These baselines, coupled with the forthcoming implementation guidance, are intended as resources for state public utility commissions, utilities, and DER operators and aggregators. Learn more
    • Nominate yourself to join the steering group for the Cybersecurity Baselines Phase 2: Implementation Guidance by completing this form.  
  • Emerging Issues Brief: Volt Typhoon
    This brief describes the threat to critical infrastructure posed by the cyber threat actor group known as Volt Typhoon. It contains questions PUCs may consider asking utilities about their actions to identify and mitigate malicious Volt Typhoon-related activity on their critical systems. Download
  • On-Demand Cybersecurity Training Modules
    The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response, in partnership with NARUC, has produced a set of on-demand cybersecurity training modules. Much of the content included in the training is based on NARUC's Cybersecurity Manual. Learn More
  • Cybersecurity Advisory Team for State Solar (CATSS)
    Created by the National Association of State Energy Officials and NARUC, the CATSS Toolkit provides State Energy Offices and public utility commissions with actionable information on cybersecurity for solar power and supports state cybersecurity enhancements for solar and other distributed energy resources. Learn More
  • Compendium of Cyber Incident Notification Requirements for Critical Infrastructure Utilities by State
    This resource details state-by-state requirements for utilities to report cybersecurity incidents. Links to statutes and orders are included. Download
  • Issue Brief: Log4j Vulnerability
    This one-pager describes the recently discovered Log4j vulnerability, which affects millions of applications worldwide. The brief contains questions PUCs may consider asking utilities about their actions to identify and mitigate the vulnerability on their systems. Download
  • A Guide for Public Utility Commissions: Recruiting and Retaining a Cybersecurity Workforce
    This paper serves as a reference guide for PUCs trying to develop or expand their cybersecurity proficiency. It describes the role of cybersecurity personnel within a PUC and a range of cybersecurity skill sets that may fit a PUC’s needs, as well as avenues for recruiting, retaining, and growing cybersecurity expertise. Appendices provide lists of cybersecurity training resources, recruitment pipelines, and a compendium of sample cybersecurity job descriptions for PUC consideration. Download
  • Cybersecurity for the Smart Grid: Questions for Utilities
    This paper introduces cybersecurity topics relevant to the smart grid. It also suggests questions PUCs might ask utilities to better understand how they are assessing and mitigating the new risks associated with advancing technologies that comprise the smart grid. Concepts in this paper draw from seminal works by the National Institute of Standards and Technology (NIST) as well as topics introduced in NARUC’s Cybersecurity Manual. This paper is a complement to Understanding Cybersecurity Preparedness: Questions for Utilities, one component of the manual. Download
  • Cybersecurity Manual
    NARUC has developed a comprehensive suite of resources, collectively referred to as the Cybersecurity Manual, to help public utility commissions gather and evaluate information from utilities about their cybersecurity risk management practices. These evaluations facilitate well-informed PUC decisions regarding the effectiveness of utilities’ cybersecurity preparedness efforts and the prudence of related expenditures. Learn More

    • Cybersecurity Strategy Development Guide
      This document aims to guide commissions’ interactions with their utilities on issues related to cybersecurity, drawing from the experiences of federal, state, and private-sector stakeholders, including state PUCs themselves. Further, it provides guidance and practices for regulators to consider as they develop and implement their strategies. Commissions that have already developed a strategy can use this guide to review and enhance their current strategy.
    • Understanding Cybersecurity Preparedness: Questions for Utilities
      This resource provides a set of comprehensive, context-sensitive questions that PUCs can ask of a utility to gain a detailed understanding of its current cybersecurity risk management program and practices. The questions build upon and add to those included in prior NARUC publications.
    • Cybersecurity Preparedness Evaluation Tool (CPET)
      The CPET provides a structured approach for PUCs to use in assessing the maturity of a utility’s cybersecurity risk management program and gauging capability improvements over time. The CPET is designed to be used with the Questions for Utilities on an iterative basis to help PUCs identify cybersecurity gaps, spur utilities’ adoption of additional mitigation strategies, and inform cybersecurity investment decisions.
    • Cybersecurity Tabletop Exercise Guide
      This guide details the steps that PUCs can take to design, execute, and evaluate a cybersecurity-focused tabletop exercise (TTX). An exercise could examine utilities’ and other stakeholders’ readiness to respond to and recover from a cybersecurity incident or analyze the PUC’s internal capabilities. This guide includes example scenarios and customizable templates.
    • Cybersecurity Glossary

      This glossary contains cybersecurity terms used throughout the Cybersecurity Manual, as well as “terms of art” that utilities may use during discussions with PUCs. It also contains a list of cybersecurity-related events that demonstrate the growing threats and vulnerabilities against critical infrastructure sectors.

  • Cybersecurity Baselines Steering Group for Phase 2: Implementation Guidance
    NARUC and DOE are launching phase 2 of the Cybersecurity Baselines Initiative: developing implementation strategies and guidelines for stakeholders interested in applying the new baselines. This resource will include recommendations for assessing cybersecurity risks, prioritizing the assets to which the cybersecurity baselines might apply, and prioritizing the order in which the baselines might be implemented, based on cyber risk assessments. Complete this form to nominate yourself to join the Phase 2 steering group.

  • Advanced Cybersecurity Training for Commission Staff
    NARUC, with funding from the Department of Energy, Office of Cybersecurity, Energy Security, and Emergency Response, is offering a limited number of scholarships for advanced cybersecurity training. Training will be provided by the renowned SANS Institute and focus on cybersecurity of operational technologies.

    Please note that the application window for this training opportunity has closed. 

  • Regional Cybersecurity Training for Regulators
    NARUC conducts in-person training events that focus on cybersecurity topics through the lens of a public utility regulator. Subject matter experts, recruited from around the country, make presentations, lead discussions, and offer topical and timely “boots on the ground” perspectives.

    The next training is April 16-18, 2024 in New Orleans, LA. Please visit the registration page to learn more and register.

    Past training events have been held in the following locations:

    • September 2023 - Phoenix, AZ
    • March 2023 - Indianapolis, IN
    • March 2022 - Denver, CO
    • September 2021 - Virtual
    • February 2021 - Virtual
    • September 2020 - Virtual
    • September 2019 - Austin, TX
    • July 2019 - Chicago, IL
    • October 2018 - Beverly, MA
  • Webinars
    • Cyberspace Solarium Commission Report: An Update for State Regulators (April 24, 2020)
      NARUC, in collaboration with Protect Our Power, conducted this webinar to review key pillars of the Cyberspace Solarium Commission report and the role state regulators could play to enact key provisions. Two Cyberspace Solarium Commissioners, Tom Fanning, CEO of Southern Company, and Chris Inglis, former Deputy Director of the National Security Agency, presented. Recording
    • The 411: Cybersecurity Fundamentals that Drive Infrastructure Resilience (July 9, 2019)
      This webinar highlighted key cybersecurity principles and how electric and gas utilities implement them to enhance resilience. Recording
    • Blockchain 101 (June 23, 2017)
      An introduction to Blockchain. Recording

NARUC is grateful to the U.S. Department of Energy, Office of Cybersecurity, Energy Security, and Emergency Response for funding that enables the resources and activities described on this webpage.