Center for Partnerships & Innovation

Critical Infrastructure, Cybersecurity and Resilience

Cybersecurity

Accelerated by advances in technology and modernization efforts, cyber attacks on critical infrastructure in the U.S. are growing in frequency and potential for disruption. Cybersecurity risk management has become a top priority for industry and policy makers alike. NARUC CPI works to provide state regulators with strategies, tools, and expertise to engage utilities in discussions about cybersecurity preparedness, response, and recovery planning, policies, and practices. These initiatives, coupled with training and technical assistance, support PUCs in their mission to ensure safe, reliable, and resilient energy infrastructure at reasonable rates.

  • A Guide for Public Utility Commissions: Recruiting and Retaining a Cybersecurity Workforce

    This paper serves as a reference guide for PUCs trying to develop or expand their cybersecurity proficiency. It describes the role of cybersecurity personnel within a PUC and a range of cybersecurity skill sets that may fit a PUC’s needs, as well as avenues for recruiting, retaining, and growing cybersecurity expertise. Appendices provide lists of cybersecurity training resources, recruitment pipelines, and a compendium of sample cybersecurity job descriptions for PUC consideration. Download

  • Cybersecurity for the Smart Grid: Questions for Utilities

    This paper introduces cybersecurity topics relevant to the smart grid. It also suggests questions PUCs might ask utilities to better understand how they are assessing and mitigating the new risks associated with advancing technologies that comprise the smart grid. Concepts in this paper draw from seminal works by the National Institute of Standards and Technology (NIST) as well as topics introduced in NARUC’s Cybersecurity Manual. This paper is a complement to Understanding Cybersecurity Preparedness: Questions for Utilities, one component of the manual. Download

  • Cybersecurity Manual

    NARUC has developed a comprehensive suite of resources, collectively referred to as the Cybersecurity Manual, to help public utility commissions gather and evaluate information from utilities about their cybersecurity risk management practices. These evaluations facilitate well-informed PUC decisions regarding the effectiveness of utilities’ cybersecurity preparedness efforts and the prudence of related expenditures. Learn More

    • Cybersecurity Strategy Development Guide

      This document aims to guide commissions’ interactions with their utilities on issues related to cybersecurity, drawing from the experiences of federal, state, and private-sector stakeholders, including state PUCs themselves. Further, it provides guidance and practices for regulators to consider as they develop and implement their strategies. Commissions that have already developed a strategy can use this guide to review and enhance their current strategy.

    • Understanding Cybersecurity Preparedness: Questions for Utilities

      This resource provides a set of comprehensive, context-sensitive questions that PUCs can ask of a utility to gain a detailed understanding of its current cybersecurity risk management program and practices. The questions build upon and add to those included in prior NARUC publications.

    • Cybersecurity Preparedness Evaluation Tool (CPET)

      The CPET provides a structured approach for PUCs to use in assessing the maturity of a utility’s cybersecurity risk management program and gauging capability improvements over time. The CPET is designed to be used with the Questions for Utilities on an iterative basis to help PUCs identify cybersecurity gaps, spur utilities’ adoption of additional mitigation strategies, and inform cybersecurity investment decisions.

    • Cybersecurity Tabletop Exercise Guide

      This guide details the steps that PUCs can take to design, execute, and evaluate a cybersecurity-focused tabletop exercise (TTX). An exercise could examine utilities’ and other stakeholders’ readiness to respond to and recover from a cybersecurity incident or analyze the PUC’s internal capabilities. This guide includes example scenarios and customizable templates.


    • Cybersecurity Glossary

      This glossary contains cybersecurity terms used throughout the Cybersecurity Manual, as well as “terms of art” that utilities may use during discussions with PUCs. It also contains a list of cybersecurity-related events that demonstrate the growing threats and vulnerabilities against critical infrastructure sectors.

Activities

  • Regional Cybersecurity Training for Regulators

    NARUC conducts in-person training events that focus on cybersecurity topics through the lens of a public utility regulator. Subject matter experts, recruited from around the country, make presentations, lead discussions, and offer topical and timely “boots on the ground” perspectives.

    The most recent training events were held in the following locations:


  • Webinars
    • Cyberspace Solarium Commission Report: An Update for State Regulators (April 24, 2020)

      NARUC, in collaboration with Protect Our Power, conducted this webinar to review key pillars of the Cyberspace Solarium Commission report and the role state regulators could play to enact key provisions. Two Cyberspace Solarium Commissioners, Tom Fanning, CEO of Southern Company, and Chris Inglis, former Deputy Director of the National Security Agency, presented. Recording

    • The 411: Cybersecurity Fundamentals that Drive Infrastructure Resilience (July 9, 2019)

      This webinar highlighted key cybersecurity principles and how electric and gas utilities implement them to enhance resilience. Recording

    • Blockchain 101 (June 23, 2017)

      An introduction to Blockchain. Presentation | Recording

NARUC is grateful to the U.S. Department of Energy, Office of Cybersecurity, Energy Security, and Emergency Response for funding that enables the resources and activities described on this webpage.

NARUC staff who support these activities include:
Lynn P. Costantini, Deputy Director
Ashton Raffety, Senior Technical Program Officer