Black Sea Regulators on Path to Effective Cybersecurity Strategies

May 2017 – In many ways, cybersecurity is a journey into the unknown. Facing actors working in the shadows, regulators, utilities and governments must navigate unknowns and challenges as they choose the best path to prepare for attacks on their systems.

Just as a map is foundational to any journey, developing a strategy is key for regulatory commissions trying to effectively meet this emerging challenge. With the support of the United States Agency for International Development (USAID), NARUC is working with regulators in the Black Sea region to develop these necessary strategies and help strengthen the security and resilience of their energy sectors.

The Need for Cybersecurity Strategies
USAID and NARUC launched the Black Sea Cybersecurity Initiative in December 2016 in an effort to provide the regulators of Armenia, Georgia, Moldova and Ukraine with the tools and technical capacity to prevent and mitigate cyberattacks as well as to improve and safeguard overall energy security across the region. Developing strategies to do this is key, as regulators must define goals for addressing cybersecurity to ensure that time and funding are properly allocated.

Defining a cybersecurity strategy is also critical in finding balance between technical goals of implementing effective protections and “right-sizing” the response in a cost-effective manner.

Progress Toward Effective Cyber Strategies
In just a few months since the launch of the initiative, participating regulators have already made important strides. In response to NARUC recommendations, the National Energy and Utilities Regulatory Commission (NEURC) of Ukraine has formed a cybersecurity unit within the Commission.

Five Steps NARUC Recommends for Regulators on Cybersecurity

  1. Convene an internal team of staff to set aside time in addition to normal duties to work on cybersecurity and develop essential expertise.
  2. Develop a strategy that outlines the commission’s desired approach, goal and timeframe for proceeding, while also setting expectations for utility performance.
  3. Ask questions – especially to utilities – and handle answers carefully.
  4. Engage with companies and other stakeholders in a context geared toward addressing cybersecurity as a discrete issue.
  5. Take action and then revisit the strategy and ensuing steps in a cycle of continuous improvement.

NEURC's cybersecurity unit has begun drafting a questionnaire for utilities, drawing from the 107 questions found within the NARUC Research Lab’s Cybersecurity Primer for Regulators (see the box below), and has initiated meetings with utilities to begin discussing and evaluating their cyber-preparedness.

Drawing from specific recommendations of NARUC's Primer, NEURC's cybersecurity team has also decided to draft the commission's regulatory cybersecurity strategy. NEURC officials plan to collaborate with NARUC experts on the development of the strategy in the coming months.

In addition to NEURC, the Georgia National Energy and Water Regulatory Commission (GNERC) has likewise decided to form and build the capacity of an internal team that will focus on addressing cybersecurity issues related to the power grid in Georgia and drafting their own cybersecurity strategy, steps that took form after the December 2016 NARUC workshop in Kyiv, Ukraine.

Workshop in Estonia
USAID and NARUC conducted their second workshop in March 2017 in order to continue progress toward developing cybersecurity strategies. Held in Estonia, a global leader in cybersecurity, the workshop gathered US and European officials to discuss best practices for regulators to construct regulatory cybersecurity strategies, engage with utilities and evaluate effective utility cybersecurity performance.

NARUC’s Work on Cybersecurity
Both in the US and around the world, NARUC is a leader on the regulatory response to cybersecurity challenges. NARUC’s Research Lab has conducted nearly 50 technical workshops across the US and internationally to train regulators on cybersecurity.

Participants discussed the essential components and structure of regulatory cybersecurity strategies, which outline the role of a commission, its goals and expectations of utilities and a commission's method of engagement. NARUC also presented an outline of its Cybersecurity Strategy Development Guide, which will be finalized in May 2017 and sent to Black Sea regulators to assist them in drafting their own strategies.

Looking ahead, USAID and NARUC will continue to work with Black Sea regulators as they develop their strategies, build internal cybersecurity teams and collaborate with utilities to protect and safeguard their power grids from potential cyber threats.

Through the initiative, USAID and NARUC will together support the regulators as they take the journey to bolster their defenses against cybersecurity threats.

This story is made possible by the generous support of the American people through the United States Agency for International Development (USAID). The contents are the responsibility of NARUC and do not necessarily reflect the views of USAID or the United States Government.