In many ways, cybersecurity is a journey into the unknown. Facing actors working in the shadows, regulators, utilities and governments must navigate unknowns and challenges as they choose the best path to prepare for attacks on their systems.
Just as a map is foundational to any journey, developing a strategy is key for regulatory commissions trying to effectively meet this emerging challenge. With the support of the United States Agency for International Development (USAID), NARUC is working with regulators in the Black Sea region to develop these necessary strategies and help strengthen the security and resilience of their energy sectors.
The Need for Cybersecurity Strategies
USAID and NARUC launched the Black Sea Cybersecurity Initiative in December 2016 in an effort to provide the regulators of Armenia, Georgia, Moldova and Ukraine with the tools and technical capacity to prevent and mitigate cyberattacks as well as to improve and safeguard overall energy security across the region. Developing strategies to do this is key, as regulators must define goals for addressing cybersecurity to ensure that time and funding are properly allocated.
Defining a cybersecurity strategy is also critical in finding balance between technical goals of implementing effective protections and “right-sizing” the response in a cost-effective manner.
Progress Toward Effective Cyber Strategies
In just a few months since the launch of the initiative, participating regulators have already made important strides. In response to NARUC recommendations, the National Energy and Utilities Regulatory Commission (NEURC) of Ukraine has formed a cybersecurity unit within the Commission.
That unit has begun drafting a questionnaire drawing from the 107 questions found within the NARUC Research Lab’s Cybersecurity Primer for Regulators (see the box below) to ask of utilities and initiated meetings with utilities to begin discussing and evaluating their cyber-preparedness.
Drawing from specific recommendations of NARUC's Primer, NEURC's cybersecurity team has also decided to draft the commission's regulatory cybersecurity strategy. NEURC officials plan to collaborate with NARUC experts on the development of the strategy in the coming months.
In addition to NEURC, the Georgia National Energy and Water Regulatory Commission (GNERC) has likewise decided to form and build the capacity of an internal team that will focus on addressing cybersecurity issues related to the power grid in Georgia and drafting their own cybersecurity strategy, steps that took form after the December 2016 NARUC workshop in Kyiv, Ukraine.
Workshop in Estonia
USAID and NARUC conducted their second workshop in March 2017 in order to continue progress toward developing cybersecurity strategies. Held in Estonia, a global leader in cybersecurity, the workshop gathered US and European officials to discuss best practices for regulators to construct regulatory cybersecurity strategies, engage with utilities and evaluate effective utility cybersecurity performance.
Participants discussed the essential components and structure of regulatory cybersecurity strategies, which outline the role of a commission, its goals and expectations of utilities and a commission's method of engagement. NARUC also presented an outline of its Cybersecurity Strategy Development Guide, which will be finalized in May 2017 and sent to Black Sea regulators to assist them in drafting their own strategies.
Looking ahead, USAID and NARUC will continue to work with Black Sea regulators as they develop their strategies, build internal cybersecurity teams and collaborate with utilities to protect and safeguard their power grids from potential cyber threats.
Together, the initiative will support the regulators as they take the journey to bolster their defenses against the threat of cybersecurity.