Evaluating the Prudency of Cybersecurity Investments: Guidelines for Energy Regulators

May 2020 – "Evaluating the Prudency of Cybersecurity Investments: Guidelines for Energy Regulators" is a first-of-its-kind resource developed with funding support from the United States Agency for International Development (USAID) under the Energy and Infrastructure Division of the Bureau for Europe and Eurasia.

The guidelines demonstrate the leadership of USAID and NARUC in empowering energy regulators to increase grid resilience by ensuring prudent and effective investments in cybersecurity by their regulated entities, and attempt to answer the following questions:

• Which regulatory frameworks are best suited to evaluate the prudency of cybersecurity expenditures?
• How can regulators identify and benchmark cybersecurity costs?
• How can regulators identify good countermeasures for cybersecurity?
• How can regulators assess the reasonableness of the costs associated with these countermeasures?
• Is it possible to evaluate the effectiveness of cybersecurity investments?
• Who should identify, benchmark, measure, and evaluate the countermeasures in different regulatory frameworks?

As power systems across the region continue to modernize, digitize, and integrate, they are increasingly exposed to additional vulnerabilities that can be exploited by cyberattacks. Attacks on the power grid can have devastating effects on a nation’s security, economy, and public welfare, and are a serious threat to all nations worldwide.

While these guidelines were developed for the Europe and Eurasia region, much of their content can be applied universally, and NARUC encourages U.S. regulators and others to look for applicability within their own contexts and environments.

"Evaluating the Prudency of Cybersecurity Investments: Guidelines for Energy Regulators" can be found here.