How Much Does Cybersecurity Really Cost?

This article was originally published in the October 2020 issue of Public Utilities Fortnightly, and is the second in a two-part review of cybersecurity resources published through a partnership between the National Association of Regulatory Utility Commissioners (NARUC) and the United States Agency for International Development (USAID) under the Energy and Infrastructure Division of the Bureau for Europe and Eurasia.

The USAID and NARUC publication "Evaluating the Prudency of Cybersecurity Investments: Guidelines for Energy Regulators" is intended to assist regulators in defining tariffs by establishing a regulatory approach to enhance the cybersecurity stance of power systems.

It attempts to answer the following questions:

  • Which regulatory frameworks are best suited to evaluate the prudency of cybersecurity expenditures?
  • How can regulators identify and benchmark cybersecurity costs?
  • How can regulators identify good countermeasures for cybersecurity?
  • How can regulators assess the reasonableness of the costs associated with these countermeasures?
  • Is it possible to evaluate the effectiveness of cybersecurity investments?
  • Who should identify, benchmark, measure, and evaluate the countermeasures in different regulatory frameworks?

These questions have each been asked by regulators in the United States, the European Union, and the Europe and Eurasia region for many years without answers. The guidelines serve to address this long-neglected topic by helping regulators to better understand how to assess the prudency of cybersecurity investments and balance costs with preparedness.

To discuss the merits of these cyber guidelines and how they differ from other cyber guides, NARUC posed several questions to the lead author and editor, Elena Ragazzi of the Research Institute on Sustainable Economic Growth of the National Research Council of Italy. What follows are detailed descriptions and highlights from the guidelines, which provide a snapshot of what regulators and others can glean from the publication. Read the full article here.

For reference, part one of this two-part review, titled "Navigating Global Challenges of Implementing Cybersecurity Standards and Improving Resilience," was originally published in the July 2020 issue of Public Utilities Fortnightly. With increased cyberattacks on utilities, energy regulators have the opportunity to serve as leaders within their countries to ensure secure and reliable energy supply to their consumers. The USAID and NARUC publication "The Utility Regulator’s Role in Promoting Cybersecurity: Resilience, Risk Assessment, and Standards" allows regulators to consider and adapt standards to their national contexts.

The authors of the publication - Stefano Bracco, of the Agency for the Cooperation of Energy Regulators; Frances Cleveland, from Xanthus Consulting International (on behalf of the International Electrotechnical Commission System Committee - Smart Energy - Cyber Security Task Force); and Tim Conway, from the SANS Institute - are noted cyber authorities in the United States and the European Union. For this article, Bracco and Cleveland have provided key insights into the publication and describe challenges across the cyber landscape. You can read the article here.