The Indispensable Role of Energy Regulators in Protecting the Electric Grid

Regulators play an indispensable role in achieving effective cybersecurity in the energy sector, and serve a key role in efforts by the U.S. Agency for International Development to improve electricity sector cybersecurity in Europe and Eurasia.

Working in collaboration with utilities, government officials and others, regulators are necessary players in ensuring that the right cybersecurity policies are developed and that the appropriate processes and technologies to protect the electric grid are set in place. And while cyber is a relatively novel field in energy and regulation, regulators’ role in cyber shares many similarities with their other core responsibilities. 

The Role of the Regulator
Regulators have to evaluate utilities’ investments in cyber to ensure that consumers pay a fair and affordable rate, just as they do with decisions about building new transmission lines or substations. Regulators also ensure that electricity service and the grid itself are reliable and that utilities are prepared for severe events. 

Key Considerations on Cybersecurity

When it comes to helping utilities set targets, regulators should ensure that key areas are addressed. These include planning and governance, which ensure that utilities have designated people and procedures to respond in a comprehensive, focused, and well-planned manner to serious events.

Here’s more on what key areas utilities need to address as they approach the challenge of cybersecurity:

  • Planning: responses are not haphazard, reactive, or fragmented
  • Standards: awareness of best practices and compliance with obligations
  • Reporting: transparency and information sharing
  • Procurement: systemic and interdependency-aware thinking
  • Personnel and Policies: integration of risk management across the enterprise, including people
  • Risk Management: a perspective that prioritizes security over compliance
  • Governance: how reporting and transparency create accountability for performance
  • Systems and Operations: plans should be a cyclical process, not just a one-time check-box

A cyber-attack that causes widespread power outages certainly fits the description of a “severe event,” as does something that regulators and utilities have been dealing with for a long time – major storms. 

Just like with storms, the work of the regulator is not during the storm itself, when utility crews are working to bring back power and keep consumers safe. Rather, regulators must set expectations and key objectives on the front end, months and years before the storm. Then, after the storm has passed, regulators evaluate the utility’s actions and performance in realizing those goals.

How Regulators Address Cybersecurity
In the same way, regulators are not tasked with constructing a cyber defense – fortifying systems or training staff on best security practices. But regulators are responsible for helping utilities set targets in line with policy objectives and periodically evaluating utilities’ performance. 

And without regulators on board, it is unlikely countries will be able to develop the right cybersecurity policies or set in place the appropriate processes and technologies to protect the electric grid.

In collaboration with NARUC and other partners, USAID’s Europe and Eurasia Cybersecurity Initiative works to provide regulators with the tools, policies, and knowledge to effectively collaborate with utilities in safeguarding the electric grid from cyber-attacks. To date, this work has helped regulators develop regulatory strategies for cybersecurity, laying out the goals and objectives for utilities and setting the groundwork for evaluating progress. 

Regulators are critical to successfully defending the grid from cyber-attacks. And through USAID and NARUC’s work, regulators in Europe and Eurasia are taking the lead in their countries’ energy sectors. Regulators are engaging with stakeholders to build and adapt their own cybersecurity policies and defenses to face this emerging challenge, making progress on the journey toward self-reliance.