The Regulatory Cybersecurity Strategy: a Key Building Block for an Energy Sector's Cybersecurity Policy Framework

“It is critical that we confront the challenge of cybersecurity. By being strategic in our approach, we can figure out where we are, where we want to go, and how to get there.”

That’s Andy Bochman, Senior Cyber and Energy Security Strategist at the Department of Energy’s Idaho National Laboratory. Andy is a frequent volunteer with the USAID Europe and Eurasia Energy Sector Cybersecurity Initiative (ESCI). As an implementing partner of ESCI, NARUC has been helping regulators and utilities in Europe and Eurasia since December 2016 to plan and act strategically in assessing and preparing for cybersecurity threats to the energy sector. 

This is precisely why, in line with U.S. best practices, the initiative began its work on cybersecurity by assisting national energy regulators in countries such as Armenia, Georgia, Moldova, and Ukraine to draft a strategy document for their respective commissions. 

Why a Strategy?
A regulatory strategy is not the first thing people associate with cybersecurity. But, for regulators, utilities and others, it is a critical first step to the success of any cyber program. Creating a strategy does the following:

  • Sends a message to utilities, government officials and the public that cybersecurity is a high priority.
  • Communicates to utilities that prudent cybersecurity-related investments – i.e., training, infrastructure, personnel – are acceptable.
  • Initiates a conversation between all stakeholders about how ready the energy sector is for evolving cyber threats and how best to address its greatest vulnerabilities. 

A Place to Start
Looking to Connecticut and Washington as examples, the most effective public utility commissions have begun their work on cyber by creating a strategy. Although these strategies take different shapes — from concise drafts to detailed descriptions of staffing, funding, and reporting requirements — they outline how commissions and electric utilities will work together to mitigate cyber vulnerabilities. 

In 2016, USAID recognized that no guidance was available to draw from for energy regulators in its partner countries looking to develop their own cybersecurity strategies. To fill this gap, USAID, NARUC and experts like Andy and state utility regulators from Connecticut and Washington teamed up to draft the first-ever Cybersecurity Strategy Development Guide. Drawing from the experience of U.S. commissions, the Guide covers the most important issues and questions that regulators must address in drafting a cybersecurity strategy.

Regulators are certainly not the first line of defense, but the leadership and vision they articulate in a strategy are essential first steps to safeguarding the energy sector from cybersecurity threats.