Through USAID-supported Cybersecurity Project, U.S. and Eastern European Energy Regulators Develop Model for Regulatory Cybersecurity Strategies Worldwide

Through USAID-supported Cybersecurity Project, U.S. and Eastern European Energy Regulators Develop Model  for Regulatory Cybersecurity Strategies Worldwide

October 2018 – On December 23, 2015, hackers activated malware in a Ukrainian distribution utility system. This cyber-attack ultimately shut off power to 230,000 customers and ushered in a new era of vigilance against the growing challenges of cybersecurity and energy security.

For the countries of Europe and Eurasia, cybersecurity is the newest avenue for bad actors to threaten energy security in the region. USAID and NARUC are helping to combat this threat through the USAID Europe and Eurasia Energy Sector Cybersecurity Initiative (ESCI), which is helping to build resilience and expertise within energy regulators in the Black Sea region and beyond. 

“Addressing cyber threats is a key part of improving energy sector resilience, whether here in the U.S. or in the countries of the Black Sea region like Ukraine,” said Andy Bochman, Senior Cyber & Energy Security Strategist at Idaho National Laboratory. “We can take what’s worked in the U.S. and share it with our colleagues abroad.”

The Makings of a Strategy

When Black Sea regulators began working on cybersecurity with USAID and NARUC, they were stepping into uncharted territory. In 2016, regulators did not have a guide or set of instructions for how to structure a cyber strategy. This information deficit led USAID and NARUC to pull together best international practices to create the Guide.

The Guide covers what regulators should address and key questions they should ask to inform their approach to cyber. These include:

  • Mission and Goals
  • Scope of Strategy
  • Staffing and Policies
  • Performance Requirements and Reporting
  • International and External Communications Approaches

Creating a Strategy
USAID and NARUC took the important step of helping regulators start from square one – the creation of a regulatory strategy for the energy sector. To provide needed support to their partners, USAID and NARUC developed the Black Sea Cybersecurity Strategy Development Guide, which helps regulators customize a strategy to their own priorities, resources, and needs in alignment with international best practices.

The Guide includes key questions that regulators must address in structuring their strategies and provides examples of how regulators at U.S. commissions have approached similar questions.

Through the creation of this first-of-its-kind Guide, USAID helped to fill a void in the cyber policy space and reaffirmed its position as a thought leader on this critical and increasingly important topic. USAID’s assistance to regulators in the Black Sea — and the creation of the Guide and other materials — has helped regulators make progress on some of the first-ever regulatory policies on cyber in the region.

A Two-Way Flow of Information
Connecticut’s state regulator drafted a state-level cybersecurity strategy in 2014, with Washington’s regulator developing a strategy shortly after. Their efforts have paved the way for how a regulatory commission should begin its work on cyber, and key U.S. partners abroad are now utilizing this expertise and thought leadership. 

Officials from Connecticut and Washington helped to develop and review the Guide through USAID and NARUC. They have also offered best practices and lessons learned to Black Sea regulators as they worked to develop their own strategies. 

“Every time we sit down with our colleagues in Europe and Eurasia, good ideas and information flow both ways,” said Art House, Chief Cyber Officer for Connecticut. “Our work together through USAID helps everyone prepare for the next cyber-attack.” • 

The contents of this post are the responsibility of NARUC and do not necessarily reflect the views of the United States Government.