Understanding Cybersecurity Maturity Models within the Context of Energy Regulation

October 2020 – With support from the United States Agency for International Development (USAID) Energy and Infrastructure Division of the Bureau for Europe and Eurasia, the National Association of Regulatory Utility Commissioners (NARUC) has published the primer "Understanding Cybersecurity Maturity Models within the Context of Energy Regulation."

Cybersecurity maturity models provide regulators with a means to measure the cybersecurity readiness of a utility and compare this level of preparedness against previous assessments, a target baseline, and other utilities. Regulators can use the models to identify both good and bad trends. In addition, the cybersecurity maturity model data gathered by regulators can also influence regulatory changes.

The main goal of this primer to provide an understanding of the fundamental principles of maturity models so that the greatest benefit can be realized from their use, rather than ranking maturity models against each other. This will permit regulators to work efficiently and effectively with utilities on the subject of cybersecurity regardless of the cybersecurity model that is selected for use, whether by the regulator or the utility.

This primer discusses cybersecurity maturity models within the context of energy regulation to provide a fundamental understanding of their application, benefits, and the value that they can afford in the regulatory process. It provides insight into:

• the basics of maturity models;
• how maturity models pertain to cybersecurity for utilities;
• the role of the regulator with regard to cybersecurity;
• the use of cybersecurity maturity models as a regulatory tool; and
• the use of cybersecurity maturity models to influence regulatory practices and decisions.

You can access the primer here. It has also been translated into Russian.