NARUC’s Role in Strengthening Energy Security in Europe and Eurasia

With support from the United States Agency for International Development (USAID), under the Energy and Infrastructure Division of the Bureau for Europe and Eurasia, the National Association of Regulatory Utility Commissioners (NARUC) launched the Europe and Eurasia Cybersecurity Initiative in December 2016 to provide the regulators of Armenia, Georgia, Moldova, and Ukraine with the tools and understanding to work with utilities and governmental agencies to effectively strengthen the cybersecurity and resilience of their respective energy sectors. In October 2018, USAID and NARUC expanded the scope of the initiative to include regulators from Southeast Europe, specifically Albania, Bosnia and Herzegovina, Kosovo, North Macedonia, Serbia, and Montenegro.

Through this initiative, USAID is helping to ensure reliability of the power grid in the face of increasing cyberattacks in Europe and Eurasia. By supporting regulators to become cyber auditors through developing cybersecurity strategies, engaging with utility companies, setting benchmarks, and approving prudent cyber investments, USAID’s efforts enable energy regulators to take a leading role in overseeing the security and reliability of the power grid and advancing best practices that can be shared globally.

For cybersecurity, some of NARUC’s main focus areas include:

• Standards

• Cybersecurity Strategies

• Prudency of Investments

• Maturity Models

USAID and NARUC Europe and Eurasia Cybersecurity Initiative Toolkit

These publications are meant to serve as resources that regulators can use to help improve energy sector resilience in alignment with international best practices and in the context of their respective priorities and needs.

Black Sea Cybersecurity Strategy Development Guide | 2017

This guide was developed to provide information and lessons learned to support Black Sea regulators, and others, in developing their own commissions’ cybersecurity strategies. Drawing from experiences and best practices from U.S. state-level regulatory commissions and elsewhere, this document has been designed to cover the important issues and questions that regulators should address as they begin the process of developing their unique cybersecurity strategies.

It is also available in Russian.

Cybersecurity Evaluative Framework for Black Sea Regulators | 2017

This evaluative framework is an easy-to-use tool for regulators to assess utilities’ cybersecurity preparedness. It is designed to provide a structured way for regulators to gauge what level of cyber-preparedness utilities have reached and identify areas for improvement.

It is also available in Russian.

The Utility Regulator's Role in Promoting Cybersecurity: Resilience, Risk Assessment, and Standards | 2020

This guide was initially developed for regulators in Europe and Eurasia to reinforce their knowledge of practical cybersecurity solutions in the face of ongoing threats within the energy sector. However, the questions of how to evaluate risks, assess mitigation measures, and select standards are relevant for regulators around the world.

It is also available in Russian.

Evaluating the Prudency of Cybersecurity Investments: Guidelines for Energy Regulators | 2020

These guidelines were developed to assist regulators in ensuring that investments made in the name of cybersecurity are reasonable, prudent, and effective. These guidelines are intended to assist regulators in defining tariffs by establishing a regulatory approach to enhance the cybersecurity stance of their power systems and are based on literature and current practices.

It is also available in Russian.

Understanding Cybersecurity Maturity Models within the Context of Energy Regulation | 2020

This primer discusses cybersecurity maturity models within the context of energy regulation to provide a fundamental understanding of their application, benefits, and the value that they can afford in the regulatory process.

It is also available in Russian.

Additional Resources

With support from USAID, NARUC has produced a new infographic titled "Modernized Grids Can Increase Cybersecurity Risks."

The focus of the infographic is to provide clear and concise information on the following topics:

  • Defining critical infrastructure risks
  • What regulators should do when it comes to cyber preparedness

You can access and download the full infographic here.


North Macedonia Regulator Adopts Cybersecurity Rules, Takes on Leading Role in Securing Energy Sector Protection and Resilience

In June 2023, the Energy and Water Services Regulatory Commission (ERC) of North Macedonia adopted new Cybersecurity Rules, which will be integral to implementing cybersecurity standards in the energy sector, strengthening the sector’s resilience, and protecting critical energy infrastructure.

Energy Regulators from Armenia and North Macedonia Make Progress in Cyber Preparedness

We followed up with regulators from both Armenia’s Public Services Regulatory Commission (PSRC) and the Energy and Water Services Regulatory Commission of the Republic of North Macedonia (ERC) to track the progress they have made in relation to the key themes of each of the following USAID and NARUC publications: “The Utility Regulator's Role in Promoting Cybersecurity: Resilience, Risk Assessment, and Standards” and “Evaluating the Prudency of Cybersecurity Investments: Guidelines for Energy Regulators.”

Albania Establishes First-Ever Cybersecurity Regulation for the Electricity Sector

The Albanian Energy Regulatory Authority (ERE) has recently approved the country’s first-ever cybersecurity regulation for the electricity sector, titled “Regulation on Cybersecurity of Electricity Sector Critical Infrastructure.” In doing so, they have established incident reporting criteria and requirements that electricity system operators can use to assess and improve their cybersecurity maturity as well as their protection and response capabilities. 

How Much Does Cybersecurity Really Cost?

This article was originally published in the October 2020 issue of Public Utilities Fortnightly, and is the second in a two-part review of cybersecurity resources published through a partnership between NARUC and USAID. It includes key insights from lead author and editor, Elena Ragazzi (Research Institute on Sustainable Economic Growth of the National Research Council of Italy). Throughout the article, she explores key highlights from the guidelines and answers questions such as “What cybersecurity aspect is most misunderstood by regulators?”

Navigating Global Challenges of Implementing Cybersecurity Standards and Improving Resilience

Originally published in the July 2020 issue of Public Utilities Fortnightly, this article includes key insights from two of the three authors of the NARUC/USAID publication “The Utility Regulator’s Role in Promoting Cybersecurity: Resilience, Risk Assessment, and Standards” – Stefano Bracco (Agency for the Cooperation of Energy Regulators) and Frances Cleveland (Xanthus Consulting International). Throughout the article, they describe current challenges across the cyber landscape and discuss the importance of being able to consider and adapt standards to national contexts.


At A Glance

Project Dates: 2016-Present

Primary Partners:

The Energy Regulatory Commission of the Republic of North Macedonia

National Energy and Utilities Regulatory Commission of Ukraine

State Electricity Regulatory Commission in Federation of Bosnia and Herzegovina 

Energy Regulatory Authority of Albania

The National Agency for Energy Regulation of the Republic of Moldova

Kosovo’s Energy Regulatory Office 

Georgian National Energy and Water Supply Regulatory Commission

Regulatory Commission for Energy in Federation of Bosnia and Herzegovina

Armenian Public Services Regulatory Commission

Regulatory Commission for Energy of Republika Srpska in Federation of Bosnia and Herzegovina

The Energy and Water Regulatory Authority of Montenegro

Energy Agency of the Republic of Serbia
