Opportunities and Challenges for State Utility Regulators
Sherina Maye Edwards is a Commissioner on the Illinois Commerce Commission. She takes an interest in electric reliability, pipeline safety and critical infrastructure issues. Commissioner Edwards earned a J.D. from Howard University School of Law. Caitlin M. Shields is an Associate at Wilkinson, Barker, Knauer, LLP. She focuses her practice on energy and environmental regulation. Caitlin earned her J.D. at the University of Denver Sturm College of Law. Nakhia C. Crossley is legal counsel and policy advisor to Commissioner Edwards. Nakhia provides analysis and research on the regulation of the energy, telecommunications, water, and transportation industries. Nakhia earned her J.D. from Thomas Jefferson School of Law. Anne McKeon joined the Illinois Commerce Commission as a legal and policy advisor to Commissioner Sherina Maye Edwards in August 2015. Anne earned her J.D. from Notre Dame Law School.
In Part I of this article, which appeared in February's PUF, the authors examined the evolving role of state regulators in addressing cybersecurity in the energy sector. While state commissioners have not traditionally regulated this area, many are now grappling with the proper role to play. Part II surveys best practices in various locations and recommends methods for developing regulatory procedures that will ensure the security of critical energy assets.
These include asking whether the utility prioritizes controls, assets and C-suite involvement; converges technical controls with IT controls; implements test and drill measures; creates a culture of security; willingly shares threat information with its regulators and industry counterparts; and ensures regular audits.
Prioritize Controls, Assets and C-Suite Involvement
The first step a utility must take in evaluating cyber-readiness is to identify essential asset systems and networks contributing to critical functionality that need to be protected. It is important to think of risk as influenced by the nature and magnitude of a threat or hazard, vulnerabilities to that threat or hazard, and the consequences that could result.
Risk assessment includes analyzing dependencies and interdependencies, identifying threats, weighing vulnerabilities and evaluating potential impacts on critical assets.