Cybersecurity, Part 2

Opportunities and Challenges for State Utility Regulators

Fortnightly Magazine - March 2017

In Part I of this article, which appeared in February's PUF, the authors examined the evolving role of state regulators in addressing cybersecurity in the energy sector. While state commissioners have not traditionally regulated this area, many are now grappling with the proper role to play. Part II surveys best practices in various locations and recommends methods for developing regulatory procedures that will ensure the security of critical energy assets.

These include asking whether the utility prioritizes controls, assets and C-suite involvement; converges technical controls with IT controls; implements test and drill measures; creates a culture of security; willingly shares threat information with its regulators and industry counterparts; and ensures regular audits.

Prioritize Controls, Assets and C-Suite Involvement

The first step a utility must take in evaluating cyber-readiness is to identify essential asset systems and networks contributing to critical functionality that need to be protected. It is important to think of risk as influenced by the nature and magnitude of a threat or hazard, vulnerabilities to that threat or hazard, and the consequences that could result.

Risk assessment includes analyzing dependencies and interdependencies, identifying threats, weighing vulnerabilities and evaluating potential impacts on critical assets.

In a survey of over ninety-six hundred global executives, forty-one percent of U.S. respondents had experienced one or more security incidents during the past year. A separate survey of nearly two hundred companies showed that when a breach does occur, boards are most likely to hold the CEO accountable.

"Regulators should demand that a cybersecurity culture permeate utilities." – Sherina Maye Edwards

This shows that responsibility for attacks is seen as a broader business issue, shifting the onus away from the chief information security officer (CISO) and the IT security team. With such high stakes, many agree that information security deserves full attention at the highest levels of any company.

Yet, cybersecurity is still considered a purely technical matter in some corporations. One study showed that only five percent of C-suite executives consider cybersecurity the highest-priority corporate initiative. It's second to last on a list of ten major corporate initiatives. Instead, they prioritize issues such as acquiring customers and growing internationally.

On the other hand, security executives overwhelmingly rank cybersecurity as the number one corporate initiative for their company. Security personnel have increasingly and correctly raised the concern that security threats are not only the domain of IT, but also an enterprise-wide concern that necessitates a team approach across the executive suite.

Converge Technical Controls with IT Controls

Integrating Operational Technology (OT) and IT is one way to address the concerns raised above. OT consists of hardware and software systems that monitor and control physical equipment and processes. IT is the application of computers to process, transmit and store data. Historically, OT and IT utility departments have developed independently of each other and are typically managed as separate organizational silos.

"State regulators are in a unique position to facilitate information sharing among utilities." – Caitlin Shields

This meant that cybersecurity was the responsibility of IT personnel, while control systems were the responsibility of engineering and operations personnel. Thus, the expertise, culture, risk tolerances and approach to technology have been different. IT emphasizes confidentiality and integrity of assets; OT prioritizes reliability and availability of equipment and services.

Increased connectivity has expanded the attack surface of OT networks by opening them up to those dangers well known by IT practitioners. Communication systems and automated control equipment that sit between information systems and critical assets can fall in between the defined roles of established departments. Unaddressed, these accountability gaps can turn into cybersecurity gaps.

An attacker views their target as a vulnerable asset, not as an institution with multiple business silos. It is therefore critical that utilities foster close communication between their IT, engineering and operations groups when developing cybersecurity plans. The average information security professional does not have OT security knowledge, and matters of security are different for IT and OT staff.

OT security, with its emphasis on reliability, requires drawing upon IT expertise where applicable, but maintaining some distinctions. Best practices, such as improving access control with log-on IDs, can be translated from IT to OT without impacting reliability. At the same time, OT practices must meet the rigorous security requirements of information systems within the operational realities of critical assets.

"Of particular concern are sensitive business system data and personal information." – Anne McKeon

The harmonizing of these two crucial units must take place with support and direction from the chief executive and the board of directors. Some utilities have begun bridging this gap by creating teams of IT, OT and data personnel to share best practices and implement cross-functional security techniques. When company executives facilitate and encourage these conversations, it demonstrates the importance of multi-faceted engagement.

Test and Drill

Preventive measures are important, but being prepared to respond to a breach is equally critical. In light of today's advanced technology, utilities should anticipate breaches from two types of attacks. The first, internal, group includes malicious breaches and operator error. The second, external, group includes breaches by state-sponsored attackers, hackers or terrorists.

This requires response plans in place to isolate affected systems, remove them from the network and recover from attacks. However, the best-documented business resumption plan does not provide much value if it has not been tested and updated on a regular basis.

One way to test for cyber readiness is through tabletop exercises. These are high-level cyber war game drills in which the C-suite responds to a broad cyber incident coupled with specific testing. The biennial NERC GridEx also provides an opportunity for industry and other stakeholders to respond to simulated cyber and physical attacks on the grid.

"Regulators should ensure utilities undergo regular audits to assess their cybersecurity programs." – Nakhia Crossley

The drill includes utilities, state and local governments and reliability coordinators from the U.S., Canada and Mexico. In November 2015, forty-four hundred registered individuals from three hundred sixty-four organizations participated in GridEx III.

Another biennial cybersecurity exercise is Cyber Storm, facilitated by the Department of Homeland Security (DHS). The latest drill scenario under Cyber Storm V introduced participants to multiple adversaries that distributed complex new malware. It crippled several critical infrastructure sectors. The scenario gave participants the opportunity to assess and implement their companies' procedures and share information.

Another way for utilities to test their cyber-preparedness is through penetration testing, which is done regularly on the IT side of most companies' networks. It is designed to mimic the sophisticated techniques used by attackers in order to identify and validate gaps in security processes.

Penetration testing on OT networks is less common, but it can also be used to understand how attackers might exploit vulnerabilities to disrupt operations. Armed with that knowledge, companies can take appropriate steps to prevent an attack, just as they currently do in the IT arena.

Create a Culture of Security

Over forty percent of cyber-attacks target the energy sector, and their sources range from basement hackers to well-funded nation-states. Therefore, a successful cybersecurity program requires a pervasive security culture in which all employees are aware of the importance of practicing good security in all work activities.

Regulators should demand that a cybersecurity culture permeate utilities, including security aspects for a corporate code of conduct, periodic security training for employees, and other measures to promote security and privacy.

Spear phishing is one example of a prevalent risk to energy companies. Phishing is the attempt to acquire sensitive information by masquerading as a trustworthy entity in an electronic communication.

In the case of spear phishing, the apparent source of the e-mail is often an individual in a position of authority within the recipient's own company. Once the target clicks on a link or opens an attachment, the attacker establishes a foothold in the network, enabling them to complete their mission.

To create a culture of security, utilities must train employees and third parties such as vendors and consultants to recognize spear phishing tactics, adequately protect the devices they control, and report suspicious activity.

Many utilities invest in cyber-safe training programs that may include monthly departmental presentations and ongoing education. Utilities also regularly phish their own employees and encourage them to report any accidental responses to phishing. This allows the company to get in front of the problem before any damage can spread.

Although employee training is important, management should not rely on education alone to guard against attack. There will always be a human error component in security, and utilities should assume that someone will click on a phishing link.

Therefore, management should also add higher levels of technical and engineering controls, such as blocking access to emails originating in certain countries and granting access on a need-to-know basis only.

Information Sharing

As the range and specialization of cyber threats grow, it will become increasingly difficult for companies to maintain sufficient in-house expertise to detect and manage penetrations. Utilities must remain aware of the threats that can impact critical data and systems by maintaining regular communication with peers and appropriate agencies, participating in information sharing forums and engaging cybersecurity professionals.

As discussed in Part I, there is already a fair degree of collaboration among stakeholders within the utility industry. Many are members of sector-specific professional associations such as AWWA, AGA and EEI that often have groups or committees focused on cybersecurity initiatives.

Some states also have state-specific cross-sector associations, such as the Illinois Utilities Cybersecurity Coalition (IUCC). The IUCC is a forum created by Illinois electric, gas and water utilities to share best practices, threat information and operational experience in order to develop protocols for timely responses to cyber threats. While this sort of information sharing is valuable, utilization of independent consultants can also reinforce and complement existing regimes.

State regulators are in a unique position to facilitate information sharing among utilities with different needs and approaches. For example, NARUC's Committee on Critical Infrastructure (CI Committee), which originally formed on a temporary basis after the 9/11 terrorist attacks, now provides a permanent forum for state regulators to collaborate among themselves and with their federal counterparts.

The CI Committee recently announced a new project: to compile a catalogue of information pertaining to individual commissions' activities in the area of critical infrastructure resilience. This CI Catalog is intended to be a living resource for best practices, with new information added as state utility commissions undertake new activities.

Audits

A cybersecurity program is only effective to the extent it is utilized. Regulators should ensure that utilities undergo regular audits to assess the effectiveness of their cybersecurity programs. Several physical and technical measures should be periodically reviewed for compliance, including restricted access to server rooms, locks on smart meters, and security fencing and cameras at substations.

A number of state utility commissions have implemented audit procedures, ranging from voluntary to mandatory and run by either the utility commission or a third-party auditor. While mandatory third-party audits are preferable, many utilities already engage in audit programs as part of their own policies or on a voluntary basis.

Of particular concern to state regulators is the cybersecurity of sensitive non-operational business systems and personal information recorded in utility data systems. For example, a final order issued by the New York Public Service Commission (NYPSC) in Case No. 13-M-0178 requires water and sewer companies to conduct third-party cybersecurity audits of their New York operations.

The NYPSC set strict guidelines for what is to be reported in the scope of the audit. That included the quality of the overall data security at the network, host, database and application levels; policies and procedures established regarding the handling and protection of personally identifiable information; data loss prevention measures; privacy training and post-incident response protocols and drills for a suspected or known breach.

In 2007, Texas promulgated rules requiring independent security audits of investor-owned utilities that deploy AMI, and compliance with cybersecurity standards specified by an independent meter data-management organization, the regional transmission organization or the PUC.

Regulators should also collaborate with utilities to develop audit procedures that are non-duplicative and that enhance existing cybersecurity protocols, keeping in mind that utilities will later seek recovery for auditing costs.

In a 2014 rate case, the Michigan Public Service Commission directed DTE Electric Company to submit annual reports on cybersecurity in line with a staff recommendation.

Staff of the MPSC created a framework for reporting on cybersecurity information that requires that DTE provide an annual report, verbally or in writing, which includes an overview of DTE's cybersecurity program. It also requires an organizational diagram of DTE's cybersecurity teams, a description of local, regional or national cybersecurity training exercises for employees, and investments made in cybersecurity upgrades throughout the year.

Also required was a summary on risk and vulnerability assessments, as well as an incident summary outlining any unauthorized actions that resulted in loss of service, financial harm or a breach of sensitive business or customer data.

In an effort to improve regulatory oversight of cybersecurity reporting, the MPSC later directed its staff to develop rules concerning cybersecurity reporting. They are listed in amendments to the Technical Standards for Gas Service and Technical Standards for Electric Service.

Similarly, regulators should ensure their own agencies regularly review and audit their policies, procedures and practices. Though state-by-state practice and procedure varies, highly confidential critical infrastructure and customer information is regularly submitted and exchanged electronically through PUC e-filing and e-mail systems. Commissions should conduct sporadic internal audits to assess staff training, ensure compliance, evaluate standard non-disclosure agreement practices and otherwise protect confidential information.

Finally, agencies are uniquely positioned to engage with and lead stakeholders by ensuring that discovery procedures protect highly sensitive information in the course of proceedings. This may include requiring minimum-security standards for litigants who exchange sensitive information, limiting the electronic transmission of highly sensitive information, and imposing encryption requirements. In the case of extremely sensitive information, they may require that it only be viewed in person in physical data rooms.

Conclusion

As cyber threats become increasingly sophisticated, state regulators must respond by becoming increasingly vigilant. However, numerous opportunities and challenges exist for regulators who seek to effectively manage cybersecurity threats.

Opportunities include the significant amount of collaboration and dialogue that has occurred to date, as well as a mix of voluntary and mandatory standards that other states have already tested and implemented. However, state regulators must also navigate the various layers of jurisdiction to minimize redundant regulation and promote efficiency.

Regulators also face the challenges of economically analyzing cyber risk mitigation, ensuring safety of a network interconnected to non-jurisdictional municipal utilities and cooperatives, and ensuring that communications with utilities can occur confidentially.

While the precise role of state regulators is still evolving, regulators will be well served to focus their energies on promoting a variety of best regulatory practices to mitigate risk and increase preparedness.


Lead image © Can Stock Photo / kentoh