How Much Does Cybersecurity Really Cost?

NARUC

Fortnightly Magazine - October 2020

This is the second in a two-part review of cybersecurity resources published through a partnership between the National Association of Regulatory Utility Commissioners (NARUC) and the United States Agency for International Development (USAID) under the Energy and Infrastructure Division of the Bureau for Europe and Eurasia.

The most recent publication, "Evaluating the Prudency of Cybersecurity Investments: Guidelines for Energy Regulators," is intended to assist regulators in defining tariffs by establishing a regulatory approach to enhance the cybersecurity stance of power systems.

It attempts to answer the following questions:

Which regulatory frameworks are best suited to evaluate the prudency of cybersecurity expenditures?
How can regulators identify and benchmark cybersecurity costs?
How can regulators identify good countermeasures for cybersecurity?
How can regulators assess the reasonableness of the costs associated with these countermeasures?
Is it possible to evaluate the effectiveness of cybersecurity investments?
Who should identify, benchmark, measure, and evaluate the countermeasures in different regulatory frameworks?

These questions have each been asked by regulators in the United States, the European Union, and the Europe and Eurasia region for many years without answers. The guidelines serve to address this long-neglected topic by helping regulators to better understand how to assess the prudency of cybersecurity investments and balance costs with preparedness.

Lead author and editor, Elena Ragazzi, Research Institute on Sustainable Economic Growth of the National Research Council of Italy, regards the publication as a "first-of-its-kind resource, demonstrating the leadership of USAID and NARUC in empowering energy regulators to support and encourage grid resilience by ensuring prudent and effective investments in cybersecurity by their regulated entities. The guidelines strive to provide space for concepts, processes, and methods rather than prescriptive lists or ready-to-use formulas."

According to Erin Hammel, NARUC's Director of International Programs, "through USAID/NARUC collaborative efforts, we are excited to see regulators in the Europe & Eurasia region take initiative in the cyber realm through the creation of cyber strategies and working groups.

Regulators play a key role in ensuring that the investments - made by utilities to improve cybersecurity measures - are reasonable and effective."

To discuss the merits of these cyber guidelines and how they differ from other cyber guides, NARUC posed several questions to Ragazzi. What follows are detailed descriptions and highlights from the guidelines, which provide a snapshot of what regulators and others can glean from the publication.

How is this Cyber Guide for Regulators Unique?

There are two elements that make this product unique. First, this guide is intended for the regulators. Investments to protect critical infrastructures are in the hands of utilities and, more generally, of companies. The large majority of documents in the field literature deal with what companies and operators should do. In comparison, discussions about the role of regulators are often out of the public eye.

However, energy regulators have a unique role to play in the field of cybersecurity - to ensure that the interconnected system has an equal level of protection. They also have to ensure that cybersecurity investments are reasonable, prudent, and effective - particularly, when those investments are going to be reflected in consumer tariffs.

These guidelines do not represent a recipe on the best cybersecurity strategy for the power system; a recipe would be outdated in a few months. Instead, they review instruments (such as concepts, approaches, procedures, and sources) that regulators can use to make good decisions when trying to bolster the resilience of power systems to cyberattacks.

Second, these guidelines adopt a practical style, intended to give functional and comprehensive answers to the regulators' questions regarding how to intervene in the field of cybersecurity. Most available sources are represented from a more technical point of view, via lists of prescriptions and recommendations to manage a certain problem. 

Even if the decision on how to handle the cybersecurity stance of the power system is the regulator's responsibility, this decision is just the beginning of the regulatory task. It is also necessary to consider the general regulatory framework, the real operational context, and the necessity to manage the interrelations between the various stakeholders. In response, the IT and cybersecurity aspects in these guidelines have been complemented while also taking into consideration approaches from other disciplines.

What Can Industry Gain by Reading the Guide?

The range of instruments, pieces of information, and approaches addressed in these guidelines have different roles in the various regulatory frameworks and can be used by several different stakeholders in many ways. The implementation of cybersecurity strategy for the power system is the result of the interaction among the involved stakeholders. Everyone has a task to accomplish. This is discussed in the second chapter of the guidelines, "Preliminary Concepts for Correctly Using These Guidelines."

Companies should read the guidelines, not only because some arguments could be applied inside firms, but also because understanding the rationale behind regulatory actions is a fundamental condition to establishing trust and collaboration.

Cybersecurity Aspect Most Misunderstood by Regulators?

First, we address an aspect that tends to be overestimated in terms of importance. Many regulators feel that clearly defining what companies should do will guarantee better protection of the system. The request to researchers and to experts is: "Please tell us what the gold standard for cybersecurity is, and we will ask companies to implement any related measures and investments."

The problem with this compliance-based approach is that it can give a false sense of protection. Experts have repeatedly stated that threats keep evolving. The most dangerous threats appear to be advanced persistent threats (APTs).

In simple terms, an APT is an attack in which an unauthorized user gains access to a system and remains within it for an extended period of time, without being detected and identified. By doing this, hackers can have continuous access to sensitive data stored by the operator on its servers and may deploy long-term attack strategies.

An APT approach implies substantial investments and efforts on the attacker's part, and, in fact, the attackers are often organizations endowed with means and skills, managing a number of strategies and attacks. Effort and time are needed in order to acquire sufficient knowledge, to develop a method to launch such an attack, and to probe the target's entry points so as to exploit system vulnerabilities.

There is no investment in assets able to defend against APTs; the only response in this case is to continue to mature and proactively evolve defensive strategies. Spend more on training your soldiers than investing in walls.

This leads to the most overlooked point. Regulators tend to focus on cyber investments. Often, the regulation says that investment costs are recovered, while operational expenses remain charged to the company. This makes sense in many situations but can prove dangerous in the field of cybersecurity.

The top priorities are defining a strategy and working processes while increasing the skills of personnel. All of them turn mainly into current expenses. This remark has a general value but is especially relevant in transitioning economies where the most widespread shortcomings are represented by processes and personnel.

Experts underline that APTs are among the most dangerous threats because they are extremely difficult to detect and defend against, making them the attackers' weapon of choice.

Defenders (either internal security staff or defenders in a federated security operations center) need to continuously increase their level of maturity by using the most advanced tools and strategies. Proactive anticipatory maturity is necessary to gather and effectively operate cyber-physical system protection tools. It is recommended to perform regular audits in order to identify gaps in the solutions offered to effectively respond to APTs. It is also necessary to gather, prioritize, and process data in a timely manner.

Most Difficult Aspect of Writing this Cyber Guide?

One of the main struggles in our work has been the attempt to be concrete and practical without being prescriptive. We believe that although the design of a regulatory approach is not a technical task, it should be rooted in many technical assessments.

On the other hand, it is also connected to a country's values, vision, and legal environment. These guidelines are intended to help regulators think through the paradigm imposed by the cybersecurity challenge, and to learn to constantly adapt to change with the goal of making power operators better prepared and able to react.

The guidelines are neither fish nor fishing pole. With regard to this analogy, we hope they will serve as good instruction to prepare a competent and aware fisherman. Finally, nothing but experience can turn a beginner into a seasoned veteran. Instead of following specific or limited guidelines, regulators must learn valuable lessons through their own experiences.

The guidelines present five possible scenarios applying a consequential decision process. Their merit is to show how to apply the template practically, and that the choice depends on the initial situation and on the values at the basis of the regulatory activity.

Although they represent only five possible outcomes out of hundreds of possible combinations, two issues appear to be outstanding:

What mutual aid agreements are in place (if any)?
Do I have enough skilled personnel in-house to address cybersecurity cost identification and benchmarking (for cost-plus)?

The scenarios also show that different approaches may coexist in the same country, for example, a general regulation based on cost-plus and a pilot application of PBR for a specific objective.

EU countries (and the individual States in the U.S.) have adopted different regulatory strategies, and some of them are still in an early phase of initial prospection on the problem. This shows that no gold standard has emerged.

It is useless to let time pass, waiting until a clear, complete, and even tailored picture appears. Regulators must get started immediately and learn lessons along the way, because experience will answer more questions than a thousand-page book that would become outdated in six months' time.

Note that the guidelines' co-contributors include Alberto Stefanini, Daniele Benintendi, Ugo Finardi, and Dennis K. Holstein, under the Research Institute on Sustainable Economic Growth of the National Research Council of Italy (CNR-IRCrES).