From EnergyBiz on possible approaches for states to regulate critical infrastructure cybersecurity in a complicated regulatory environment.
All utility ratepayers benefit from prudent cybersecurity measures because of their effect on reliability, safety and consumer protection. Utilities are therefore entitled to recover the cost of prudent cybersecurity expenses from their rate base. Ultimately, the PUCs are responsible for assessing a utility’s cybersecurity expenses and allowing the cost recovery of prudent expenses.
Given these responsibilities, PUCs must ensure that their regulated utilities are ready to face cybersecurity threats. However, some challenges arise when a PUC examines cybersecurity. Jurisdiction can challenge a PUC in multiple ways. A regulated utility may have a service territory reaching beyond the jurisdiction of just one PUC, creating compliance requirements with multiple, varying cybersecurity regulations. Further, federal agencies share cybersecurity responsibilities, muddling jurisdictional lines. Although the bulk electric system falls under the purview of the North American Electric Reliability Corporation’s Critical Infrastructure Protection regulations, it has been estimated that 80 to 90 percent of grid assets are outside the scope of the CIP standards. The U.S. Environmental Protection Agency, the Transportation Security Administration, the U.S. Department of Energy and the Federal Communications Commission each oversee a different utility sector, and the U.S. Department of Homeland Security ultimately coordinates cybersecurity communication across sectors. With so many competing state regulations and federal agencies, it is often difficult for a state PUC and its regulated utilities to clearly understand where jurisdictional lines are drawn.
When a state PUC examines cybersecurity expenses, it can also face difficulty in assuring confidentiality. Cybersecurity measures necessitate a degree of secrecy in both defense practices and incident response plans. Unless properly shielded by clearly defined statutory protections, public requests under the Freedom of Information Act made to a PUC may expose the details of a utility’s cybersecurity plan. Utilities may hesitate to even provide this information to PUCs, despite the fact that the PUC must have this information in order to assess the prudence of an expense. Additionally, in many states, information received by state employees may be deemed to be public information and, therefore, at risk of exposing critical details.
Another associated challenge is that of technical knowledge. PUCs must have the technical knowledge to understand what does or doesn’t make a prudent cybersecurity investment. A utility’s cybersecurity expenses may have been imprudent even if an attacker does not breach its systems, and prudent expenses cannot ensure the prevention of all cyberattacks. Cybersecurity metrics can be inconsistent between businesses and states, and the differences in those metrics resist simple classification by regulators. Familiarity with at least the basic details of cybersecurity is needed within a PUC for it to fully evaluate a utility’s plans.
With those responsibilities and challenges in mind, PUCs have begun to formulate cybersecurity policies. Twelve state PUCs have concluded dockets with rules or orders that address cybersecurity. Some state PUCs asked utilities questions about their cybersecurity plans, usually with considerations for confidentiality. PUCs have also addressed cybersecurity within the broader topic of smart meters, as a condition of advanced metering infrastructure rollouts. Other PUCs treated cybersecurity as a safety and reliability issue and developed planning or reporting requirements. There are 11 open dockets in separate jurisdictions that address cybersecurity. These largely tend to include cybersecurity considerations within AMI rollouts, but they also address third-party access to customer data, cost recovery of expenses related to NERC CIP, and the development of extensive cybersecurity plans.
Increasingly, cybersecurity has also been directly mentioned within rate cases. Utilities traditionally recover cybersecurity expenses as part of larger system costs. Utilities have included cybersecurity considerations within their equipment evaluations and then sought recovery for the entirety of the system cost. However, increased scrutiny on cybersecurity has drawn more discussion into general rate cases. In seven states, utilities have explicitly detailed cybersecurity costs within one or more rate cases. In roughly half of these cases, the utility has described the costs as regulatory compliance with NERC CIP or Nuclear Regulatory Commission requirements. Cybersecurity costs have also been included within capital additions, operations and management, and information technology costs. In these cases, utilities identified cybersecurity as an important factor in cost increases within larger categories.
State PUCs therefore have a number of questions to ask themselves before developing cybersecurity standards. PUCs can assess their regulations by asking themselves about the confidential treatment of security information, the responsibilities they may have been given by their state legislatures, the availability of training programs and the applicability of cybersecurity frameworks and standards to their regulated utilities. States may find different answers to these questions, and the nuances of a PUC’s legal responsibilities will influence the regulations that they may enact. With increased awareness of the issue, state PUCs will develop their own unique responses to the threats posed by cybersecurity.