The smart grid creates the need for greater cybersecurity and is also part of the solution. The smart grid represents the modernization of electricity infrastructure, often through added technology that allows the grid to gather and store data, creates a “dialogue” between all components of the grid, and allows for automatic command and response within the function of the grid. A fully evolved smart grid will provide many improvements to situational awareness, prevention, management and restoration that, in spite of the new vulnerabilities it introduces, fundamentally make the electric system more secure and reliable. On the other hand, the smart grid heightens the need for cybersecurity because it adds a layer of computer systems and software to existing utility infrastructure, which may increase the number of portals through which a cyber threat could enter the system.
Last month, the National Association of Regulatory Utility Commissioners (“NARUC”) released an updated version of its cybersecurity primer, Cybersecurity for State Regulators 2.0. Meant for state regulators, the Primer will also be helpful to utilities, as it provides a “heads up” on the questions you will be asked. It includes an introductory explanation of the issues, identifies the jurisdictional landscape and highlights some of the characteristics of good cybersecurity that policymakers should consider. Understanding that cybersecurity is a quickly evolving area, the Primer also encourages regulators to engage in strategic discussions about cybersecurity to enable and support a thoughtful, risk-based approach to prudent investments by infrastructure operators. It includes sample questions for regulators to customize and ask their regulated entities and provides other resources. Here are some of the thought-provoking questions:
- Does your cybersecurity plan include alternative methods for meeting critical functional responsibilities in the absence of IT or communication technology?
- Has your organization conducted a cyber risk or vulnerability assessment of its information systems, control systems and other networked systems?
- Does your organization perform vulnerability assessment activities as part of the acquisition cycle for products in each of the following areas: cybersecurity, SCADA, smart grid, internet connectivity and Web site hosting?
- Has the company managed cybersecurity in the replacement and upgrade cycle of its networked equipment? Does this include smart meters?