As vulnerabilities in the US power grid, and attacks against it, continue to grow (by roughly 60 a day, per NERC), the need for uniform, scalable cybersecurity standards across the energy sector has never been greater. More than two dozen states have developed, or are developing, their own cybersecurity requirements, and a utility operating in those jurisdictions must track and potentially comply with each of them, cross-border differences and all.

In an effort to create acceptable guidance from industry and government experts that could work more universally for the distribution portion of the grid, the National Association of Regulatory Utility Commissioners (NARUC) and the US Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) are establishing cybersecurity baselines for electric distribution systems (EDS) and the distributed energy resources (DER) connected to them.

Cybersecurity Baselines for EDS and DER – FAQs

What Are the Baselines?

The Cybersecurity Baselines for Electric Distribution Utilities and DER are a vetted set of security recommendations for electric distribution systems and their connected distributed energy resources. They define the minimum cybersecurity controls that should be considered; they do NOT prescribe specific technologies or procedures for meeting those controls.

What Is the Purpose of the Baselines?

The new baselines are intended to provide a uniform cybersecurity approach to mitigating risk and improving power grid resilience for states that choose to adopt them. They will do this in conjunction with the forthcoming implementation guidance (Phase 2).

The baselines can be used as a framework around which individual states can build a more standardized cybersecurity strategy for electric distribution utilities and DER.

To Whom Do the Baselines Apply?

The baselines are intended as resources for utilities, state public utility commissions, and DER operators and aggregators.

Who Was Involved in Creating the Baselines?

NARUC and DOE's CESER created the baselines with input from a steering committee convened by NARUC consisting of regulatory experts, cybersecurity professionals, and energy industry advisors.

Phase 1:  What Are the Baseline Recommendations?

Phase 1 recommendations include:

  1. Requiring multi-factor authentication (MFA) for remote access to grid assets, using the "strongest available method for that asset."
  2. Revoking access to physical and online resources within 24 hours of an individual leaving the organization.
  3. Making a "good faith effort" to negotiate security-incident information-sharing requirements when contracting for a new device or service.
  4. Requiring a minimum 15-character password for "in-scope IT and OT assets that are not otherwise protected" by MFA or another authentication control.
  5. Keeping IT and OT networks separate, and allowing traffic between them only on a least-privilege basis with explicit approval.

Phase 2: What Comes Next?

As energy utilities begin adopting the Phase 1 components of the Cybersecurity Baselines, NARUC and DOE are already launching Phase 2, which is expected to be released by the end of 2024.

“Creating implementation guidance is the natural next step to helping commissions and other stakeholders ensure that cybersecurity protections are applied on the electric distribution grid where they matter most,” stated Lynn Costantini, NARUC Center for Partnerships and Innovation Deputy Director.

This next stage will entail specific adoption strategies for “prioritizing assets to which the cybersecurity baselines might apply, as well as prioritizing the order in which the baselines might be implemented based on cyber risk assessments.”

Uniting the US Energy Sector: Getting Behind the Baselines

“This NARUC/DOE initiative complements ongoing industry and government efforts by providing cybersecurity baselines… that provide a common starting point for cyber risk reduction activities,” notes NARUC Executive Director Greg White. “Addressing cybersecurity is essential as electric distribution systems continue to evolve, spurred by… the ever-increasing threat of cyber attacks.” That evolution has brought new IT into direct contact with old OT systems, many of which were “implemented decades ago and are reaching or exceeding their intended lifespan,” making them even more vulnerable to attack.

This NARUC/DOE initiative echoes the White House's National Cybersecurity Strategy and its call to "rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, local governments, and infrastructure operators" and onto "organizations that are most capable and best-positioned to reduce risks for all of us," in this case the federal government. It also comes on the heels of a $45 million DOE grant to 16 cybersecurity projects across the country dedicated to improving the cybersecurity of the US energy sector.

About ITEGRITI

ITEGRITI serves multiple sectors, including energy, healthcare, and financial services across the United States and Canada. We assess, design, and improve cybersecurity and compliance programs to enhance defenses, detect breaches, minimize business disruption, and reduce incident recovery time, supported by internal controls to measure, monitor, and report ongoing program health. Our comprehensive approach includes incident readiness and tabletop exercises to prepare for and test responses to cybersecurity events. ITEGRITI. We Secure Critical Infrastructure.

Contact Us: https://itegriti.com/contact/

ITEGRITI Services: https://itegriti.com