11 Feb 2019

Law study turns spotlight on electric industry cybersecurity

Need for free flow of information and regulatory disconnect highlighted as industry and US intelligence community worry over cyberattacks.


Recovering costs for the electric sector investment in cybersecurity and development of resilience metrics to gauge the industry's progress are two of several recommendations unveiled by Vermont Law School researchers.

‘cybersecurity vulnerabilities’

The study, conducted for Protect Our Power (POP) by the law school's Institute for Energy and the Environment (IEE), recommends that state utility commissions exercise their authority to increase the flow of confidential information regarding vulnerabilities and best practices. It also identifies the diversity of regulatory approaches to cybersecurity regulation by utility commissions across the country as a concern that warrants attention and improvement. Researchers have briefed the Critical Infrastructure Committee of the National Association of Regulatory Utility Commissioners (NARUC) on the findings of a six-month study of electric grid security. Mark James, assistant professor of energy law and a senior research fellow, who led the  research team, says ‘addressing anticipatory threats such as cyberattacks is a challenge that we are not fully meeting.’ He explained, ‘as interconnections between and within distribution systems increase, the vulnerability of the electric grid also increases. Continuous communication between utilities and their regulatory commissions is the first step to improving the depth, quality and consistency of efforts to address cybersecurity vulnerabilities.’

Lack of legal tools

Richard Mroz, former president of the New Jersey Board of Public Utilities and the former chairman of NARUC's Critical Infrastructure Committee, balancing investment and consumer expectations ‘is made even more difficult because protecting against cyberattacks is a new necessity, and the utility industry and regulators don't necessarily have the legal tools required to evaluate and support such investments.’ Mr Mroz said he believes this new research will help regulators evaluate whether they need new or additional polices to support investments to protect against an ever-growing variety of cyberattacks on the electric grid. The study comes follows the recent worldwide threat assessment of the US intelligence community, in which national director of intelligence Dan Coats warned that ‘Russia has the ability to execute cyberattacks in the United States that generate localized, temporary disruptive effects on critical infrastructure, such as disrupting an electrical distribution network for at least a few hours.’