Report Cybersecurity and the Electric Grid | The State Role in Protecting Critical Infrastructure

Introduction

The nation’s energy infrastructure is under a growing cyberthreat as business and operational capabilities are increasingly targeted by malicious actors. While the federal government is taking action to help utilities and operators of critical infrastructure defend against the persistent barrage of cyberattacks, state policymakers are pursuing additional measures to establish security requirements and bolster cyber-protections.

The vulnerabilities of the energy sector are of particular concern to national security due to its enabling function across all critical infrastructure systems—with electricity and fuels used to power transportation, water facilities, hospitals and communications. A successful attack on the nation’s energy sector could snowball to affect many of these other systems.

At the same time, the electric grid is under additional scrutiny due to the way grid modernization efforts have increasingly bridged the gap between the physical, operational technology and information technology systems used to operate the grid. Previously, operational technology was largely isolated from information technology. But this separation has narrowed as grid operators incorporate new grid management systems and utilities install millions of smart meters and other internet-enabled devices on the grid. While these advanced technologies offer significant improvements in grid operations and real-time system awareness, they also increase the number of points on the grid that malicious actors can target in order to gain access and compromise larger systems.

The issue is further complicated by the decentralized nature of the grid. There are around 3,000 electric utilities of various sizes operating on the U.S. grid under a variety of regulatory jurisdictions and business models. The Federal Energy Regulatory Commission (FERC) has jurisdiction over the reliability of the bulk power grid—which mostly includes transmission and generation—and has promulgated cybersecurity standards for companies that fall under its jurisdiction. However, portions of the distribution grid fall outside federal jurisdiction.

Areas of Action

This is where state policymakers come into play, because much of the distribution grid is overseen by state regulators and municipal or cooperative governance. These entities operate under the constructs established by state legislators. A number of states have already taken action to bolster cyber-protections for the grid assets outside of the bulk power system, in addition to other energy systems and critical infrastructure. In particular, state legislatures have grown increasingly active in addressing these issues over the past several years. These actions have largely fallen into four categories:

• Establishing state-level cybersecurity task forces and committees.
• Establishing cybersecurity standards and reporting requirements.
• Expanding state open records exemptions to include cyber vulnerabilities.
• Directing and authorizing governors and state agencies to take certain actions to prepare for and respond to cyber emergencies.

During the 2019 legislative session, at least 16 states considered almost 50 measures intended to address the cybersecurity of the electric grid and other critical infrastructure—an increase of around 30% over the previous year. Of the bills introduced in 2019, at least 11 states passed over a dozen measures, most of which fell into the categories outlined above.

One important issue that continues to go largely unaddressed is how to pay for these cybersecurity programs. In order for utilities to address cybersecurity in a robust manner, it will require continuous investment in software and hardware, in addition to personnel and training. Many utilities have reported that current cost-recovery mechanisms make it difficult to maintain an agile cybersecurity posture, with regulatory processes used to approve those expenditures often lasting several months. In other cases, smaller utilities have said their size has limited their ability to invest in cybersecurity in a meaningful way. Most state utility commissions fall under the jurisdiction of state legislatures, and lawmakers may need to address this disconnect in the coming years.

Federal Role

The U.S. Department of Homeland Security (DHS) published reports tracking cyber-attacks for six years, and in that time the energy sector was the most-targeted subsector of all U.S. critical infrastructure, with more than half of all reported incidents being classified as advanced persistent threats from sophisticated actors. The physical impacts of cyberattacks have been observed internationally. Hackers from Russia disrupted power operations in Ukraine in 2015, a series of attacks on petrochemical facilities in Saudi Arabia caused damage to systems and nearly resulted in a significant explosion in 2017, and unknown assailants launched a ransomware attack against a South African electricity company resulting in blackouts in 2019. As the frequency, scale and sophistication of cyber threats increase, cybersecurity has become one of the most essential new frontiers for critical infrastructure.

The electric grid is fundamental to the systems that make modern life possible. It is used to power everything from wastewater treatment facilities and pipelines to health care and financial systems. A risk report from Lloyd’s of London suggested that a successful cyberattack on the Northeastern U.S. power grid that takes several weeks to fully recover from could come at a cost of between $243 billion and $1 trillion.

The electric grid is the only critical infrastructure sector with mandatory and enforceable security standards. FERC has authority, through the Energy Policy Act of 2005, to oversee the reliability and security of the bulk power grid. FERC has designated the North American Electric Reliability Corporation (NERC) with the authority to set and enforce standards in this area, including cybersecurity.

NERC has developed guidelines and standards for critical infrastructure protection (NERC-CIP) and has been actively updating and bolstering cybersecurity protections over the past several years. Those updates intend to identify weaknesses in the supply chain and increase mandatory reporting requirements to provide national authorities with greater situational awareness and threat assessments. Over the past year, NERC has shown an increased appetite to enforce its standards by handing down a record $10 million fine to an electric utility, followed by several substantial but lesser fines for cybersecurity lapses and violations.

The security of the nation’s network of natural gas, oil and hazardous materials pipelines is overseen by the Transportation Security Administration (TSA), which maintains voluntary cyber and physical defense guidelines. However, the strength of TSA’s oversight has been called into question. In a December 2018 report to Congress, the Government Accountability Office reported “significant weaknesses” in TSA’s oversight of these energy facilities, with its Pipeline Security Branch, which is responsible for both physical and cybersecurity, regularly understaffed and limited in its ability to conduct security reviews.

There are several other federal agencies at work in other capacities. The National Cybersecurity and Communications Integration Center (NCCIC), housed under DHS, is responsible for reducing cybersecurity risks nationwide. It is the central hub for cyber-monitoring activities and communications information, consolidating and analyzing reports from across the nation on cyber intrusions. It also houses technical expertise and operates around-the-clock situational awareness and emergency response capabilities. Along with FERC and DHS, the National Security Agency and the U.S. Department of Energy (DOE) are also working on the issue. DOE’s Office of Cybersecurity, Energy Security and Emergency Response (CESER) is the designated sector-specific agency for energy. Among other tasks, CESER coordinates efforts across the federal government and among stakeholders to increase the energy sector’s cybersecurity posture. The CESER office works closely with DOE's national labs, states, industry and other stakeholders to mitigate the threat posed by cyber incidents.

In collaboration with national associations, utilities work directly with their federal partners on many of these issues. However, given that NERC-CIP standards are applicable only to utilities and companies that operate on the bulk power system, it is increasingly falling on state officials to address issues that fall outside those boundaries.

State Role

Electric distribution systems fall largely under state jurisdiction. These systems are owned and operated by investor-owned utilities, public power utilities and electric cooperatives. There are nearly 2,000 public power utilities that provide service in 49 states and five territories, serving 15% of customers. Another 800 electric cooperatives serve 13% of customers, but own and maintain around 42% of electric distribution lines in the U.S. Investor-owned utilities (IOUs) are smaller in number—around 170—but larger in size and operations, serving the lion’s share of customers.

State utility commissions, which regulate rates and are authorized to impose certain requirements on electric utilities, often fall under the jurisdiction of state legislatures. Therefore, state legislatures may determine the breadth of the authority utility commissions have—and whether that authority extends to the realm of cybersecurity.

State utility commissions have regulatory oversight of IOUs. In some states, utility commissions also regulate consumer-owned utilities, such as electric cooperatives and public power utilities. However, in most states, the regulation of consumer-owned utilities is left to local government bodies and elected cooperative utility boards. In addition, any utility, whether investor-owned or consumer-owned, may operate facilities that are subject to FERC regulations because they are part of the bulk power system.

In the absence of state or federal oversight, public power utilities and cooperatives are subject to self-regulation, with governing boards made up of members or elected officials. These systems are often smaller, with limited operating budgets that don’t enable the type of investments in cybersecurity afforded to larger systems. A study conducted by the DOE’s National Renewable Energy Laboratory (NREL) found that, among a sample of distribution utilities, the resources available to fund cybersecurity programs varied substantially, with smaller utilities often struggling to adequately address the issue through base rates. The issue was especially prevalent for cooperatives, while IOUs and public power utilities often found it easier to fund cyber initiatives through their base rates, according to the study’s findings.

That doesn’t mean that smaller utilities or cooperatives are inherently less secure. Due to the fragmented nature of the electric network, the robustness of cybersecurity programs varies significantly from state to state and utility to utility. Even keeping up with minimum standards—which are a floor, not a ceiling—can leave utilities exposed if the standards and practices are not rigorous enough.

Regardless of size, an inadequately secured utility of any type represents a potential access point to the grid that could be targeted and exploited by malicious actors.

That isn’t to say the industry hasn’t worked to address these issues on its own. Many utilities rely heavily on national associations to improve cybersecurity. The Edison Electric Institute, American Public Power Association and National Rural Electric Cooperative Association have all worked to improve cybersecurity protections for their members.

States have also been active in addressing the issue, mostly from the perspective of preparing for and reacting to emergencies. Governors have moved to define roles in preparing for and responding to emergencies, encouraged state agencies to participate in cyber response exercises, and have started to incorporate cybersecurity into electricity infrastructure risk assessments. A number of states, including Oregon and Vermont, have developed comprehensive plans and task forces to define roles and coordinate between state agencies. The nation’s network of 79 fusion centers—which gather intelligence on a variety of threats, including cyberthreats—can bolster information-sharing between state agencies and utilities. The National Guard is also a valuable asset to states, with around 3,800 service members in 59 units across 38 states trained in cybersecurity—a number of which are focused on protecting state-level assets.

State legislatures, through oversight of state utility commissions, have the ability to shape cybersecurity for their utilities through state law. They can bolster state oversight, require increased information-sharing between utilities and utility commissions, and establish minimum cybersecurity standards. For example, Connecticut and New York have authorized utility regulators to conduct cyber audits of utilities and make recommendations.

One of the most pressing issues for utilities of all types can be enabling more responsive financing to support cybersecurity operations, which has largely gone unaddressed. In order to recover investments in cybersecurity from customers, regulated utilities must get approval from utility regulators to raise rates through processes that are often cumbersome and lengthy. A number of recent reports have highlighted this as a pressing issue that should be addressed to enable a more agile cybersecurity posture.

State Legislative Trends

In recent years, state legislatures have increasingly taken action to help address this issue in a variety of ways. In 2019, at least 16 states considered almost 50 measures intended to address the cybersecurity of the electric grid and other critical infrastructure.

The most commonly introduced bills seek to establish a state-level committee dedicated to studying the issue and providing policymakers with recommendations. Restricting public disclosure of cybersecurity vulnerabilities through the Freedom of Information Act (FOIA) has been another common measure.

More recently, state legislatures have started to address the issue in more substantial ways. In some cases, they are outlining utility cybersecurity planning or information-sharing requirements. In others, they are adding cyber-related offenses to the criminal code, supporting small and rural cooperatives with cybersecurity preparedness, and bolstering cybersecurity training and civilian cybersecurity reserves.

State-Level Committees and Task Forces

Since 2017, at least nine states—California, Delaware, Kansas, Maryland, Nevada, New Jersey, New York, Texas and Washington—considered legislation to create a state-level committee or task force to, among other things, address cybersecurity issues related to the energy sector and to advise policymakers on the subject. Other states have established legislative committees to review and track the subject.

In California, the legislature regularly directs state agencies to develop programs that bolster cybersecurity or create new agencies to address perceived shortcomings—though it has benefitted from its size and that of the utilities under its jurisdiction. Most recently, AB 2813 (enacted in 2018) established the California Cybersecurity Integration Center within its Office of Emergency Services. The state center is essentially a state-level version of the U.S. Department of Homeland Security’s NCCIC, and is similarly responsible for monitoring threats, consolidating and analyzing reports on cyberattacks, and maintaining situational awareness. It also has its own cyber incident response team and is responsible for interfacing with NCCIC. In addition, the new state entity has been directed to develop a statewide cybersecurity strategy based on recommendations from the California Task Force on Cybersecurity.

Texas SB 475 (enacted, 2019) created the Electric Grid Security Council to mitigate the risk of cyber and physical attacks on the state’s electric system. The council is tasked with developing and communicating “best security practices” to the electric industry, developing educational programs to promote workforce development in these areas, and collaborating with relevant stakeholders to prepare for events that could threaten grid security. Meanwhile, Kansas’ SB 69 (enacted, 2019) created an energy policy task force to study how utility cybersecurity programs, among other things, will affect electricity rates.

Arkansas took a slightly different approach with SB 632 (enacted, 2019), which authorizes the state Economic Development Commission to create a cyber initiative to mitigate cyberrisks to the state by increasing education about threats and defense, providing threat assessments to private and public sectors, and fostering the growth of cybersecurity technology and information technology development in the state.

The Iowa legislature created the Iowa Energy Center to, among other things, support cybersecurity preparedness at the state’s smaller, rural utilities. Finally, Massachusetts and Missouri have created committees with a broader focus on disaster and emergency preparedness, which include cybersecurity.

Planning and Reporting Requirements

Over the past couple of years, state legislatures have taken a more proactive role in outlining what is expected of their electric utilities with regard to cybersecurity planning and reporting. Utility reporting requirements are viewed as important measures for tracking attempted and successful cyberattacks and ensuring widespread threat awareness.

Connecticut was an early actor in this space when the General Assembly enacted its Comprehensive Energy Strategy in 2013, which recognized the electric grid’s physical safety and cybersecurity as priorities for the state utility commission. Ultimately, the utility commission issued a Connecticut Public Utilities Cybersecurity Action Plan. The plan required electric utilities to communicate regularly with the commission on the subject and authorized the commission to conduct cyber reviews of regulated utilities to assess their capabilities and make recommendations. The state utility commission also engaged with its natural gas utilities, which agreed to adopt and participate in the state’s process. New York and Texas have also established monitoring programs to audit utilities and assess their practices.

The Pennsylvania legislature passed requirements (Pa. Code 52 § 101) for its utilities to develop and maintain written physical and cybersecurity, emergency response and business continuity plans. The cybersecurity plans must include critical functions that require automated processing, backups for software and data, alternate methods for maintaining critical functions in the absence of IT systems, along with scenarios and timeframes at which point utilities would no longer be able to operate. These plans must be updated annually.

Texas SB 936 (enacted, 2019) authorized the state utility commission to contract with an entity to run a Cybersecurity Monitor Program to oversee and work with the state’s electric sector. The monitor is expected to regularly meet with utilities to discuss emerging threats, best practices and training opportunities. The monitor also will review utility self-assessments and keep the utility commission updated on the electric sector’s cybersecurity preparedness.

Colorado, New Hampshire, Virginia and Washington have all established various cybersecurity requirements of their electric utilities. Maryland has enhanced the level of reporting required of its utilities with over 30,000 customers, which are now required to periodically report on all unauthorized acts that result in confirmed access to the utility’s internal operating systems.

Open Records Exemption

Nebraska and North Dakota are the latest states to pass an open records exemption for information related to critical infrastructure cybersecurity systems. These laws prevent public access to information that could potentially be used to map and compromise the systems of critical infrastructure owners and operators. These states tend to exempt any information that could compromise a utility’s or critical infrastructure operator’s ability to prevent, mitigate or recover from a cyberattack, or expose cyber-vulnerabilities.

Open records exemptions for critical infrastructure are relatively common—over half of states have some type of open record exemption on the books for critical infrastructure vulnerabilities. Many of these were passed in the wake of the 9/11 terrorist attacks, when additional safeguards were considered prudent measures against revealing physical vulnerabilities or emergency response plans.

However, in recent years, a number of states with these laws in place have moved to include information related to cybersecurity under the same logic. These exemptions are considered important elements to establishing trust between critical infrastructure operators and the state agencies that oversee them. Critical infrastructure operators are more likely to voluntarily comply with information-sharing requirements regarding their cybersecurity programs and emergency planning when they know that information will not reach the public sphere, potentially exposing vulnerabilities and compromising their operations.

In 2019, Colorado, Nebraska and North Dakota passed open record exemptions related to critical infrastructure cybersecurity, while Iowa and Virginia also passed similar exemptions in recent years.

Financing Mechanisms

The issue of how to finance cybersecurity programs for electric utilities is beginning to emerge as a critical component to strengthening the electric sector’s cybersecurity posture. In some ways, a serious cyberattack can be considered in the same realm as other high-consequence, low-frequency events—much like a 100-year weather or an electromagnetic pulse (EMP) event. Historically, utilities have experienced some difficulty in financing programs to address these threats because they’re asking to raise costs on customers for benefits that may—or may not—be realized. Determining the cost-benefit of resiliency investments is much harder to demonstrate than more straightforward investments in improved infrastructure or energy efficiency programs.

However, with the frequency at which many electric utilities are experiencing attempted cyber-intrusions, the calculus has shifted slightly and at least one study on the subject now suggests that cyberattacks should be considered “highly probable” events.

Adding to its complexity is that cybersecurity programs need to be agile and ever-changing in response to the nature of the adversary. These programs require continuous investments in software and hardware, personnel and training, which challenge the traditional cost-recovery mechanisms used in many states. This may require more flexible and responsive regulatory approaches to funding cybersecurity programs.

While the traditional rate case can yield substantial long-term investments in cybersecurity, some states have also deployed funding mechanisms that allow for the incremental recovery of investments. For example, single-issue riders have been used in Ohio and Texas to allow for rapid consideration and incremental cost-recovery for certain investments. But utility commissions often must be authorized to approve these riders under state law.

This is what the Texas Legislature did when it passed SB 936 earlier this year. In addition to creating the state’s Cybersecurity Monitor Program, new law authorizes utilities to recover the costs of cybersecurity activities required under the law, explicitly authorizing the state regulatory commission to approve such investments.

More often, states have allocated broader cybersecurity funding, rather than addressing how utilities finance these investments. In Minnesota, the legislature has provided grid modernization funding to utilities that can go toward cybersecurity and a long list of other grid modernization efforts.

In California, the legislature allocated $35 million to a five-year cooperative research project between the state’s three IOUs and two of DOE’s national laboratories. The California Energy Systems for the 21st Century (CES-21), which ended in 2019, had a dual focus of developing resources to help model and simulate cybersecurity threat and response scenarios and researching reliability assumptions with increased renewable integration. In particular, the project’s work on a Machine-to-Machine Automated Threat Response is intended to create a grid architecture that’s capable of making time-critical decisions through automated responses to increase system survivability and resiliency.

Other Initiatives

A number of states have considered several other initiatives as well, including adding cyber-related offenses to the criminal code, financing cybersecurity workforce development programs and establishing cybersecurity response units that would be mobilized in the event of a disaster. Some of the highlights include:

• Florida SB 2500 (enacted, 2019) appropriates funding to the state Department of Education to establish workforce development and training programs in a variety of areas, including cybersecurity.
• Illinois SB 3203 (pending, 2018) would add the offense of cyberterrorism to the criminal code.
• Illinois HB 3017 (pending, 2019) would create the Veterans Cyber Academy Pilot Program, which would create certifications, apprenticeships and additional resources to encourage military veterans to enter the cybersecurity field.
• New Mexico SB 380 (enacted, 2017) authorized the activation of the National Guard in response to a cybersecurity threat under various circumstances, including the protection of critical infrastructure.
• Ohio HB 747 (pending, 2018) would establish a civilian cybersecurity reserve force.
• Utah HJR 14 (passed, 2019) urges Utah and the United States to harden the electric grid against cyberthreats.

Conclusion

Given that electric distribution systems fall largely under state jurisdiction, state legislators are particularly well-positioned to oversee cybersecurity efforts over large swaths of the electric system. State legislatures, through oversight of state utility commissions, have the ability to shape cybersecurity for their utilities through state law. In recent years, state legislators have been working to address growing concerns over the cybersecurity of the electric grid, energy sector and critical infrastructure. They have done so most often through measures that bolster state oversight, require increased information-sharing between utilities and utility commissions, and establish minimum cybersecurity standards.

Appendix and Acknowledgements

This paper was developed under an agreement with the U.S. Department of Energy’s Office of Cybersecurity, Energy Security, & Emergency Response under award number DE-OE0000819. NCSL gratefully acknowledges the U.S. Department of Energy’s support in developing this publication.