Electric distribution systems fall largely under state jurisdiction. These systems are owned and operated by investor-owned utilities, public power utilities and electric cooperatives. There are nearly 2,000 public power utilities that provide service in 49 states and five territories, serving 15% of customers. Another 800 electric cooperatives serve 13% of customers, but own and maintain around 42% of electric distribution lines in the U.S. Investor-owned utilities (IOUs) are smaller in number—around 170—but larger in size and operations, serving the lion’s share of customers.
State utility commissions, which regulate rates and are authorized to impose certain requirements on electric utilities, often fall under the jurisdiction of state legislatures. Therefore, state legislatures may determine the breadth of the authority utility commissions have—and whether that authority extends to the realm of cybersecurity.
State utility commissions have regulatory oversight of IOUs. In some states, utility commissions also regulate consumer-owned utilities, such as electric cooperatives and public power utilities. However, in most states, the regulation of consumer-owned utilities is left to local government bodies and elected cooperative utility boards. In addition, any utility, whether investor-owned or consumer-owned, may operate facilities that are subject to FERC regulations because they are part of the bulk power system.
In the absence of state or federal oversight, public power utilities and cooperatives are subject to self-regulation, with governing boards made up of members or elected officials. These systems are often smaller, with limited operating budgets that don’t enable the type of investments in cybersecurity afforded to larger systems. A study conducted by the DOE’s National Renewable Energy Laboratory (NREL) found that, among a sample of distribution utilities, the resources available to fund cybersecurity programs varied substantially, with smaller utilities often struggling to adequately address the issue through base rates. The issue was especially prevalent for cooperatives, while IOUs and public power utilities often found it easier to fund cyber initiatives through their base rates, according to the study’s findings.
That doesn’t mean that smaller utilities or cooperatives are inherently less secure. Due to the fragmented nature of the electric network, the robustness of cybersecurity programs varies significantly from state to state and utility to utility. Even keeping up with minimum standards—which are a floor, not a ceiling—can leave utilities exposed if the standards and practices are not rigorous enough.
Regardless of size, an inadequately secured utility of any type represents a potential access point to the grid that could be targeted and exploited by malicious actors.
That isn’t to say the industry hasn’t worked to address these issues on its own. Many utilities rely heavily on national associations to improve cybersecurity. The Edison Electric Institute, American Public Power Association and National Rural Electric Cooperative Association have all worked to improve cybersecurity protections for their members.
States have also been active in addressing the issue, mostly from the perspective of preparing for and reacting to emergencies. Governors have moved to define roles in preparing for and responding to emergencies, encouraged state agencies to participate in cyber response exercises, and have started to incorporate cybersecurity into electricity infrastructure risk assessments. A number of states, including Oregon and Vermont, have developed comprehensive plans and task forces to define roles and coordinate between state agencies. The nation’s network of 79 fusion centers—which gather intelligence on a variety of threats, including cyberthreats—can bolster information-sharing between state agencies and utilities. The National Guard is also a valuable asset to states, with around 3,800 service members in 59 units across 38 states trained in cybersecurity—a number of which are focused on protecting state-level assets.
State legislatures, through oversight of state utility commissions, have the ability to shape cybersecurity for their utilities through state law. They can bolster state oversight, require increased information-sharing between utilities and utility commissions, and establish minimum cybersecurity standards. For example, Connecticut and New York have authorized utility regulators to conduct cyber audits of utilities and make recommendations.
One of the most pressing, and largely unaddressed, issues for utilities of all types is enabling more responsive financing to support cybersecurity operations. To recover investments in cybersecurity from customers, regulated utilities must obtain approval from utility regulators to raise rates through processes that are often cumbersome and lengthy. A number of recent reports have highlighted this as a pressing issue that should be addressed to enable a more agile cybersecurity posture.