State policymakers are facing up to a growing array of cyberthreats targeting vital services, including increasingly penetrative attacks on critical energy systems. The nature of these threats—including their rapid evolution and complexity—can make them daunting.
That’s why NCSL has developed two educational videos focused on energy sector cybersecurity from the state legislative perspective. The videos provide an accessible and quick-hitting review to contextualize this rapidly developing topic.
State leaders really need to think about prioritizing the safety and the protections of their energy systems. —Kate Marks, CESER
“State leaders really need to think about prioritizing the safety and the protections of their energy systems, because that’s really the critical infrastructure on which all other critical infrastructures rely,” says Kate Marks, deputy assistant secretary at the U.S. Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response, in the video series.
NCSL teamed up with CESER, as the office is known, and the utility regulation and policy publication Public Utilities Fortnightly to speak with experts in the cybersecurity field. The first video, published in December, puts the current situation into context, addressing what state legislators need to know about this emerging threat, along with steps being taken by the energy sector and federal government.
The latest video, titled “What States and Legislators Should Know About Utility Cybersecurity, Part 2,” considers more directly the policy actions state legislators might consider taking to help their state agencies, regulators and utilities address these growing concerns.
“States have a very significant role in helping to mitigate cyberthreats in the electric distribution grid within a state,” says Lynn Costantini, deputy director of the Center for Partnerships and Innovation at the National Association of Regulatory Utility Commissioners. “If utilities aren’t cyber-secure, then the risk of those utility services being unavailable to the consumer are very high.”
Costantini notes the importance of recent state legislation that prevents the public disclosure of utility cybersecurity vulnerabilities through open records laws, which prevents system vulnerabilities from being revealed to adversaries. This is just one of a slew of policies that states have pursued in recent years, as outlined in NCSL’s 2020 report “Cybersecurity and the Electric Grid: The State Role in Protecting Critical Infrastructure.”
“We’ve seen a number of states taking progressive action to bolster their cyber-protections in the energy sector for the grid assets that are outside of the bulk power system, which is managed by [the Federal Energy Regulatory Commission],” Marks says.
In addition to the open records exemptions, these policies establish state-level cyber task forces, directing the development of cyber-reporting and information-sharing requirements for utilities, and authorizing governors or state agencies to prepare for and respond to emergencies.
“Once we see it as a whole picture, then we can find out where the gaps are,” Washington Rep. Matt Boehnke (R) says. “And future legislation is then seeing where cybersecurity can (become) a priority.”
Dan Shea is a program principal in NCSL’s energy program.