"I would like to end by saying that this was a document that could never fully please everyone, and if we remember it's a 1.0 version, then in that context it's an ambitious and excellent start. Let's start providing feedback now so that 2.0 can be even better."

Well guess what, readers? Some of you, and maybe some others, provided feedback, so well and fully in fact that we find ourselves fewer than nine months later with a new and improved 2.0 version, just released by NARUC* after announcing it at its Winter Meetings (note the sublime, almost hypnotic snowflake animation on the landing page).
After reviewing the new document myself, and getting some input from the authors, I find that while there are numerous small changes that help, the main difference is an emphasis on having regulators develop an overarching strategy before diving into more granular elements like orders, requirements and rules.
To me this creates a nice parallel to what some of the more forward-leaning utilities are doing when they work to create security architectures. In both cases, whether on the regulator or the regulated side, the enabling concept is to craft a coherent larger plan before making point enforcement decisions or deploying point security solutions. Unquestionably sound stuff.
But still there's this (a holdover from version 1.0). Question 28 under Personnel and Policies invites commissioners to ask: "Do you have a Chief Security Officer and do they have explicit cybersecurity responsibilities?"
I would arm the commissioners with the knowledge that while many utilities will reflexively say they have a CSO, he or she is often neither a true C (chief) nor a true O (corporate officer). When there are more true executive-level security chiefs out there, empowered to develop and enforce cybersecurity policy enterprise-wide (IT, Smart Grid and OT), that will clearly mark a departure from the status quo and the beginning of a more proactive, cyber risk management-based utility culture.
And maybe we'll see that called out in NARUC's 3.0 version. But for the moment, I think these folks deserve a pause to refresh. They've been producing high quality guidance at a very rapid pace ... kudos.
* For those unfamiliar with this acronym, it stands for the National Association of Regulatory Utility Commissioners. This is the national body that represents the electric, telecom and water regulating interests of the 50 US states. From a security point of view, NARUC and the state commissioners primarily watch the distribution elements of the grid, whereas the NERC CIP standards in North America focus on large generation and transmission assets. You can check out the NARUC site by clicking HERE.