But now I'm going to tell you about my part of the world: New England. Last fall the organization that brings the six northeastern PUCs together, NECPUC, put out an RFP for security consulting for the six and some of their utilities. EnergySec won it, and I've heard only positive news about what that six-month engagement has produced. In addition, the Massachusetts AG recently released an RFP seeking 3rd-party evaluations of cybersecurity preparedness of the distribution companies serving the state.
Now comes this comprehensive, 30-page report from Connecticut's Public Utilities Regulatory Authority (PURA): "Cybersecurity and Connecticut's Public Utilities," released earlier this week. While giving credit to the two regulated electric utilities in its jurisdiction for doing a good job on cybersecurity so far, it also tackles head-on key challenges and next steps, including:
- Setting performance criteria (hmmm, sounds like measurement maybe)
- Seeking concurrence regarding the role of regulators
- Establishing consistent regulation
- Identifying reporting goals and standards
- Sharing information and best practices
- Maintaining confidentiality of sensitive cyber information
- Rethinking procedures for ensuring personnel security
- Defining appropriate cost thresholds and cost recovery guidelines
- Identifying effective training and situational exercises
- Integrating public utility cyber issues into Connecticut's emergency management operations.
Before the report wraps up, it presents regulators and other stakeholders with a few questions (in third person) to be asked about utility cyber preparations:
- Do the leaders in the public utilities serving Connecticut and their boards pay appropriate attention to risk management in general and cyber as part of that challenge?
- Do they have skilled personnel and necessary hardware and software? Are their budgets for cybersecurity adequate?
- Do they train and keep up with the constantly evolving set of threats?
- Do they run mock drills with outside assistance to test the strength of their deterrence?
- Do they have access to outside consultants and experts to stay up to date and to fill in gaps not covered by their own personnel?
- Are they active participants in trade association activities geared toward sharing best practices?
There's more to say, but you're better off reading the report in full when you have a chance.
You'll find it HERE.