New England (and Connecticut in Particular) Showing PUC Leadership on Security

NARUC has been issuing cybersecurity guidance to the 50 US public utility commissions (PUCs) since 2010. And NASEO's been guiding other state government orgs.  California's PUC has been very active, showing leadership with its multiple publications on security and privacy. Until recently, PUC Texas had a true cybersecurity pro on staff.

But now I'm going to tell you about my part of the world: New England.  Last fall the organization that brings the six northeastern PUCs together, NECPUC, put out an RFP for security consulting for the six and some of their utilities. Won by EnergySec, I've heard only positive news about what that six month engagement has produced. In addition, the Massachusetts AG recently released an RFP seeking 3rd part evaluations of cybersecurity preparedness of the distribution companies serving the state.

Now comes this comprehensive, 30-page report this from Connecticut's Public Utilities Regulatory Authority (PURA): "Cybersecurity and Connecticut's Public Utilities," released earlier this week.  While giving credit to the two regulated electric utilities in its jurisdiction for doing a good job on cybersecurity so far, it also tackles head on key challenges and next steps, including:

• Setting performance criteria (hmmm, sounds like measurement maybe)
• Seeking concurrence regarding the role of regulators
• Establishing consistent regulation
• Identifying reporting goals and standards
• Sharing information and best practices
• Maintaining confidentiality of sensitive cyber information
• Rethinking procedures for ensuring personnel security
• Defining appropriate cost thresholds and cost recovery guidelines
• Identifying effective training and situational exercises
• Integrating public utility cyber issues into Connecticut's emergency management operations. 

All good stuff.  However, the report notes that municipal utilities, while providing essential services, are not regulated by PURA. This is true across all 50 states and presents a massive power sector security regulatory blindspot.

Before the report wraps up, it presents regulators and other stakeholders with a few questions (in third person) to be asked about utility cyber preparations:

• Do the leaders in the public utilities serving Connecticut and their boards pay appropriate attention to risk management in general and cyber as part of that challenge? 
• Do they have skilled personnel and necessary hardware and software? Are their budgets for cybersecurity adequate? 
• Do they train and keep up with the constantly evolving set of threats? 
• Do they run mock drills with outside assistance to test the strength of their deterrence? 
• Do they have access to outside consultants and experts to stay up to date and to fill in gaps not covered by their own personnel? 
• Are they active participants in trade association activities geared toward sharing best practices? 

There's more to say, but you're better off reading the report in full when you have a chance.

You'll find it HERE.