The National Association of Regulatory Utility Commissioners (NARUC) recently released Cybersecurity Baselines for U.S. Distribution and Clean Energy Systems in partnership with the U.S. Department of Energy (DOE). The baselines are intended as a resource for state Public Utility Commissions, electric distribution utilities, and distributed energy resources (DER) operators and aggregators. They complement the 2023 National Cybersecurity Strategy, which directed the DOE to promote cybersecurity for electric distribution systems and for DER infrastructure.
The baselines - developed in two phases with the assistance of a Steering Group of regulatory, cyber, and industry experts - provide a common starting point for reducing cyber risk and enhancing grid security. This is a particularly important initiative as cyber-attacks grow more sophisticated and increasingly target energy infrastructure while, in parallel, electric distribution systems grow increasingly complex with new technologies and operational models that create new vulnerabilities.
The release of the Cybersecurity Baselines represents Phase 1 of the initiative. The baselines can be used as a framework by regulatory bodies, utilities, and DER operators and aggregators to develop their own cybersecurity requirements.
Phase 2 will provide Implementation Strategies and Adoption Guidelines to be used in conjunction with the Phase 1 baselines. These guidelines will provide recommendations for assessing cybersecurity risk, prioritizing the assets the baselines might apply to, and prioritizing the order of baseline implementation based on cyber risk assessments. It is expected that Phase 2 will be completed over the next year.
While it’s important that the Phase 1 Cybersecurity Baselines be used in conjunction with the Phase 2 Implementation Strategies and Adoption Guidelines, having published the Phase 1 Cybersecurity Baselines will provide awareness of the initiative and an opportunity for discussion among key stakeholders.
Stakeholders, including state Public Utility Commissions, electric distribution utilities, and DER operators, can use these baselines to mitigate cybersecurity risks and align efforts across states. The development process involved a Steering Group of experts and multiple stakeholder reviews to ensure diverse perspectives were considered.
Phase 1 tailored the existing Cybersecurity Performance Goals (CPGs) of the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) for electric distribution systems and DERs. These baselines address critical areas, including:
- Asset inventory
- Cybersecurity leadership designation
- Vulnerability mitigation
- Third-party validation
- Supply-chain security disclosures
- Vendor and supplier cybersecurity requirements
- Access control
The complete NARUC Phase 1 Cybersecurity Baselines can be found here. By establishing these cybersecurity baselines, NARUC and DOE are setting a foundation for a more secure and resilient electric distribution system. Implementing these measures will help protect critical infrastructure from cyber threats and ensure the reliable delivery of electricity to consumers.
We recently published a blog, "Experts - Cloud Provides Cost, Security & Reliability Benefits to Grid", which details the security benefits that can be provided by cloud solutions, as well as the specific best-in-class security benefits which are built into Energy Exemplar's PLEXOS Cloud solution.
We will also be publishing a series of blogs on cloud solutions and cybersecurity, including a comprehensive overview of best security practices, inclusive of the NARUC baselines.