On September 19th, the CPUC released a Grid Policy and Planning Paper titled, “Cybersecurity and the Evolving Role of State Regulation: How it Impacts the California Public Utilities Commission.”
In the paper, the CPUC noted that estimates suggest NERC’s CIP protections fail to cover the vast majority of grid assets, notably distribution facilities and “smart” devices.
The paper states:
“the NERC-CIP framework has important limitations. First, NERC-CIP primarily covers only generation and transmission assets that qualify as “critical assets” or “critical cyber-assets.” With grid modernization, this identification is becoming increasingly problematic as many assets, such as advanced meters, do not fall under NERC-CIP but can have a major impact on grid reliability, safety and customer privacy … Second, NERC-CIP is primarily a compliance-based policy. Compliance is an important component of addressing cybersecurity, but it is not enough to ensure that the rapidly evolving risks are adequately considered and acted upon effectively.”
State regulators have not traditionally played a large role in cybersecurity. However, this is beginning to change with the recognition that Federal compliance-based models may not be sufficient to ensure grid resiliency, reliability and safety, as well as customer data privacy. With grid modernization on the way, there is an important role that State regulators need to step into.
The CPUC offers the following recommendations:
• The CPUC should open an Order Instituting Rulemaking (OIR) to explore cybersecurity best practices and develop a cybersecurity approach for the investor-owned utilities in California.
• The CPUC should consider safe harbor protections to encourage utilities to share information regarding security breaches and attacks.
• The CPUC should evaluate the skill-sets and resources needed for CPUC Staff to adequately address cybersecurity.
It is clear from this paper that the CPUC is quite concerned about the cybersecurity of energy infrastructure. What is unclear at this point is what the state will ultimately decide to do about it. It appears that the CPUC will focus primarily on building a greater understanding of the nature of cyber threats, risk management, and information sharing.