US developing uniform guidance on distribution cybersecurity

In the US, cybersecurity baselines have been developed to support state-level regulatory oversight of electric distribution systems and the distributed energy resources (DERs) that connect to them.

North America’s National Association of Regulatory Utility Commissioners (NARUC) partnered with the US Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response (CESER) to develop a set of cybersecurity baselines.

Coupled with forthcoming implementation guidance, the baselines are intended as resources for state public utility commissions, utilities and DER operators and aggregators, encouraging alignment across US states on energy cybersecurity.

Regulatory oversight of electric distribution systems and DERs occurs at the state level in the US. The guidance developed by NARUC through CESER’s funding, will help provide states with uniform cybersecurity baselines instead of a patchwork of cybersecurity requirements across the country.

Further, the baselines will enable electric companies and DER providers to work with state utility commissions and energy offices, boards and communities to prioritise cybersecurity investments across the US.

The guidelines, to be developed in 2024, will include recommendations for assessing cybersecurity risks and prioritising assets the baselines might apply to.

“Safeguarding America’s energy infrastructure and advancing US cybersecurity capabilities is critical to achieving President Biden’s ambitious climate goals,” said US Deputy Secretary of Energy David M. Turk in a DOE-issued release.

“Today’s announcement underscores the Biden-Harris Administration’s commitment to working with key partners, like NARUC, to develop vital cybersecurity solutions and strengthen the resilience of America’s electric systems.”

Have you read:
Energy cybersecurity in 2024: Building accountability and responsibility
Cybersecurity standards to be developed for EU distribution systems

The growing cyber threat

The baselines represent the growing urgency of cybersecurity across sectors in the US.

In the DOE’s statement on the baselines, they state that cyber threats have been increasingly sophisticated and target critical energy infrastructure more frequently than ever before.

Earlier in February, the US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI) released a cybersecurity advisory on the threat posed specifically by cyber actors sponsored by the People’s Republic of China.

The advisory assessed that these Chinese state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against US critical infrastructure, including energy, in the event of a major crisis or conflict with the country.

The assessment was based on observations from incidents at critical infrastructure organisations compromised by the cyber group known as Volt Typhoon, warning infrastructure organisations, such as the DOE, of the threat.

According to the advisory, agencies observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years, conducting pre-exploitation reconnaissance to learn about the target organisation.

According to NARUC, the initiative recognises that cybersecurity is an integral underpinning of power system resilience and builds on work that states have undertaken over the last decade to mitigate risk across their critical infrastructures.

The cyber baselines are based on DOE’s work on energy sector cybersecurity and the US Department of Homeland Security’s Cybersecurity Performance Goals (CPG).

NARUC convened a steering group of industry and government subject matter experts, including electricity sector owners and operators, state regulatory agencies, cybersecurity experts and others to inform the baselines.