Core Sector: Critical Infrastructure and Cybersecurity

Cybersecurity for Utility Regulators

Accelerated by advances in technology and modernization efforts, cyber attacks on critical infrastructure in the U.S. and around the world are growing in frequency and potential for disruption. Cybersecurity risk management has become a top priority for industry and policy makers alike. NARUC CPI works to provide state regulators with strategies, tools, and expertise to engage utilities in discussions about cybersecurity preparedness, response, and recovery planning, policies, and practices. These initiatives, coupled with training and technical assistance, support PUCs in their mission to ensure safe, reliable, and resilient energy infrastructure at reasonable rates.

Through its International Programs, NARUC also provides energy regulators around the world with resources they can use to help manage cyber risk, assess utilities’ cyber hygiene and preparedness, ensure the prudency of cyber investments, and promote grid resilience.

NARUC staff experts who support these activities include Lynn P. Costantini, Deputy Director - CPI; Jody Raines, Senior Cybersecurity Policy Specialist - CPI; and Erin B. Hammel, Senior Director - International Programs.

  • Cybersecurity Baselines for Electric Distribution Systems and DER
    NARUC and DOE CESER developed a set of cybersecurity baselines for the electric distribution systems and distributed energy resources (DER) that connect to them. These baselines, coupled with the forthcoming implementation guidance, are intended as resources for state public utility commissions, utilities, and DER operators and aggregators. Learn more
  • Emerging Issues Brief: Volt Typhoon
    This brief describes the threat to critical infrastructure posed by the cyber threat actor group known as Volt Typhoon. It contains questions PUCs may consider asking utilities about their actions to identify and mitigate malicious Volt Typhoon-related activity on their critical systems. Download
  • On-Demand Cybersecurity Training Modules
    The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response, in partnership with NARUC, has produced a set of on-demand cybersecurity training modules. Much of the content included in the training is based on NARUC's Cybersecurity Manual. Learn More
  • Cybersecurity Advisory Team for State Solar (CATSS)
    Created by the National Association of State Energy Officials and NARUC, the CATSS Toolkit provides State Energy Offices and public utility commissions with actionable information on cybersecurity for solar power and supports state cybersecurity enhancements for solar and other distributed energy resources. Learn More
  • Compendium of Cyber Incident Notification Requirements for Critical Infrastructure Utilities by State
    This resource details state-by-state requirements for utilities to report cybersecurity incidents. Links to statutes and orders are included. Download
  • Issue Brief: Log4j Vulnerability
    This one-pager describes the recently discovered Log4j vulnerability, which affects millions of applications worldwide. The brief contains questions PUCs may consider asking utilities about their actions to identify and mitigate the vulnerability on their systems. Download
  • A Guide for Public Utility Commissions: Recruiting and Retaining a Cybersecurity Workforce
    This paper serves as a reference guide for PUCs trying to develop or expand their cybersecurity proficiency. It describes the role of cybersecurity personnel within a PUC and a range of cybersecurity skill sets that may fit a PUC’s needs, as well as avenues for recruiting, retaining, and growing cybersecurity expertise. Appendices provide lists of cybersecurity training resources, recruitment pipelines, and a compendium of sample cybersecurity job descriptions for PUC consideration. Download
  • Cybersecurity for the Smart Grid: Questions for Utilities
    This paper introduces cybersecurity topics relevant to the smart grid. It also suggests questions PUCs might ask utilities to better understand how they are assessing and mitigating the new risks associated with advancing technologies that comprise the smart grid. Concepts in this paper draw from seminal works by the National Institute of Standards and Technology (NIST) as well as topics introduced in NARUC’s Cybersecurity Manual. This paper is a complement to Understanding Cybersecurity Preparedness: Questions for Utilities, one component of the manual. Download
  • Cybersecurity Manual
    NARUC has developed a comprehensive suite of resources, collectively referred to as the Cybersecurity Manual, to help public utility commissions gather and evaluate information from utilities about their cybersecurity risk management practices. These evaluations facilitate well-informed PUC decisions regarding the effectiveness of utilities’ cybersecurity preparedness efforts and the prudence of related expenditures. Learn More

    • Cybersecurity Strategy Development Guide
      This document aims to guide commissions’ interactions with their utilities on issues related to cybersecurity, drawing from the experiences of federal, state, and private-sector stakeholders, including state PUCs themselves. Further, it provides guidance and practices for regulators to consider as they develop and implement their strategies. Commissions that have already developed a strategy can use this guide to review and enhance their current strategy.
    • Understanding Cybersecurity Preparedness: Questions for Utilities
      This resource provides a set of comprehensive, context-sensitive questions that PUCs can ask of a utility to gain a detailed understanding of its current cybersecurity risk management program and practices. The questions build upon and add to those included in prior NARUC publications.
    • Cybersecurity Preparedness Evaluation Tool (CPET)
      The CPET provides a structured approach for PUCs to use in assessing the maturity of a utility’s cybersecurity risk management program and gauging capability improvements over time. The CPET is designed to be used with the Questions for Utilities on an iterative basis to help PUCs identify cybersecurity gaps, spur utilities’ adoption of additional mitigation strategies, and inform cybersecurity investment decisions.
    • Cybersecurity Tabletop Exercise Guide
      This guide details the steps that PUCs can take to design, execute, and evaluate a cybersecurity-focused tabletop exercise (TTX). An exercise could examine utilities’ and other stakeholders’ readiness to respond to and recover from a cybersecurity incident or analyze the PUC’s internal capabilities. This guide includes example scenarios and customizable templates.
    • Cybersecurity Glossary
      This glossary contains cybersecurity terms used throughout the Cybersecurity Manual, as well as “terms of art” that utilities may use during discussions with PUCs. It also contains a list of cybersecurity-related events that demonstrate the growing threats and vulnerabilities against critical infrastructure sectors.
    • Modernized Grids Can Increase Security Risks
      This infographic contains helpful information for regulators to enhance cyber preparedness. It also contains links to relevant USAID and NARUC resources.

  • Cybersecurity Baselines Steering Group for Phase 2: Implementation Guidance
    NARUC and DOE are launching phase 2 of the Cybersecurity Baselines Initiative: developing implementation strategies and guidelines for stakeholders interested in applying the new baselines. This resource will include recommendations for assessing cybersecurity risks, prioritizing the assets to which the cybersecurity baselines might apply, and prioritizing the order in which the baselines might be implemented, based on cyber risk assessments.

  • Advanced Cybersecurity Training for Commission Staff
    NARUC, with funding from the Department of Energy, Office of Cybersecurity, Energy Security, and Emergency Response, is offering a limited number of scholarships for advanced cybersecurity training. Training will be provided by the renowned SANS Institute and focus on cybersecurity of operational technologies.

    Please note that the application window for this training opportunity has closed. 

  • Regional Cybersecurity Training for Regulators
    NARUC conducts in-person training events that focus on cybersecurity topics through the lens of a public utility regulator. Subject matter experts, recruited from around the country, make presentations, lead discussions, and offer topical and timely “boots on the ground” perspectives.

    Past training events have been held in the following locations:

    • September 2024 - Philadelphia, PA
    • April 2024 - New Orleans, LA
    • September 2023 - Phoenix, AZ
    • March 2023 - Indianapolis, IN
    • March 2022 - Denver, CO
    • September 2021 - Virtual
    • February 2021 - Virtual
    • September 2020 - Virtual
    • September 2019 - Austin, TX
    • July 2019 - Chicago, IL
    • October 2018 - Beverly, MA
  • Webinars
    • Cybersecurity Baselines Phase 1 Introduction Webinar, March 2024
      During this webinar, NARUC and DOE provided an overview of the Cybersecurity Baselines Phase 1 that was released in February 2024. Recording
    • Initiative on Cybersecurity in Solar Projects: Cybersecurity Advisory Team for State Solar (CATSS), April 15, 2021
      This webinar explored the drivers accelerating solar adoption, the new cybersecurity risk landscape for solar and efforts underway to address the challenges, and the roles that state commissions and energy offices play in shaping the future of grid reliability, security, and resilience. Recording
    • Cyberspace Solarium Commission Report: An Update for State Regulators, April 24, 2020
      NARUC, in collaboration with Protect Our Power, conducted this webinar to review key pillars of the Cyberspace Solarium Commission report and the role state regulators could play to enact key provisions. Two Cyberspace Solarium Commissioners, Tom Fanning, CEO of Southern Company, and Chris Inglis, former Deputy Director of the National Security Agency, presented. Recording
    • The 411: Cybersecurity Fundamentals that Drive Infrastructure Resilience, July 9, 2019
      This webinar highlighted key cybersecurity principles and how electric and gas utilities implement them to enhance resilience. Recording
    • Blockchain 101, June 23, 2017
      An introduction to Blockchain. Recording

NARUC is grateful to the U.S. Department of Energy, Office of Cybersecurity, Energy Security, and Emergency Response for funding that enables the resources and activities described on this webpage.