The National Association of Regulatory Utility Commissioners has partnered with the U.S. Department of Energy, Office of Cybersecurity, Energy Security, and Emergency Response (CESER) to develop a set of cybersecurity baselines for electric distribution systems and distributed energy resources (DER) that connect to them. This initiative recognizes that cybersecurity is an integral underpinning of power system resilience and builds on work that states have undertaken over the last decade to mitigate cybersecurity risk across their critical infrastructures.
These baselines, coupled with the forthcoming implementation guidance, are intended as resources for state public utility commissions, utilities, and DER operators and aggregators. These resources encourage alignment across states that choose to adopt the baselines to mitigate cybersecurity risk and enhance grid security. NARUC convened a steering group of regulatory, cyber, and industry experts from across the sector to ensure a wide range of perspectives were considered.
The Cybersecurity Baselines are a vetted set of recommendations for electric distribution systems and the distributed energy resources (DER) that connect to them. These baselines define the minimum set of cybersecurity controls that should be considered, without prescribing specific procedures or technologies for meeting any given baseline. These baselines may be used by regulatory bodies, electric distribution utilities, and DER aggregators as a potential framework for developing their own cybersecurity requirements in conjunction with Phase 2 implementation strategies.
Phase 2 includes preparation of implementation strategies and adoption guidance to support electric distribution system stakeholders as they continue to develop and refine their cybersecurity requirements. These implementation guidelines will include recommendations for assessing cybersecurity risks, prioritizing the assets to which the cybersecurity baselines might apply, and prioritizing the order in which the baselines might be implemented based on cyber risk assessments. The guidance will also address risk-based implementation timelines. The implementation guidelines are aimed at Public Utility Commissions, utilities, and DER operators who wish to adopt the baselines. Phase 2 is expected to be completed over the course of the next year.
During Phase 2, the Cybersecurity Baselines will be mapped to existing cybersecurity standards and practices. Mapping work has already begun and will be completed during this phase of the Cybersecurity Baselines Project. The work in progress is available for review; however, content will change throughout the year. Updated versions will be posted here as they are available.
This work is a joint undertaking of NARUC and the U.S. Department of Energy, Office of Cybersecurity, Energy Security, and Emergency Response. Please direct questions or comments on these work products to cyberbaselines@naruc.org.