NARUC partnered with the U.S. Department of Energy, Office of Cybersecurity, Energy Security, and Emergency Response (CESER) to develop a set of cybersecurity baselines for electric distribution systems and distributed energy resources (DER) that connect to them. This initiative recognizes that cybersecurity is an integral underpinning of power system resilience and builds on work that states have undertaken over the last decade to mitigate cybersecurity risk across their critical infrastructures.
The Cybersecurity Baselines, coupled with guidance on how to implement them, are resources for state public utility commissions, utilities, and DER operators and aggregators. These resources encourage alignment across states that choose to adopt the baselines to mitigate cybersecurity risk and enhance grid security.
NARUC convened a steering group and smaller work teams ("tiger teams") consisting of state utility regulators, distribution system and DER owners and operators, industry trade organizations, and energy cybersecurity experts from across the sector and the country to assist in the development of the Cybersecurity Baselines and the companion Implementation Guidance.
The Cybersecurity Baselines are a vetted set of recommendations for electric distribution systems and the distributed energy resources (DER) that connect to them. These baselines define the minimum set of cybersecurity controls that should be considered, without defining any specific procedures or technologies on how any particular baselines might be met. These baselines may be used by regulatory bodies, electric distribution utilities, and DER aggregators as a potential framework for developing their own cybersecurity requirements in conjunction with Phase 2 implementation strategies.
This implementation guidance is intended to assist entities wishing to adopt the Cybersecurity Baselines as the foundational requirements of a cybersecurity risk management program. These entities may be electric distribution system and/or DER asset owners, operators, and aggregators; state public utility commissions (PUCs) and other oversight bodies; state energy offices; or state legislators.
It addresses two specific topics for entities wishing to implement the baselines:
The guidance in this document is interim, meaning that additional content will be added and refined. Topics such as engagement strategies, compliance approaches, and resource requirements will be included. Guidance will consider both voluntary and mandatory settings and include considerations for stakeholders of differing ownership models, sizes, and maturity levels. Case studies will be included.
A final version of the Implementation Guidance for Cybersecurity Baselines for Distribution Systems and DERs will be released later in 2025.
Mapping the Cybersecurity Baselines to existing cybersecurity standards and practices is helpful for entities that already have a cybersecurity risk management program. Mapping work has already begun and will be completed in 2025. The work in progress is available for review; however, content will change throughout the year. Updated versions will be posted here as they become available.
This work is a joint undertaking of NARUC and the U.S. Department of Energy, Office of Cybersecurity, Energy Security, and Emergency Response. Please direct questions or comments on these work products to cyberbaselines@naruc.org.