The following is a contributed article by Mark James, assistant professor and senior research fellow at Vermont Law School’s Institute for Energy and the Environment, and Richard Mroz, senior advisor, state and government relations, for Protect Our Power.
The threat of cyberattack looms continuously over our nation’s electric grid. What was once viewed as a low probability event is now viewed by many experts in the intelligence and defense communities as a likely occurrence that can happen anywhere.
The interconnected nature of our electric grid means that adversaries do not care whether their point of entry is a Midwestern electric cooperative, an East Coast investor-owned utility (IOU), or a Southern municipally owned utility. And local distribution systems, which make up more than 80% of overall grid architecture and were once thought to be unlikely targets, are just as vulnerable as bulk power systems.
Responding to threats at the distribution level requires coordinated, dedicated action and consistent, annual investment to strengthen our defensive edge. Every utility, regardless of size, must improve its cybersecurity posture. Every state utility commission must consider how it evaluates, approves and measures utility investments in light of increasingly sophisticated threats.
Barriers to improvement
Vermont Law School’s Institute for Energy and the Environment, at the request of grid-focused nonprofit Protect Our Power, recently released a detailed report on barriers to improving distribution system cybersecurity and the best practices for overcoming them.
The team from Vermont Law School interviewed IOUs, electric membership corporations, public power utilities, trade organizations, former state utility commissioners and staff, industry CEOs, vice presidents, chief information security officers and directors of regulatory affairs. We read state commission dockets and orders, state statutes and regulations, and federal, state and trade organization cybersecurity policies.
Overall, our report found that barriers to information sharing, cost recovery options and improving system performance unnecessarily magnify risks to electric grid security. Taking concrete actions to reduce those risks will require better information sharing between utilities and their regulatory commissions, identifying and using appropriate and consistent cost recovery mechanisms, and ensuring that investments are producing benefits for ratepayers. Fortunately, we found examples of such activities in California, Connecticut, Florida, Michigan and New York, and they can provide models for other states.
Every utility commission should be actively engaged with its utilities, discussing threats, auditing responses, and helping develop plans to defend the electricity supply system. Unfortunately, our research found that utility concerns about sharing confidential information with regulatory commissions can limit a commission’s ability to perform this crucial oversight. The good news is that our research also found that relatively simple solutions exist to address this challenge effectively.
Continual investment and quick response needed
Perhaps most importantly, dealing with cyberattack threats requires continual investment in upgrading and securing the grid. As new threats emerge and new vulnerabilities are identified, utilities must move quickly to respond, something that current regulatory oversight of their investments does not readily allow.
If utilities want their capital expenditures to be passed on to ratepayers, those expenditures have to be approved in advance in a ratemaking process, commonly referred to as a rate case. But the evolving security landscape means infrequent or irregular rate cases, which routinely take months or even years to resolve, are not well-suited to addressing rapidly changing hardware, software and personnel needs.
We also heard from utility companies that the method by which they will recover their costs can be as important to them as the ability to recover those costs. The timing of when a regulatory agency will allow the utility to recover its costs — sometimes referred to as regulatory lag — can drive the utility’s decision on when to make the investment. The concern here is that necessary grid investments may not be proposed or made in the most timely and effective manner if the utility is worried about regulatory lag and its economic drag on the company.
As cybersecurity threats and spending needs accelerate, it is critical to address cost recovery issues now. Our report identifies alternative ratemaking options, such as single-issue riders and adjustment clauses that, when deployed with careful attention and scrutiny, may provide appropriate mechanisms for utilities to more quickly recover prudent cybersecurity investments.
The other side of that coin is protecting ratepayers by making sure utility investments are working as intended. To ensure cybersecurity investments are working properly, and to manage grid resiliency to the full extent possible, regulatory commissions must employ resilience metrics that measure and improve utility management, and identify system vulnerabilities. However, our research found no consistent use of resilience metrics by regulatory commissions. Correcting this issue is critical to building a foundation of measurable, effective investment.
Our cybersecurity needs grow every day. Securing the electric distribution grid will require cooperation, timely government support and a massive investment of time and money. But as our report highlights, we have examples of foundational best practices that can help unlock those resources and greatly enhance our ability to successfully meet this threat to our national security.