- The Michigan Public Service Commission last week directed its staff to develop new rules focused on annual cybersecurity reporting, detailing utility efforts to guard against hackers that threaten data, finance or grid reliability, the Associated Press reports.
- Chairman Sally Talberg called the issue a "paramount concern," and said natural gas and electric utilities are facing hacking attempts almost daily.
- Cybersecurity is increasingly an area of concern for utilities, and federal regulators earlier this year directed the North American Electric Reliability Corp. (NERC) to improve cybersecurity protocols to guard against hackers.
At all levels of oversight, the utility sector is increasingly focused on guarding against a potentially devastating attack. Following a series of 2015 cyberattacks that caused widespread blackouts in Ukraine, there is growing concern that fallout from a successful intrusion could be widespread.
Last year, Lloyd's of London estimated the potential impact of a widespread attack on the U.S. power grid at anywhere from $243 billion up to $1 trillion in the most damaging scenarios.
While the Federal Energy Regulatory Commission has directed NERC to bolster its security requirements, and a simulated attack last year found overall improvement, Michigan's move is a sign that states want to take a hands-on approach as well.
"It is of paramount concern to the MPSC that utilities and other energy providers protect their gas and electric systems, customers and the public at large from a cybersecurity attack," Chairman Talberg said in a statement. "With natural gas and electric utilities facing cybersecurity threats and attempted intrusions into computer systems on an almost daily basis it is a question of when - not whether - an attack will occur."
Talberg said federal and state governments need to work collaboratively with utilities to develop programs to keep networks secure.
The rules crafted by the Michigan PSC staff will include an annual report on electric or gas providers' cybersecurity program that will cover: a description of cybersecurity training and exercises employees have had; an explanation of any cybersecurity investments made; and a summary of related incidents that resulted in a loss of service, financial harm or a data breach.