The National Association of Regulatory Utility Commissioners has developed a comprehensive suite of resources, collectively referred to as the Cybersecurity Manual, to help public utility commissions gather and evaluate information from utilities about their cybersecurity risk management practices. These evaluations facilitate well-informed PUC decisions regarding the effectiveness of utilities’ cyber security preparedness efforts and the prudence of related expenditures. The Cybersecurity Manual is comprised of five complementary resources, two of which were released recently.

“The threat posed by cybersecurity incidents is very real, and it is essential that regulators have a clear understanding of the work being done by our utilities to safeguard vital systems and address current and future cyber threats,” said Chairman Gladys Brown Dutrieuille, Pennsylvania PUC and Chair of the NARUC Critical Infrastructure Committee. “The more our PUCs are educated on these issues, the better we are able to evaluate current issues and target future enhancements.”

NARUC’s newly released cybersecurity resources include Understanding Cybersecurity Preparedness: Questions for Utilities. This tool provides a set of comprehensive, context-sensitive questions that PUCs can ask of a utility to gain a detailed understanding of its current cybersecurity risk management program and practices. The questions build upon and add to those included in prior NARUC publications.

The other just-released resource, Cybersecurity Preparedness Evaluation Tool (CPET), provides a structured approach for PUCs to use in assessing the maturity of a utility’s cybersecurity risk management program and gauging capability improvements over time. The CPET is designed to be used with the Questions for Utilities on an iterative basis to help PUCs identify cybersecurity gaps, spur utilities’ adoption of additional mitigation strategies and inform cybersecurity investment decisions.

“Together, these tools will help state commissioners evaluate utility cyber preparedness more quickly and effectively. As regulators, we must assess utilities’ decisions to invest in risk-management tools and other protections for business and customer information, but we are not cybersecurity experts,” said Commissioner Ann Rendahl, Washington Utilities and Transportation Commission. “CPET will help us dive into risk-management and cybersecurity topics without each commission reinventing the wheel.”