The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) is a set of requirements designed to secure the assets required for operating North America’s bulk electric system. These regulations are mandated and enforced by the Federal Energy Regulatory Commission (FERC). All owners and operators of the bulk power system must meet the mandatory nine NERC CIP standards to avoid heavy fines for non-compliance. [A bulk power system (BPS) is a large interconnected electrical system made up of generation and transmission facilities and their control systems. A BPS does not include facilities used in the local distribution of electric energy.] Therefore, the NERC CIP requirements do not apply to every community-owned utility. However, whether or not your utility or city is required to comply with federal cybersecurity standards, it is highly recommended you use them as a starting point for creating your cybersecurity program. Requirements can change or new ones can be implemented at any time. While a requirement may not apply to you now, it may in the future.
In addition, the National Institute of Standards and Technology (NIST) Cybersecurity Framework provides controls to enhance the cybersecurity framework, risk posture, information protection, and security standards of all organizations.
The Fair and Accurate Credit Transactions Act of 2003 (FACT Act) was enacted to set standards for protecting consumer information. On November 1, 2007, the FACT Act was amended to include Red Flag guidelines or the Red Flags Rule, for the detection, prevention, and mitigation of identity theft. The Red Flags Rule is enforced by the Federal Trade Commission (FTC) and applies to “financial institutions” and ‘creditors” with “covered accounts.” Utility companies are considered creditors since service is extended prior to payment and, therefore, have two categories of “covered accounts”:
- Personal, family, or household purposes involving or designed to permit multiple payments or transactions.
- Accounts that carry a reasonably foreseeable risk of identity theft.
The Red Flags Rule specifies how businesses and organizations with “covered accounts” must develop, implement, and administer a written Identity Theft Prevention program. More information on this rule can be found at (Federal Register, Vol. 72. Pgs. 63718-74 (Nov. 9, 2007), 16 CFR, Part 681) or ecfr.gov.
If the federal cybersecurity regulations do not apply to our utility or city, what framework should we follow?
The NIST Framework for Improving Critical Infrastructure Cybersecurity provides a solid starting point for building your utility’s cybersecurity program. More than ever, organizations must balance a rapidly evolving cyber threat landscape against the need to fulfill business requirements. To help these organizations manage their cybersecurity risk, NIST developed a Framework that addresses threats and supports business. While the primary stakeholders of the Framework are U.S. private-sector owners and operators of critical infrastructure, its user base has grown to include communities and organizations across the globe.
The privacy and cybersecurity regulations vary by state, change often, and are becoming more stringent. An increasing number of state laws require measures to protect sensitive information from unauthorized access, destruction, use, modification, or disclosure. Some state laws address the security of health care data, financial or credit information, social security numbers, or other privacy-related data. Your utility’s general counsel should check with your state’s attorney general for the state requirements.
How do I find out if our city and/or utility network hardware and software is vulnerable to intrusion?
All network hardware and software is vulnerable to intrusion. If you’d like to look up certain systems, there is a database of Common Vulnerabilities and Exposures. However, the best strategy is to use vendor-neutral resources to determine your utility’s overall level of vulnerability, without focusing solely on hardware and software.
The Public Power Cybersecurity Scorecard is an online self-assessment tool for community-owned utilities to assess cyber risk, plan improvements, prioritize investments, and benchmark their security posture. Based on the DOE Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), the scorecard provides utilities with a starting point to address cyber risks. You can start by completing a simple self-assessment of your cybersecurity program. From there, get guidance, reports, and tools to help improve your cybersecurity plan.
There are additional industry resources available. For example, Hometown Connections, Inc., the non-profit organization dedicated to supporting community-owned utilities, provides a low-cost Cybersecurity Assessment to identify the organization’s cyber vulnerabilities and design a detailed cyber defense program based on industry standards and best practices. AESI-US, Inc., a consulting services partner of Hometown Connections, provides the Cybersecurity Check Up service that includes a customized cybersecurity program survey; comprehensive review pf policies, standards, and procedures; and remote testing of high risk applications.
A cyber-attack can threaten the entire operation of your utility or city. A common misnomer is cybersecurity is an IT issue, when it is actually a function of Risk Management. Every city employee, utility employee, and governing official plays a key role in maintaining a cyber defense that protects business operations. It’s challenging for any IT staffer or third-party provider to stay current on cyber threats and mitigation strategies. To avoid the operational, financial, and reputational harm of a debilitating cyber-attack, use one or more of the neutral resources listed above (Cybersecurity Scorecard by the American Public Power Association, Cybersecurity Assessment by Hometown Connections, and Cybersecurity Check Up by Hometown Connections/AESI-US, Inc.] to assess on a regular basis the state of your cybersecurity defenses. This article explains why creating a cybersecurity program is easier than you think, when you follow the Cybersecurity Action Plan for community-owned utilities and city governments.
Because the organization must establish and maintain a culture that prioritizes cybersecurity across the enterprise, there must be an executive sponsor from the C suite/senior management. Often the general counsel or chief financial officer takes charge of the cybersecurity program development—someone of a very senior rank who must own the strategy and drive cultural change. However, even if the general counsel or CFO takes charge of the cybersecurity effort, the utility general manager or the city manager must maintain overall accountability for the cyber program to ensure effective governance and roles/responsibilities remain clear.
Yes. Working at home expands the utility/municipality attack surface. Employees may be working from unsecure Wi-Fi connections and apps, rather than virtual private networks. Additionally, bad actors may eavesdrop on video calls. Therefore, sensitive customer data and utility information may be at greater exposure for theft or destruction.
Yes. Ransomware attacks are happening every day to organizations like yours. Any organization that maintains an information network on which its operations depend is vulnerable. If the members of your governing board or city council haven’t come to you yet about cybersecurity, they will soon. They are following the ransomware news stories and will ask what the city or utility is doing about cyber risk.
Remember that ransomware attacks are the tip of the iceberg. Cyber criminals are sending out “phishing” attacks that lure your employees to click on malicious links or files. Disgruntled former employees and other bad actors have accessed outage management, 911, text messaging, and other services to send fraudulent messages to customers. Insurance providers are looking more closely at the controls and recovery systems utilities and cities have in place, as they evaluate your level of cybersecurity risk and potential insurance coverage options.
Do I take a different approach to cybersecurity for my operational environments and IT environments?
For utilities, operations technology (metering, SCADA, GIS, outage management, etc.) can have different cybersecurity requirements than IT security. But you should establish a single framework that addresses managing cyber risk across the enterprise.
It’s vital to never underestimate the human factor in cybersecurity. Developing appropriate policies and procedures for employees and contractors is just as important as making equipment or software improvements.
Cybersecurity insurance policies fill the gap in traditional business insurance policies, to cover liabilities and costs associated with the impact of a cyber event that impacts the confidentiality, integrity, or availability of data or technology. Key to analyzing the purchase of cyber insurance is knowing how to quantify risk. Marsh Wortham, the insurance partner of Hometown Connections, has developed a proprietary loss estimate calculator exclusively for members of the American Public Power Association. Marsh Wortham can input into its predictive model utility revenue and number of customers to estimate their cost of both a data breach (including ransomware) and business interruption loss following a cyber-attack.
Cybersecurity is a continuous process. Bad actors never rest in their search for information system weaknesses. Employees and contractors come and go. Therefore, your organization must maintain cybersecurity vigilance, training, and a culture of cybersecurity at all times.