NARUC on cyber sec: maintaining vigilance
- November 3, 2012
We spoke at length last week with Terry Jarrett, a member of the Missouri Public Service Commission who also chairs the Committee on Critical Infrastructure for the National Association of Regulatory Utility Commissioners, or NARUC.
Intelligent Utility: What's the mission of the NARUC critical infrastructure committee?
Terry Jarrett: We were established as an ad hoc committee on a temporary basis after the Sept. 11, 2001 terrorist attacks. It became a permanent committee when NARUC realized that natural disasters, terrorism and related concerns required ongoing attention. Our mission is to provide state regulators with a forum to analyze solutions for utility security and infrastructure concerns. The committee offers regulators the opportunity to share best practices and collaborate amongst themselves and their federal counterparts.
Intelligent Utility: When did you join the committee and what drove your interest?
Jarrett: I joined the committee soon after becoming a commissioner in September 2007. Infrastructure protection had already been an area of interest for me. I had served Missouri Governor Blunt as chief legal counsel and one of my roles was to serve as liaison to the state's Department of Public Safety. So disaster preparedness, relief and response was part of my job. It was a natural segue for me as a commissioner to continue to participate in those issues.
Intelligent Utility: In an EnergyBiz article (July/Aug 2012) you wrote this past summer, you stated that balancing the state regulators' responsibility for "safe, reliable" electricity with cyber security measures that are "prudent and necessary" is a "daunting task." What are the top resource needs that state regulators could use to meet this challenge?
Jarrett: I'd say knowledge and training are our top needs. State regulators and their staff need to be able to assess their utilities' performances in meeting cyber security, so they've got to have some expertise. They have to ask the right questions of their utility and understand what constitutes economical and effective cyber security programs and practices.
NARUC's recent publication of "Cybersecurity for State Regulators" is a great way for regulators to learn the basics. Regulators need staff trained to understand cyber security tools so that they're able to evaluate the effectiveness of protections as well as prudence of cost.
State regulators will never be cyber security experts but we need to know enough to ask good questions and have a general sense that our utilities are building and maintaining good and cost-effective cyber security programs. We also need to assess cyber security needs in our own commissions. Our staff collects a great deal of confidential information from utilities in the process of regulatory oversight. And we have to ensure that our systems are protected as well.
Intelligent Utility: My sense is that qualified cyber security people are in short supply. What's your sense, as you reach for this goal?
Jarrett: Great question. Obviously our utilities are responsible for building their own cyber security, so it is critical that they have adequately trained cyber security personnel. And at the PUCs we need to have trained staff to effectively evaluate what utilities are doing. I also hear that qualified cyber security people are in short supply. Therefore, under the law of supply and demand, qualified people will command fairly high salaries, if you can get them. It's important as a state regulator to understand that these folks are in short supply and it's going to cost the utility to hire them, and take that into account when reviewing prudent expenditures.
At NARUC's summer meetings in Portland this past July, we discussed this very topic. How do we attract and retain new talent for the utility industry? We had Barbara Endicott-Popovsky from the University of Washington and Jan Beecher from Michigan State University describe their programs for training students for the utility industry, including cyber security. They both said it's about how you sell it to young people. Both professors said that cyber security interests college students who might otherwise not be interested in utility work. The cloak-and-dagger aspect of the subject—protecting the grid from bad guys—has great appeal with young people. As students are made aware of interesting opportunities, we'll see them gravitating towards those areas.
Intelligent Utility: We just ran an interview with Patrick Miller, principal at EnergySec and lead investigator at the National Electric Sector Cybersecurity Organization, who suggested that a state-level repository for incident data should be established. Is that a role for your NARUC committee?
Jarrett: Patrick Miller is a regular contributor to the critical infrastructure committee; we consider him a great resource. He's always willing to talk to us on cyber issues. To answer your question, the committee's role is to provide resources for state regulators; it's an organization by, of and for state regulators. As such, the best practices for which we're a hub are those that assist regulatory oversight.
NARUC's new primer on cyber security is a good example. The chapter with 47 sample questions covers planning, standards, procurement practices, personnel and policies, systems and operations. These questions are general in nature so as not to elicit confidential information on utilities' cyber security practices, because we don't want that confidential information. We just need a general sense that they're engaged in effective cyber security practices.
As more state PUCs gather this type of information from their utilities, I can see greater information sharing about what seems to be working, and what's not working. Certainly our committee can act as a hub for that type of information.
The more technical information that Patrick is talking about probably has a home somewhere, either in an existing organization or in one that needs to be set up. But I would leave that to the cyber security professionals.
Editor's note: Please join us tomorrow for the conclusion of this two-part interview.
Intelligent Utility Daily