Home > Foreign-language conference proceedings > POWER-GEN International COAL-GEN Renewable Energy World International Nuclear Power International > Cyber Security for the Power Sector: Where Regulation and Reality Converge

Cyber Security for the Power Sector: Where Regulation and Reality Converge


Abstract

The power sector and its infrastructure face a number of cyber security threats and, in turn, significant regulatory obligations and challenges. A hypothetical cyber attack scenario on the nation’s power grid presented in a 2015 Lloyd’s report highlighted the potential economic impact to be between $250 billion and $1 trillion. Granted, the grid is getting more secure, but the hackers are also getting more sophisticated. Despite the current regulatory compliance framework and significant investment in cyber security by the industry, reliability and security gaps still exist. While entities that operate Bulk Electric System assets are well versed in the mandatory NERC Critical Infrastructure Protection (or “CIP”) Standards, the current framework does not adequately support cyber security:

1. While CIP requirements have matured, they generally fail to capture the assets of distribution-level utilities that deliver power to local customers, leaving these entities exposed to cyber vulnerabilities.
2. A proposed new CIP Standard aimed at mitigating supply chain risks would require new procurement, legal, and technical controls, despite some industry opposition and potential implementation challenges.
3. Driven by the fear of non-compliance, entities subject to CIP Standards may focus solely on their jurisdictional assets rather than maintain a more holistic view of their overall system in order to better ensure security.
4. State utility commissions are taking different approaches to strengthen cyber protections. Such efforts at the state level will continue to be productive with collaboration among regulators and the industry to develop effective, reasonable requirements in response to emerging threats.

While prescriptive regulations and standards may form the basis of an energy company’s cyber security program, they are likely insufficient to truly provide enterprise-wide protection from the emerging threats to the sector.
This paper will (1) provide an overview of the current and potential regulatory challenges facing the power sector and (2) examine best practices, case studies, and voluntary frameworks that entities may use to bridge any divide between the realities of cyber security and current regulation of the power sector.
