Dive Brief:
- Cybersecurity requirements and questions for vendors should be included in utilities’ procurement processes, state regulators and the U.S. Department of Energy recommended Thursday in a set of “cybersecurity baselines” aimed at improving the security of distribution systems and distributed energy resources.
- The National Association of Regulatory Utility Commissioners and DOE’s Office of Cybersecurity, Energy Security, and Emergency Response collaborated to develop the baselines and are planning to publish implementation guidelines later this year.
- The baselines are intended to be a resource for state public utility commissions, utilities and DER operators and aggregators and “provide a common starting point for cyber risk reduction activities,” said NARUC Executive Director Greg White.
Dive Insight:
The electric grid is increasingly distributed and cybersecurity “is an integral underpinning of power system resilience,” DOE and NARUC said.
“Addressing cybersecurity is essential as electric distribution systems continue to evolve, spurred by new technologies and operational models, as well as the ever-increasing threat of cyberattacks,” White said. The baselines are “tailored for electric distribution systems and the DER that connect to them.”
NARUC and DOE will host a pair of webinars to discuss the baselines, on March 14 and March 19. The recommendations include:
- As new devices or services are procured, utilities should make a “good-faith effort to negotiate procurement documents and contracts” stipulating information sharing requirements around security incidents;
- Utilities should develop policies requiring a minimum password length of 15 or more characters “for in-scope IT and OT assets that are not otherwise protected” behind multifactor authentication or other authentication mechanisms;
- Departing employees should lose access to physical and online critical resources within 24 hours of a separation;
- Split up IT and OT networks and utilize “an appropriate network security device to enforce a deny-by-default policy on communications between networks,” only permitting explicitly-allowed connections; and,
- Multifactor authentication should be required for remote access to assets “using the strongest available method for that asset.”
NARUC and DOE are now launching the second phase of the cybersecurity baselines initiative, to develop implementation strategies and adoption guidelines which they said will include “recommendations for prioritizing assets to which the cybersecurity baselines might apply, as well as prioritizing the order in which the baselines might be implemented based on cyber risk assessments.”