Bringing Utilities to the Table to Talk About Cybersecurity

December 18, 2018

The Seven Principles and Five Areas defined in the CT Cybersecurity Action Plan | Takeo Kuwabara

Fostering collaboration on cybersecurity between private energy utilities and state governments can be challenging. Utilities are hesitant to disclose vulnerabilities for fear of being compromised or penalized in the future. However, utilities’ experiences are invaluable for developing effective state-wide cybersecurity strategies. Engaging them in the very early stages of plan development can help overcome the usual obstacles, generate rapport, and produce plans that are robust and well received.

Arthur House, Connecticut’s inaugural Chief Cybersecurity Risk Officer, shared his experiences developing Connecticut’s new Cybersecurity Strategy. From 2012 to 2016, House served as Chairman of the Connecticut Public Utilities Regulatory Agency (PURA). In addition to the normal regulatory work of utility commission oversight, he sought to understand how utilities managed cybersecurity threats.

During House’s time as Chairman of PURA in Connecticut, he wrote both a cybersecurity strategic plan and an action plan for the state’s public utilities. He shared both with the utilities, and responded to the points they raised. Some utilities questioned the need for a new plan, but given the combination of political support from Connecticut’s Governor Dannel Malloy and extensive technical input from a variety of sources, the utilities and House were able to reach consensus on both the strategy and action plans.

The action plan results from a collaboration between PURA and the electricity, water, and natural gas utilities. The process involved informal “technical meetings” with each sector. Rather than imposing a final document — and penalizing utilities for non-compliance — Connecticut created a collaborative framework for annual review of cybersecurity defense capabilities. The technical meetings enabled both the utilities and the regulators to resolve their differences as they designed the plan together.

Key issues included how often cybersecurity systems would be reviewed, how many individuals would conduct each review, what review standards would be applied, and whether the findings of each report would remain confidential. House noted that by interacting across a conference table instead of from the dais, points of disagreement were more easily resolved. 

The first assessment following the adoption of the action plan was released in October 2017. The second annual report was made easier by the rapport that utilities and the state had built during the first go-around. House noted that both the state and the utilities saw the plan and the arrangements as workable, had confidence in each other’s good will, and strongly preferred a non-binding plan over new laws and regulations.

Both parties wanted to succeed, and the utilities were glad to have a role in the process. A senior representative from Eversource, a large electricity utility, participated in the press conference when the second review was released in 2018. House noted, “They own this process now just as much as we do.” 

In his new role as Chief Cybersecurity Risk Officer, House was pleased with the statewide Cybersecurity Action Plan that was released in May 2018. It is based on seven principles of cybersecurity that are applied to five critical sectors, including municipalities. Connecticut’s experience highlights the potential of a collaborative approach to overcoming some of the obstacles to effective cybersecurity defense and to protecting critical infrastructure from cyberattack. While states vary widely in their approaches to strengthening cybersecurity, trust is an essential ingredient whatever approach is adopted.