

How Do the Biden Administration's Planned Cybersecurity Performance Goals Affect Utilities?

Rakesh Sharma
Journalist, Freelance Journalist

I am a New York-based freelance journalist interested in energy markets. I write about energy policy, trading markets, and energy management topics. You can see more of my writing...

  • Aug 5, 2021

In a bid to improve cybersecurity infrastructure, the Biden administration issued a memo last week to set up the Industrial Control Systems Cybersecurity Initiative – a voluntary, collaborative effort between the U.S. government and the critical infrastructure community to significantly improve cybersecurity. The administration plans to suggest cybersecurity performance goals on Sep 22. The goals will be finalized a year later.


Two things are interesting about this development.


First, it clears the pathway for a possible update of NERC’s CIP standards and a possible migration to the NIST framework. During the press briefing, the administration’s officials said the government’s current posture towards cybersecurity initiatives has been “woefully insufficient”. “The administration is committed to leveraging every authority we have, though limited, and we’re also open to new approaches, both voluntary and mandatory,” the administration official said. Of course, as Richard Brooks pointed out in his link about the topic, the question of aligning NERC’s rudimentary CIP standards with the more expansive 41-page NIST guidelines will still be determined through an open FERC proceeding.


Second, the administration’s cybersecurity goals might help propel a cybersecurity insurance market aimed at utilities. During the press briefing, officials from the administration said they were considering reworking incentives to ensure that utilities comply with the “voluntary” initiative. “We have been investing a lot of time in understanding the incentives and understanding the barriers and looking at what can be done across grants, across potential tax credits, across, potentially, you know performance incentive mechanisms. Cyber insurance mechanism is a really interesting mechanism as well,” he said.


The last option has been under consideration for some time now. A 2014 report by the Bipartisan Policy Center discussed the Obama administration’s efforts to kickstart a market for cybersecurity insurance. According to the report’s authors, cybersecurity insurance would limit potential economic losses at individual entities experiencing a cyberattack or event. “At present, cybersecurity insurance does exist; however, coverage for utility companies is limited and often expensive,” the authors wrote.


I am not sure if the market has grown since then. Considering the frequency and extent of attacks since then, chances are high. Large utilities do disclose the threat of losses due to cybersecurity attacks in their annual reports. Previous reports have made it clear that there is no clarity about the terms of insurance.


Meanwhile, in 2019 the New York Public Services Commission rejected a cybersecurity insurance requirement for third-party entities accessing utility services and data. Instead, the commission adopted new security requirements for these entities to access the grid.

Richard Brooks on Aug 5, 2021

Thanks Rakesh, with regard to NERC; when it comes to grid operations and planning guidelines and standards - there are none better than NERC. When it comes to cybersecurity, there are entities, other than NERC, that are more proficient at providing effective guidelines and standards. NIST and CISA are prime examples of entities that are true cybersecurity experts with the knowledge, experience, guidance and standards that are far superior to NERC. It's time we put our best foot forward on cybersecurity across all critical infrastructures, especially electricity.

Here is my suggestion:

Remove cybersecurity from NERC's plate and let it focus its energies on administering grid reliability for operational and planning purposes - that's our best foot forward on these matters. Put CISA in charge of Cybersecurity across the board for all critical infrastructure because we need a coordinated, consistent and effective cybersecurity and information sharing capability across all critical infrastructures. The interdependence that exists within this infrastructure, i.e., some pipeline Gas compressors run on electricity and many electric generators rely on Natural Gas as a fuel, both Natural Gas and electricity are vital and need to be protected equally. CISA can make that happen, not NERC.

Thanks for sharing your insights and analysis.
