In November 2018, the Research Institute on Sustainable Economic Growth of the National Research Council of Italy (Cnr-Ircres) signed a contract with the National Association of Regulatory Utility Commissioners of the United States (Naruc) for the development of guidelines addressing the cybersecurity of electrical systems in the countries of the Black Sea area: Armenia, Georgia, Moldova, and Ukraine. The contract is funded by the US Agency for International Development (Usaid).
Since December 2016, Naruc has been working with regulators from Armenia, Georgia, Moldova, and Ukraine, and later also from the Balkans, as part of the Usaid-supported Europe and Eurasia Cybersecurity initiative. This partnership aims to help regulators and electricity operators develop a cybersecurity policy framework that establishes baseline standards and puts in place minimum defense capabilities and good practices at utilities.
In this context, the development of cybersecurity tariff guidelines is intended to provide the regulators with a means of cost-effectively improving energy sector security and resilience against the emerging threat of cyberattacks. As power systems modernize, digitize, and integrate, they are increasingly exposed to additional vulnerabilities that can be exploited by cyberattacks. Attacks on the power grid can have devastating effects on a nation’s security, economy, and public welfare, and are a potent threat to all nations worldwide.
Energy regulators have a unique role to play in the field of cybersecurity. While the implementation of cybersecurity measures is typically the responsibility of power system operators, regulators have an obligation to ensure that investments made in the name of cybersecurity and funded through tariffs are reasonable, prudent, and effective.
Regulators both in the Europe and Eurasia region and across the globe have struggled with understanding and quantifying the degree to which the power grid is better protected based on utility investments made in the name of cybersecurity. In the Europe and Eurasia region, especially the Black Sea countries of Armenia, Georgia, Moldova, and Ukraine, this is an issue of considerable importance given consumers’ sensitivities to rate hikes.
Cnr-Ircres contributed to this project on the basis of decades of experience in the study of the economics of the power system, with a more recent focus on the specific theme of cybersecurity. In particular, the ESSENCE project (Emerging Security Standards to the EU power Network controls and other Critical Equipment, 2011-2014, funded by the EU CIPS Programme) carried out an exercise estimating the costs and benefits of implementing security measures to protect critical infrastructures from cyber-attacks, an exercise that has not been repeated since. It therefore represents a unique background for the guidelines, both for the methodological approach and as a source of empirical evidence.
The guidelines were developed with the constant involvement of regulators, operators and experts, merging skills and knowledge from different disciplines. The project also includes a final assistance activity that directly involves the regulators, to tailor the results to each country and to pave the way for practical implementation.
The guidelines "Evaluating the Prudency of Cybersecurity Investments: Guidelines for Energy Regulators" (by Elena Ragazzi (editor), Alberto Stefanini, Daniele Benintendi, Ugo Finardi, Dennis K. Holstein) are intended to assist regulators in defining tariffs by establishing a regulatory approach to enhance the cybersecurity stance of their power systems, and are based on literature and current practices. They attempt to answer the following questions:
- Which regulatory frameworks are best suited to evaluate the prudency of cybersecurity expenditures?
- How can regulators identify and benchmark cybersecurity costs?
- How can regulators identify good countermeasures for cybersecurity?
- How can regulators assess the reasonableness of the costs associated with these countermeasures?
- Is it possible to evaluate the effectiveness of cybersecurity investments?
- Who should identify, benchmark, measure and evaluate the countermeasures in different regulatory frameworks?
In conclusion, these guidelines provide tools and approaches, often discussing several alternatives for each action. The philosophy behind their application is often discussed as well, but no single turnkey solution is ever prescribed, because regulatory strategies are deeply linked to a country's values and objectives.
These guidelines are a first-of-their-kind resource to empower energy regulators to support and encourage grid resilience by ensuring prudent and effective investments in cybersecurity by their regulated entities. Merging skills and knowledge from different disciplines, the guidelines strive to provide space for concepts, processes and methods rather than prescriptive lists or ready-to-use formulas.
While these guidelines were developed for the Europe and Eurasia region, much of their content can be applied universally.
- The guidelines on the Cnr-Ircres website
- "Evaluating the Prudency of Cybersecurity Investments: Guidelines for Energy Regulators", Elena Ragazzi (ed.), Alberto Stefanini, Daniele Benintendi, Ugo Finardi, and Dennis K. Holstein (2020). NARUC, Washington DC
- Appendix 1: "Costs and benefits of cybersecurity regulation. The terms of a complex assessment"
- Appendix 2: "Summary of the main results of the ESSENCE project"
- Appendix 3: "EPRI cybersecurity metrics"
- Appendix 4: "Implementing a cybersecurity regulation: the OFGEM approach"