NRRI 14-12-Cybersecurity-Issues

Download 257
Total Views 220
File Size 436.95 KB
File Type pdf
Create Date December 1, 2014
Last Updated December 1, 2014

The United States’ critical infrastructure sectors face the risk of cyber attacks on a frequent basis, with potential impacts that could cause damage to vital systems, expose customer information to theft, or severely limit necessary safety activities. To get a better understanding of those issues, the Middle Atlantic Cybersecurity Collaborative (MACC)1 directed the National Regulatory Research Institute (NRRI) to study the cybersecurity responsibilities and practices of state utility commissions across the nation as well as the roles of numerous other state, federal, and private sector organizations. This study describes the relationship of cybersecurity issues to some basic commission responsibilities and the associated challenges in cybersecurity regulation. Then, the study compiles actions taken by various commissions, including ongoing dockets that may result in further rules or orders, and how cybersecurity expenses have been treated within some rate cases. The study then examines actions taken by other organizations such as federal agencies, state
legislatures, and industry organizations, and concludes by identifying trends in state utility commission actions. One of the prime responsibilities of a commission is to ensure safe and reliable service. A cyber attack represents a threat to the system reliability of each utility sector, and could impact a system in a number of ways. Furthermore, the integration of utility systems has wide-reaching effects on public health and safety; i.e., without electricity, communications systems, gasoline pumps, water purification systems, and other utility systems would not be able to function. Each utility sector offers invaluable support to other utility sectors, and the cascading effects of a cyber attack would be extreme. While each attack can have a different target and method, they ultimately impact system reliability and customer service.
Utilities hold and store valuable customer information, including financial information, usage data, and physical information. Information systems have the ability to efficiently store this data and provide utilities the ability to offer innovative new services. However, they also create risk for ratepayers. The breach of a utility’s information technology systems, the standard networks used to complete business processes, could allow access to customer information, business practices, or security information related to control systems. A utility operating these systems without consideration for cybersecurity opens its ratepayers to dangerous cyber attacks, including identity theft and the compromise of privacy. Commissions ultimately have a responsibility to allow cost recovery of prudent expenses within just and reasonable rates. All utility ratepayers benefit from prudent cybersecurity measures due to their impact on reliability, safety, and consumer protection. Utilities are therefore entitled to recover the cost of prudent cybersecurity expenses from their rate-base.