From March 30-31, 2017, the United States Agency for International Development (USAID) in partnership with the U.S. National Association of Regulatory Utility Commissioners (NARUC) conducted the second technical workshop on cybersecurity for Black Sea electric utility regulators in Tallinn, Estonia. The workshop was hosted by the Estonian Competition Authority, in coordination with the U.S. Embassy Tallinn under the auspices of the 2013 U.S.-Estonia Cyber Partnership Statement. Commissioners and staff from regulatory agencies in Armenia, Georgia, Moldova, and Ukraine convened with U.S. and EU regulatory experts, as well as U.S. and Estonian government officials, to discuss best practices to construct regulatory cybersecurity strategies, engage with utilities, and evaluate effective utility cybersecurity performance.
The two-day workshop featured representatives from the NARUC, the European Agency for the Cooperation of Energy Regulators (ACER), the Idaho National Laboratory, the State Commissions of Illinois (ICC) and Connecticut (PURA), and Iowa State University. Representatives of the Estonian Ministry of Foreign Affairs and the Ministry of the Interior also participated in the workshop.
Led by NARUC’s Research Lab, the workshop focused on developing regulators’ capacity to ask the right questions of utilities and evaluate their performance on key cybersecurity issues such as procurement, personnel, governance, risk management, incident response and coordination, and planning among other topics.
An ACER representative shared recent developments on the EU’s Directive on Security of Network and Information Systems (NIS) that build on U.S. experience in cybersecurity regulation. He praised the comprehensiveness of U.S. research on cyber security, procurement best practices and NARUC’s 2017 Cybersecurity Primer for Regulators. The NARUC’s Primer was presented to and discussed in detail with the Black Sea regulators.
Background: NARUC’s Work on Cybersecurity
Through its Research Lab, NARUC has conducted nearly 50 technical workshops across the United States and internationally to train regulators on cybersecurity and to build regulatory cyber-strategies. Specifically, NARUC has been instructing U.S. Public Utility Commissions on the fundamentals of cybersecurity, as well as the risk management tools that can be used to face these emerging challenges, such as: 1) encouraging utilities to take steps to protect the electric grid and to work closely with the appropriate government agencies to prevent, detect, and respond to cyber threats; 2) issuing regulatory compliance rules and allowing utilities to recover prudent and reasonable investment costs through rates and tariffs; and 3) building and developing partnerships between public and private actors to tackle major cybersecurity issues.
With the support of the USAID, NARUC is organizing activities that leverage the U.S. regulatory experience to assist Black Sea regulators in understanding the dimensions of cybersecurity and in developing each Commission’s country-specific cybersecurity strategy.