Cybersecurity and the Electric Grid · 2020-01-24 · cybersecurity has become one of the most...


JANUARY | 2020

Cybersecurity and the Electric Grid
The state role in protecting critical infrastructure

ENERGY

BY DANIEL SHEA

Introduction

The nation’s energy infrastructure is under a growing cyberthreat as business and operational capabilities are increasingly targeted by malicious actors. While the federal government is taking action to help utilities and operators of critical infrastructure defend against the persistent barrage of cyberattacks, state policymakers are pursuing additional measures to establish security requirements and bolster cyber-protections.

The vulnerabilities of the energy sector are of particular concern to national security due to its enabling function across all critical infrastructure systems—with electricity and fuels used to power transportation, water facilities, hospitals and communications. A successful attack on the nation’s energy sector could snowball to affect many of these other systems.

At the same time, the electric grid is under additional scrutiny due to the way grid modernization efforts have increasingly bridged the gap between the physical, operational technology and information technology systems used to operate the grid. Previously, operational technology was largely isolated from information technology. But this separation has narrowed as grid operators incorporate new grid management systems and utilities install millions of smart meters and other internet-enabled devices on the grid. While these advanced technologies offer significant improvements in grid operations and real-time system awareness, they also increase the number of points on the grid that malicious actors can target in order to gain access and compromise larger systems.

The issue is further complicated by the decentralized nature of the grid. There are around 3,000 electric utilities of various sizes operating on the U.S. grid under a variety of regulatory jurisdictions and business models. The Federal Energy Regulatory Commission (FERC) has jurisdiction over the reliability of the bulk power grid—which mostly includes transmission and generation—and has promulgated cybersecurity standards for companies that fall under its jurisdiction. However, portions of the distribution grid fall outside federal jurisdiction.

Between $243 billion and $1 trillion

Estimated cost of a successful cyberattack on the Northeastern U.S. power grid that takes weeks to recover from, according to the insurance firm Lloyd’s of London.

NATIONAL CONFERENCE OF STATE LEGISLATURES 2

This is where state policymakers come into play, because much of the distribution grid is overseen by state regulators and municipal or cooperative governance. These entities operate under the constructs established by state legislators.

A number of states have already taken action to bolster cyber-protections for the grid assets outside of the bulk power system, in addition to other energy systems and critical infrastructure. In particular, state legislatures have grown increasingly active in addressing these issues over the past several years. These actions have largely fallen into four categories:

• Establishing state-level cybersecurity task forces and committees.

• Establishing cybersecurity standards and reporting requirements.

• Expanding state open records exemptions to include cyber vulnerabilities.

• Directing and authorizing governors and state agencies to take certain actions to prepare for and respond to cyber emergencies.

During the 2019 legislative session, at least 16 states considered almost 50 measures intended to address the cybersecurity of the electric grid and other critical infrastructure—an increase of around 30% over the previous year. Of the bills introduced in 2019, at least 11 states passed over a dozen measures, most of which fell into the categories outlined above.

One important issue that continues to go largely unaddressed is how to pay for these cybersecurity programs. Addressing cybersecurity in a robust manner will require utilities to make continuous investments in software and hardware, in addition to personnel and training. Many utilities have reported that current cost-recovery mechanisms make it difficult to maintain an agile cybersecurity posture, with regulatory processes used to approve those expenditures often lasting several months. In other cases, smaller utilities have said their size has limited their ability to invest in cybersecurity in a meaningful way. Most state utility commissions fall under the jurisdiction of state legislatures, and lawmakers may need to address this disconnect in the coming years.

Federal Role

The U.S. Department of Homeland Security (DHS) published reports tracking cyberattacks for six years. In that time, the energy sector was the most-targeted subsector of all U.S. critical infrastructure, with more than half of all reported incidents being classified as advanced persistent threats from sophisticated actors. Physical impacts of cyberattacks have been observed internationally. Hackers from Russia disrupted power operations in Ukraine in 2015, and a series of attacks on petrochemical facilities in Saudi Arabia caused damage to systems and nearly resulted in a significant explosion in 2017. In 2019, unknown assailants launched a ransomware attack against a South African electricity company resulting in blackouts. As the frequency, scale and sophistication of cyberthreats increase, cybersecurity has become one of the most essential new frontiers for critical infrastructure.

The electric grid is fundamental to the systems that make modern life possible. It is used to power everything from wastewater treatment facilities and pipelines to health care and financial systems. A risk report from Lloyd’s of London suggested that a successful cyberattack on the Northeastern U.S. power grid that takes several weeks to fully recover from could come at a cost of between $243 billion and $1 trillion.

The electric grid is the only critical infrastructure sector with mandatory and enforceable security standards. FERC has authority, through the Energy Policy Act of 2005, to oversee the reliability and security of the bulk power grid. FERC has designated the North American Electric Reliability Corporation (NERC) with the authority to set and enforce standards in this area, including cybersecurity.

NERC has developed guidelines and standards for critical infrastructure protection (NERC-CIP), and has been actively updating and bolstering cybersecurity protections over the past several years. Those updates intend to identify weaknesses in the supply chain and increase mandatory reporting requirements to provide national authorities with greater situational awareness and threat assessments. Over the past year, NERC has shown an increased appetite to enforce its standards by handing down a record $10 million fine to an electric utility, followed by several substantial but lesser fines for cybersecurity lapses and violations.

The security of the nation’s network of natural gas, oil and hazardous materials pipelines is overseen by the Transportation Security Administration (TSA), which maintains voluntary cyber and physical defense guidelines. However, the strength of TSA’s oversight has been called into question. In a December 2018 report to Congress, the Government Accountability Office reported “significant weaknesses” in TSA’s oversight of these energy facilities, with its Pipeline Security Branch, which is responsible for both physical and cybersecurity, regularly understaffed and limited in its ability to conduct security reviews.

[Figure: 2019 Cybersecurity Legislation. Map of U.S. states and territories showing which considered cybersecurity measures and which enacted cybersecurity measures. Source: NCSL, 2020]

There are several other federal agencies at work in other capacities. The National Cybersecurity and Communications Integration Center (NCCIC), housed under DHS, is responsible for reducing cybersecurity risks nationwide. It is the central hub for cyber-monitoring activities and communications information, consolidating and analyzing reports from across the nation on cyber intrusions. It also houses technical expertise and operates around-the-clock situational awareness and emergency response capabilities. Along with FERC and DHS, the National Security Agency and the U.S. Department of Energy (DOE) are also working on the issue. DOE’s Office of Cybersecurity, Energy Security and Emergency Response (CESER) is the designated sector-specific agency for energy. Among other tasks, CESER coordinates efforts across the federal government and among stakeholders to increase the energy sector’s cybersecurity posture. The CESER office works closely with the DOE’s national labs, states, industry and other stakeholders to mitigate the threat posed by cyber incidents.

In collaboration with national associations, the nation’s utilities work directly with their federal partners on many of these issues. However, given that NERC-CIP standards are applicable only to utilities and companies that operate on the bulk power system, it is increasingly falling on state officials to address issues that fall outside those boundaries.

State Role

Electric distribution systems fall largely under state jurisdiction. These systems are owned and operated by investor-owned utilities, public power utilities and electric cooperatives. There are nearly 2,000 public power utilities that provide service in 49 states and five territories, serving 15% of customers. Another 800 electric cooperatives serve 13% of customers, but own and maintain around 42% of electric distribution lines in the U.S. Investor-owned utilities (IOUs) are smaller in number—around 170—but larger in size and operations, serving the lion’s share of customers.

State utility commissions, which regulate rates and are authorized to impose certain requirements on electric utilities, often fall under the jurisdiction of state legislatures. Therefore, state legislatures may determine the breadth of the authority utility commissions have—and whether that authority extends to the realm of cybersecurity.

State utility commissions have regulatory oversight of IOUs. In some states, utility commissions also regulate consumer-owned utilities, such as electric cooperatives and public power utilities. However, in most states, the regulation of consumer-owned utilities is left to local government bodies and elected cooperative utility boards. In addition, any utility, whether investor-owned or consumer-owned, may operate facilities that are subject to FERC regulations because they are part of the bulk power system.

In the absence of state or federal oversight, public power utilities and cooperatives are subject to self-regulation, with governing boards made up of members or elected officials. These systems are often smaller, with limited operating budgets that don’t enable the type of investments in cybersecurity afforded to larger systems. A study conducted by the DOE’s National Renewable Energy Laboratory (NREL) found that, among a sample of distribution utilities, the resources available to fund cybersecurity programs varied substantially, with smaller utilities often struggling to adequately address the issue through base rates. The issue was especially prevalent for cooperatives, while IOUs and public power utilities often found it easier to fund cyber initiatives through their base rates, according to the study’s findings.

That doesn’t mean that smaller utilities or cooperatives are inherently less secure. Due to the fragmented nature of the electric network, the robustness of cybersecurity programs varies significantly from state to state, and utility to utility. Even keeping up with minimum standards—which are a floor, not a ceiling—can leave utilities exposed if the standards and practices are not rigorous enough.

Regardless of size, an inadequately secured utility of any type represents a potential access point to the grid that could be targeted and exploited by malicious actors.

That isn’t to say industry hasn’t worked to address these issues on its own. Many utilities rely heavily on national associations to improve cybersecurity. The Edison Electric Institute, American Public Power Association and National Rural Electric Cooperative Association have all worked to improve cybersecurity protections for their members.


States have also been active in addressing the issue, mostly from the perspective of preparing for and reacting to emergencies. Governors have moved to define roles in preparing for and responding to emergencies, encouraged state agencies to participate in cyber response exercises, and have started to incorporate cybersecurity into electricity infrastructure risk assessments. A number of states, including Oregon and Vermont, have developed comprehensive plans and task forces to define roles and coordinate between state agencies. The nation’s network of 79 fusion centers—which gather intelligence on a variety of threats, including cyberthreats—can bolster information-sharing between state agencies and utilities. The National Guard is also a valuable asset to states, with around 3,800 service members in 59 units across 38 states trained in cybersecurity—a number of which are focused on protecting state-level assets.

State legislatures, through oversight of state utility commissions, have the ability to shape cybersecurity for their utilities through state law. They can bolster state oversight, require increased information-sharing between utilities and utility commissions, and establish minimum cybersecurity standards. For example, Connecticut and New York have authorized utility regulators to conduct cyber audits of utilities and make recommendations.

One of the most pressing issues for utilities of all types can be enabling more responsive financing to support cybersecurity operations, which has largely gone unaddressed. In order to recover investments in cybersecurity from customers, regulated utilities must get approval from utility regulators to raise rates through processes that are often cumbersome and lengthy. A number of recent reports have highlighted this as a pressing issue that should be addressed to enable a more agile cybersecurity posture.

State Legislative Trends

In recent years, state legislatures have increasingly taken action to help address this issue in a variety of ways. In 2019, at least 16 states considered almost 50 measures intended to address the cybersecurity of the electric grid and other critical infrastructure.

The most commonly introduced bills seek to establish a state-level committee dedicated to studying the issue and providing policymakers with recommendations. Restricting public disclosure of cybersecurity vulnerabilities through the Freedom of Information Act (FOIA) has been another common measure.

More recently, state legislatures have started to address the issue in more substantial ways. In some cases, they are outlining utility cybersecurity planning or information-sharing requirements. In others, they are adding cyber-related offenses to the criminal code, supporting small and rural cooperatives with cybersecurity preparedness, and bolstering cybersecurity training and civilian cybersecurity reserves.

State-Level Committees and Task Forces

Since 2017, at least nine states—California, Delaware, Kansas, Maryland, Nevada, New Jersey, New York, Texas and Washington—considered legislation to create a state-level committee or task force to, among other things, address cybersecurity issues related to the energy sector and to advise policymakers on the subject. Other states have established legislative committees to review and track the subject.

In California, the legislature regularly directs state agencies to develop programs that bolster cybersecurity or create new agencies to address perceived shortcomings—though it has benefitted from its size and that of the utilities under its jurisdiction. Most recently, AB 2813 (enacted in 2018) established the California Cybersecurity Integration Center within its Office of Emergency Services. The state center is essentially a state-level version of the U.S. Department of Homeland Security’s NCCIC, and is similarly responsible for monitoring threats, consolidating and analyzing reports on cyberattacks, and maintaining situational awareness. It also has its own cyber incident response team and is responsible for interfacing with NCCIC. In addition, the new state entity has been directed to develop a statewide cybersecurity strategy based on recommendations from the California Task Force on Cybersecurity.

Texas SB 475 (enacted, 2019) created the Electric Grid Security Council to mitigate the risk of cyber and physical attacks on the state’s electric system. The council is tasked with developing and communicating “best security practices” to the electric industry, developing educational programs to promote workforce development in these areas, and collaborating with relevant stakeholders to prepare for events that could threaten grid security. Meanwhile, Kansas’ SB 69 (enacted, 2019) created an energy policy task force to study how utility cybersecurity programs, among other things, will affect electricity rates.

Arkansas took a slightly different approach with SB 632 (enacted, 2019), which authorizes the state Economic Development Commission to create a cyber initiative to mitigate cyberrisks to the state by increasing education about threats and defense, providing threat assessments to private and public sectors, and fostering the growth of cybersecurity technology and information technology development in the state.

The Iowa legislature created the Iowa Energy Center to, among other things, support cybersecurity preparedness at the state’s smaller, rural utilities. Finally, Massachusetts and Missouri have created committees with a broader focus on disaster and emergency preparedness, which include cybersecurity.

Planning and Reporting Requirements

Over the past couple of years, state legislatures have taken a more proactive role in outlining what is expected of their electric utilities with regard to cybersecurity planning and reporting. Utility reporting requirements are viewed as important measures for tracking attempted and successful cyberattacks and ensuring widespread threat awareness.

Connecticut was an early actor in this space when the General Assembly enacted its Comprehensive Energy Strategy in 2013, which recognized the electric grid’s physical safety and cybersecurity as priorities for the state utility commission. Ultimately, the utility commission issued a Connecticut Public Utilities Cybersecurity Action Plan. The plan required electric utilities to communicate regularly with the commission on the subject and authorized the commission to conduct cyber reviews of regulated utilities to assess their capabilities and make recommendations. The state utility commission also engaged with its natural gas utilities, which agreed to adopt and participate in the state’s process. New York and Texas have also established monitoring programs to audit utilities and assess their practices.

The Pennsylvania legislature passed requirements (Pa. Code 52 § 101) for its utilities to develop and maintain written physical and cybersecurity, emergency response and business continuity plans. The cybersecurity plans must include critical functions that require automated processing, backups for software and data, alternate methods for maintaining critical functions in the absence of IT systems, along with scenarios and time frames at which point utilities would no longer be able to operate. These plans must be updated annually.

Texas SB 936 (enacted, 2019) authorized the state utility commission to contract with an entity to run a Cybersecurity Monitor Program to oversee and work with the state’s electric sector. The monitor is expected to regularly meet with utilities to discuss emerging threats, best practices and training opportunities. The monitor also will review utility self-assessments and keep the utility commission updated on the electric sector’s cybersecurity preparedness.

Colorado, New Hampshire, Virginia and Washington have all established various cybersecurity requirements of their electric utilities. Maryland has enhanced the level of reporting required of its utilities with over 30,000 customers, which are now required to periodically report on all unauthorized acts that result in confirmed access to the utility’s internal operating systems.

Open Records Exemptions

Nebraska and North Dakota are the latest states to pass an open records exemption for information related to critical infrastructure cybersecurity systems. These laws prevent public access to information that could potentially be used to map and compromise the systems of critical infrastructure owners and operators. These states tend to exempt any information that could compromise a utility’s or critical infrastructure operator’s ability to prevent, mitigate or recover from a cyberattack, or expose cyber-vulnerabilities.

Open records exemptions for critical infrastructure are relatively common—over half of states have some type of open record exemption on the books for critical infrastructure vulnerabilities. Many of these were passed in the wake of the 9/11 terrorist attacks, when additional safeguards were considered prudent measures against revealing physical vulnerabilities or emergency response plans.

However, in recent years, a number of states with these laws in place have moved to include information related to cybersecurity under the same logic. These exemptions are considered important elements to establishing trust between critical infrastructure operators and the state agencies that oversee them. Critical infrastructure operators are more likely to voluntarily comply with information-sharing requirements regarding their cybersecurity programs and emergency planning when they know that information will not reach the public sphere, potentially exposing vulnerabilities and compromising their operations.

In 2019, Colorado, Nebraska and North Dakota passed open record exemptions related to critical infrastructure cybersecurity, while Iowa and Virginia also passed similar exemptions in recent years.

Financing Mechanisms

The issue of how to finance cybersecurity programs for electric utilities is beginning to emerge as a critical component to strengthening the electric sector’s cybersecurity posture. In some ways, a serious cyberattack can be considered in the same realm as other high-consequence, low-frequency events—much like a 100-year weather or an electromagnetic pulse (EMP) event. Historically, utilities have experienced some difficulty in financing programs to address these threats because they’re asking to raise costs on customers for benefits that may—or may not—be realized. Determining the cost-benefit of resiliency investments is much harder to demonstrate than more straightforward investments in improved infrastructure or energy efficiency programs.

However, with the frequency at which many electric utilities are experiencing attempted cyber-intrusions, the calculus has shifted slightly and at least one study on the subject now suggests that cyberattacks should be considered “highly probable” events.

Adding to its complexity is that cybersecurity programs need to be agile and ever-changing in response to the nature of the adversary. These programs require continuous investments in software and hardware, personnel and training, which challenge the traditional cost-recovery mechanisms used in many states. This may require more flexible and responsive regulatory approaches to funding cybersecurity programs.

While the traditional rate case can yield substantial long-term investments in cybersecurity, some states have also deployed funding mechanisms that allow for the incremental recovery of investments. For example, single-issue riders have been used in Ohio and Texas to allow for rapid consideration and incremental cost-recovery for certain investments. But utility commissions often must be authorized to approve these riders under state law.

This is what the Texas Legislature did when it passed SB 936 earlier this year. In addition to creating the state’s Cybersecurity Monitor Program, the new law authorizes utilities to recover the costs of cybersecurity activities required under the law, explicitly authorizing the state regulatory commission to approve such investments.

More often, states have allocated broader cybersecurity funding, rather than addressing how utilities finance these investments. In Minnesota, the legislature has provided grid modernization funding to utilities that can go toward cybersecurity and a long list of other grid modernization efforts.

In California, the legislature allocated $35 million to a five-year cooperative research project between the state’s three IOUs and two of DOE’s national laboratories. The California Energy Systems for the 21st Century (CES-21), which ended in 2019, had a dual focus of developing resources to help model and simulate cybersecurity threat and response scenarios, and researching reliability assumptions with increased renewable integration. In particular, the project’s work on a Machine-to-Machine Automated Threat Response is intended to create a grid architecture that’s capable of making time-critical decisions through automated responses to increase system survivability and resiliency.

Other Initiatives

A number of states have considered several other initiatives as well, including adding cyber-related offenses to the criminal code, financing cybersecurity workforce development programs and establishing cybersecurity response units that would be mobilized in the event of a disaster. Some of the highlights include:

• Florida SB 2500 (enacted, 2019) appropriates funding to the state Department of Education to establish workforce development and training programs in a variety of areas, including cybersecurity.

• Illinois SB 3203 (pending, 2018) would add the offense of cyberterrorism to the criminal code.

• Illinois HB 3017 (pending, 2019) would create the Veterans Cyber Academy Pilot Program, which would create certifications, apprenticeships and additional resources to encourage military veterans to enter the cybersecurity field.

• New Mexico SB 380 (enacted, 2017) authorized the activation of the National Guard in response to a cybersecurity threat under various circumstances, including the protection of critical infrastructure.

• Ohio HB 747 (pending, 2018) would establish a civilian cybersecurity reserve force.

• Utah HJR 14 (passed, 2019) urges Utah and the United States to harden the electric grid against cyberthreats.

Conclusion

Given that electric distribution systems fall largely under state jurisdiction, state legislators are particularly well positioned to oversee cybersecurity efforts over large swaths of the electric system. State legislatures, through oversight of state utility commissions, have the ability to shape cybersecurity for their utilities through state law. In recent years, state legislators have been working to address growing concerns over the cybersecurity of the electric grid, energy sector and critical infrastructure. They have done so most often through measures that bolster state oversight, require increased information-sharing between utilities and utility commissions, and establish minimum cybersecurity standards.


Appendix

The following table includes bills and statutes referenced in the report, along with relevant bills from recent legislative sessions.

State Bill Year Status Summary

Arkansas SB 632 2019 Enacted Authorizes the state Economic Development Commission to create a cyber initiative to mitigate cyberrisks to the state by increasing education about threats and defense, providing threat assessments to private and public sectors, and fostering the growth of cybersecurity technology and information technology development in the state.

California SB 49 2019 Enacted Requires the California Energy Commission to consider the National Institute of Standards and Technology’s (NIST) reliability and cybersecurity protocols, and adopt, at a minimum, the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC-CIP) standards.

California SB 676 2019 Enacted Requires the California Energy Commission to consider incorporating the NIST reliability and cybersecurity protocols, or other equal or more protective cybersecurity protocols, into the electric vehicle grid integration strategies.

Colorado SB 236 2019 Enacted Requires utilities to create a distribution system plan that includes a high-level summary of their planning process for addressing cyber and physical security risks. Confidential, proprietary, or otherwise compromising information that could decrease the utility’s ability to prevent, mitigate or respond to a potential cyber, physical or weather disruption is not required to be included in the report.

Florida SB 2500 2019 Enacted Makes appropriations for the fiscal year, including for cyber incident response equipment, and to universities and schools that are participating in programs like the Florida Cybersecurity initiative, which reward school programs that help students earn industry certifications in fields like cyber security.

Illinois HB 3017 2019 Pending Would create the Veterans Cyber Academy Pilot Program, which would create certifications, apprenticeships and additional resources to encourage military veterans to enter the cybersecurity field.

Kansas SB 69 2019 Enacted Authorizes a study of the retail rates of Kansas electric public utilities, to include an assessment of how cybersecurity, physical security and grid stabilization efforts have affected, or are projected to affect, electric public utility rates.

Minnesota HB 2208 2019 Enacted Adds improvements to the security of the electric grid, including against cyber and physical threats, under the list of grid modernization efforts that may be funded through the special revenue fund called the Renewable Development Fund.

North Dakota SB 2340 2019 Enacted Exempts public utility cybersecurity preparedness and recovery plans from being disclosed in public records. Prevents records and internal public utility reports shared during emergency response situations from being publicly released after the conclusion of the emergency situation.


Nebraska LB 16 2019 Enacted Unless publicly disclosed in an open court, open administrative proceeding, or open meeting, or disclosed by a public entity pursuant to its duties, records relating to the physical and cyber security of critical energy infrastructure are not to be disclosed. Information is not to be publicly reported or released if a reasonable person, knowledgeable of the energy industry, would conclude that public disclosure of the information could create a substantial likelihood of risk to physical and cyber assets.

Texas SB 475 2019 Enacted Establishes the Texas Electric Grid Security Council as an advisory body to facilitate the creation, aggregation, coordination and dissemination of best security practices for the electric industry in order to mitigate the risk of potential cyber and physical security attacks that may affect the Texas electrical systems.

Texas SB 936 2019 Enacted Requires the Texas Public Utilities Commission to contract with an entity to act as the commission’s cybersecurity monitor. Authorizes an electric utility, municipally owned utility or electric cooperative to participate or discontinue participation in the state’s Cybersecurity Monitor Program.

Utah HJR 14 2019 Enacted Encourages Utah’s state and congressional delegations to continue supporting legislation and practices that enhance electrical grid security against natural, accidental or intentional occurrences that could potentially interrupt reliable electricity services, including cybersecurity.

Virginia SB 966 2019 Enacted Includes cybersecurity measures in the definition of “electric distribution grid transformation project.” In addition, allows a utility to petition the commission for approval of a rate adjustment for recovery from customers of the costs of one or more electric distribution grid transformation projects.

Washington HB 1126 2019 Enacted Any distributed energy resources planning process that a utility engages in should include a high-level discussion of how the electric utility is adapting cybersecurity and data privacy practices to the changing distribution system. Included in this discussion should be an assessment of the costs associated with ensuring customer privacy.

California AB 2813 2018 Enacted Establishes the California Cybersecurity Integration Center (Cal-CSIC) whose primary mission is to reduce the likelihood and severity of cyber incidents that could damage California’s economy, its critical infrastructure, or public- and private-sector computer networks in the state. Cal-CSIC shall: serve as the central organizing hub of the state’s cybersecurity activities, coordinate information-sharing, provide warnings, assess current risks and develop a statewide cybersecurity strategy.

Illinois SB 3203 2018 Pending Would add the offense of cyberterrorism to the criminal code.

Ohio HB 747 2018 Pending Would establish a civilian cybersecurity reserve force.

Iowa SB 513 2017 Enacted Created the Iowa Energy Center to, among other things, support cybersecurity preparedness at the state’s smaller, rural utilities.


New Mexico SB 380 2017 Enacted Authorizes the activation of the National Guard in response to a cybersecurity threat under various circumstances, including the protection of critical infrastructure.

Texas Admin. Code 16 § 25.243 2011 Enacted Allows for cost-recovery through a Distribution Cost Recovery Factor that allows electric utilities to recover costs on appeal with the commission that are deemed prudent, reasonable and necessary. Could be reasonably expanded or construed to include costs associated with electric utility cybersecurity needs.

Ohio SB 221 2007 Enacted An electric security plan shall include provisions relating to the supply and pricing of electric generation service. If the proposed plan is for a term longer than three years, it may include provisions to permit the commission to test the plan. Plan may include provisions regarding single-issue ratemaking. As part of the determination whether to allow an electric security plan, the commission shall examine the reliability of the electric distribution utility’s distribution system and ensure customer and utility expectations are aligned.

Pennsylvania Pa. Code 52 § 101 2005 Enacted Requires utilities to develop and maintain written physical and cyber security, emergency response and business continuity plans. Cybersecurity plans must include: list of critical functions requiring automated processing, appropriate backup for application software and data, alternative methods for meeting critical functional responsibilities in the absence of information technology capabilities, and a recognition of the critical time period for each information system before the utility could no longer continue to operate.


Tim Storey, Executive Director

7700 East First Place, Denver, Colorado 80230, 303-364-7700 | 444 North Capitol Street, N.W., Suite 515, Washington, D.C. 20001, 202-624-5400

www.ncsl.org

© 2020 by the National Conference of State Legislatures. All rights reserved.

NCSL Contact:

Daniel Shea Senior Policy Specialist, Energy

[email protected]

Acknowledgment

This paper was developed under an agreement with the Department of Energy’s Office of Cybersecurity, Energy Security, & Emergency Response under award number DE-OE0000819. NCSL gratefully acknowledges the U.S. Department of Energy’s support in developing this publication.

Disclaimer

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.