Laws, Regulations, and Standards
Laws and regulations are enacted by governments to specify certain standards of behavior for individuals, corporations, or other entities. Laws are enacted by a legislative body (or other authorized bodies). Regulations are enacted by government agencies to specify the implementation of a law. Laws and regulations that apply to electric utilities are meant to advance grid reliability, safety, affordability, and security (Keogh and Stack 2017).
Regulations sometimes incorporate standards—best practices that have been assembled and vetted by a trusted organization. For instance, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have jointly published the ISO/IEC 27000 series of standards, which address information security. When standards are incorporated into regulations, regulatory compliance naturally includes compliance with the standards. Organizations (including utilities) may choose to comply with certain standards, even if they are not compelled to do so by regulations. This can provide assurance to internal stakeholders (e.g., executive management) that the organization is implementing prudent security measures.
Government agencies in different nations take different approaches to cybersecurity laws and regulations. The laws of different nations may be structured to result in very dissimilar styles of regulation. In addition, the agency tasked with developing and enforcing regulations for the energy sector also varies, and this can have an impact on how regulations are enforced. In the United States, the North American Energy Reliability Corporation establishes reliability standards that include cybersecurity. In Great Britain, the Office of Gas and Electricity Markets establishes regulations that include cybersecurity. In India, the Central Electricity Regulatory Commission performs this function. No country has the perfect solution to the challenge of how best to regulate cybersecurity—this is an area where learning from the variety of approaches around the world can be instructive.
Three Types of Standards
The word “standards” actually has multiple meanings in the cybersecurity domain. Besides “best practice” standards (such as ISO/IEC 27000), there are “technical standards,” such as IEEE 802.11, which defines wireless protocols used on Wi-Fi networks. A third meaning for “standards” refers to the rules that an organization might develop and enforce internally. (e.g., how often employees need to change their passwords.) All meanings are correct, and the intended meaning is usually apparent from the context (Harris and Maymi 2016).
Importance
Laws and regulations provide incentives for utilities to adopt effective cybersecurity measures (Ragazzi et al. 2020). This motivation may include incentives for strengthening cybersecurity or repercussions for failing to do so. A well-structured regulation will balance the cybersecurity benefit of compliance against the cost to the utility. However, creating a “well-structured” regulation can be tricky, and the consequence of getting it wrong can be dire. A poorly structured regulation could force utilities to expend their resources on compliance with little actual cybersecurity benefit. This could result in an electric grid that is even less secure than if no regulation had been implemented. In other words, the organization might have achieved more effective cybersecurity if it had invested its resources as it saw fit, rather than spending to comply with poorly structured regulations.
Internationally recognized standards are valuable because the best practices they embody go through an extensive vetting process. They also provide a “common language” for security professionals.
Intersections With Other Building Blocks
Laws and regulations are implemented by governments to define required behaviors. Standards may be implemented by many types of organizations (including international standards bodies) and define recommended behaviors. The compliance effort within the utility strives to interpret and enact those behaviors, as well as document the utility’s adherence to the regulations and standards.
Figure 5. Information passed from the laws, regulations, and standards building block
Processes and Actions
The items below are adapted and abridged from Evaluating the Prudency of Cybersecurity Investments: Guidelines for Energy Regulators, which expands on each of the items presented.
Government agencies seeking to implement or revise a cybersecurity regulation framework should first consider which type of regulatory framework will be most effective for their purposes.
Performance-Based Regulation Framework
In performance-based regulation, regulators define security objectives and the indicators (metrics) to be used for validating compliance (through audits or inspections). The utility determines how to meet these objectives.
The process for establishing a performance-based regulation framework begins with defining a cybersecurity strategy. This is followed by defining objectives that fit within the strategy. Then, indicators of the objectives are defined along with economic incentives for achieving the objectives. The regulator conducts audits or inspections to determine compliance. Over time, the regulator should update the framework based on feedback from the utilities or their own observations about the effectiveness of the framework.
Cost-of-Service Framework
In cost-of-service regulation, regulators define the objectives and how to meet those objectives. The regulator also identifies and benchmarks the costs of the security efforts. This regulatory framework is also called “cost plus.”
The process for establishing a cost-of-service framework begins with defining a cybersecurity strategy—similar to the performance-based regulation framework. However, the second step jumps to defining the actual countermeasures to be used within the strategy. The regulator then determines the expenses associated with those countermeasures. Accountability procedures are developed by the regulator, who then verifies that the utility has complied with the prescribed countermeasures. Over time, the regulator should update the framework based on feedback from the utilities or their own observations about the effectiveness of the framework.
Cost-Effectiveness
Key to any framework is the ability to compare the cost of a particular security control (also called a countermeasure) with the benefit provided by that countermeasure. In this regard, it is helpful to consider alternate scenarios where a utility is regulated versus not regulated, and then calculate a variety of costs under both normal operating conditions and cyberattack. The costs of implementing the regulation requirements and the avoided costs of a cyberattack are then weighed for each of these conditions. This exercise is discussed in detail in Evaluating the Prudency of Cybersecurity Investments: Guidelines for Energy Regulators.
To be truly cost-effective, the regulation should be developed jointly by the regulatory agency and those being regulated—the utilities. Regulation should not be unilateral or adversarial. Rather, it should proceed from the assumption that all parties have the same objective—improved security for the electric sector—and unique, valuable insights into how best to achieve that objective.
Regardless of the type of framework used, government agencies may choose to incorporate one or more international standards for best practices into their regulations. This provides a starting point for both regulators and utilities, because for any widely recognized standard there will be guidance for effective implementation.
Essential Data
Agencies that wish to create or amend a regulatory framework should collect the following information:
- A complete understanding of the current applicable regulatory framework (cyber and otherwise)
- Information about the utilities that will be subject to the new or revised regulations. This information should include details about the system itself (generation size and type, loads, and so on), economic information about the utility’s current cost recovery framework, and the cyber preparedness of the utility’s equipment and personnel.
- Points of contact within the utility or utilities that will be subject to regulation
- Threats likely to affect utility operations (both cyber and otherwise) and the likely economic impact of such threats.
Recommended Reading
Additional Resources
Findlaw. “What’s the Difference Between Laws and Regulations?”