As part of the Biden Administration's efforts to align energy cybersecurity efforts across the country, the U.S. Department of Energy ("DOE") has funded the release of a set of energy distribution cybersecurity baselines for entities participating in the nationwide grid transition.

On February 22, 2024, the DOE announced its support for the release of cybersecurity baselines for electric distribution systems and distributed energy resources ("DERs"). The initiative was funded by the DOE's Office of Cybersecurity, Energy Security, and Emergency Response ("CESER") in partnership with the National Association of Regulatory Utility Commissioners ("NARUC"). The baselines name minimum voluntary standards that DER operators, utilities, and other electric distribution systems should meet to help mitigate cybersecurity risk and enhance grid security. The announced baselines conclude "Phase 1" of a two-phase initiative, with "Phase 2" set to advise entities on strategies for implementing and adopting the baselines over the next year.

The National Cybersecurity Strategy, issued in 2023, identified energy cybersecurity as an area for the DOE's attention as the grid becomes increasingly distributed and vulnerable to both physical and cyber-attacks. The current regulatory approach, which entails state-level oversight of energy cybersecurity for DER operators and utilities, puts the grid at risk due to a lack of alignment across states. Phase 1 of this initiative provides states with uniform nationwide cybersecurity baselines that they may meet to become aligned with the U.S. energy cybersecurity approach, rather than relying on the existing patchwork regulatory framework.

Phase 1 of this initiative is only a single step in what should be a nationwide effort to secure the grid as it becomes integrated with DERs, including wind and solar energy. The National Cybersecurity Strategy is expected to produce additional federal initiatives around energy cybersecurity in light of increased threats to the energy sector.

Takeaways:

  • Though the baselines are voluntary, states that adopt them will be in greater alignment with nationwide efforts to secure the electric grid and better positioned to collaborate across the public and private sectors.
  • The baselines are also best practices for entities' individual cybersecurity efforts, including securing the supply chain, implementing strong IT practices, detecting threats, and detecting and reporting incidents.
  • In the near term, utilities and DER providers should review their current compliance with the announced baselines and prepare initial strategies to meet them ahead of the Phase 2 announcement in the coming year.
  • In the long term, such entities should focus on meeting or exceeding the baselines, bearing in mind that future DOE initiatives may enforce stronger mandates than those currently in effect.

To view Foley Hoag's Security, Privacy and The Law Blog please click here
