The National Association of Regulatory Utility Commissioners (NARUC) and the U.S. Department of Energy (DOE) have introduced voluntary cybersecurity baselines aimed at bolstering the security of distribution systems and distributed energy resources within the utility sector. These guidelines, developed in response to the evolving landscape of the electric grid, emphasize the integral role of cybersecurity in ensuring power system resilience. As the sector undergoes transformations driven by new technologies and operational models, the growing threat of cyberattacks makes addressing cybersecurity increasingly important.
The baselines, intended as a resource for state public utility commissions, utilities, and operators of distributed energy resources (DER), provide a common starting point for cyber risk reduction activities. Recommendations outlined in the baselines include incorporating cybersecurity requirements and inquiries into utilities’ procurement processes, so that as new devices or services are acquired, there is a commitment to negotiating procurement documents with information-sharing requirements related to security incidents. The baselines also advocate for policies such as a minimum password length of 15 characters, multifactor authentication for remote access, and the segregation of IT and OT networks to enforce a deny-by-default policy on communications between them.