2023 Energy Cybersecurity Resources For Governors’ Advisors

This resource guide provides an overview of federal and state cybersecurity standards for the energy sector as well as a collection of energy cybersecurity resources from NGA, the federal government, and other state focused organizations.


Background and Regulatory Authority

As malicious actors increasingly target energy infrastructure with cyber-attacks, it’s important that Governors’ advisors understand the risks to energy infrastructure in their states and territories, and the roles state and territory leaders can play to address those risks. A cyber-attack on critical infrastructure in the United States, including on energy infrastructure, poses a significant threat and could cause major disruptions to day-to-day life, endanger public safety and health, and result in millions of dollars in economic losses. In May of 2021, a ransomware attack on the information technology (IT) systems of the Colonial Pipeline led operators to shut down the pipeline for multiple days out of an abundance of caution, resulting in fuel shortages and consumer panic.

In 2023, President Biden released the National Cybersecurity Strategy to establish a framework to protect critical infrastructure from cyberattacks. In addition, President Biden penned a letter to governors encouraging the adoption of state cybersecurity standards to protect critical energy infrastructure. As the leaders of their states, Governors are ultimately responsible for preparing for and responding to energy emergencies. Governors can defend critical infrastructure from cyber threats by taking a proactive approach to assess cybersecurity resilience, identify gaps, and plan for emergencies. The purpose of this resource guide is to provide an overview of federal and state cybersecurity standards for the energy sector as well as a collection of energy cybersecurity resources from the National Governors Association (NGA), the federal government, and other state focused organizations.

Electric Sector

Federal Standards

Cybersecurity standards for the bulk power system in the United States are governed by the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) Reliability Standards. NERC is a not-for-profit international regulatory authority whose mission is to “assure the effective and efficient reduction of risks to the reliability and security of the grid.” Its standards are enforced in the United States and Canada; portions of Mexico have also adopted NERC standards. In the U.S., NERC derives its authority from the Federal Energy Regulatory Commission (FERC) as the designated Electric Reliability Organization tasked with developing and enforcing mandatory reliability standards. Cybersecurity is covered under NERC’s CIP Reliability Standards. NERC CIP Standards are separated into several topic areas, detailed below. NERC performs periodic audits of grid operators and can levy financial fines for non-compliance. The NERC CIP standards ensure a minimum level of cybersecurity best practices are maintained.

NERC CIP Mandatory Enforced Standards:

  • CIP-002-5.1a   Bulk Electric System (BES) Cyber System Categorization
  • CIP-003-8        Security Management Controls
  • CIP-004-6        Personnel & Training
  • CIP-005-7        Electronic Security Perimeter(s)
  • CIP-006-6        Physical Security of BES Cyber Systems
  • CIP-007-6        System Security Management
  • CIP-008-6        Incident Reporting and Response Planning
  • CIP-009-6        Recovery Plans for BES Cyber Systems
  • CIP-010-4        Configuration Change Management and Vulnerability Assessments
  • CIP-011-2        Information Protection
  • CIP-012-1        Communications between Control Centers
  • CIP-013-2        Supply Chain Risk Management
  • CIP-014-3        Physical Security

State-level Authorities

While few states maintain cybersecurity standards for the distribution system, those that are in place are typically overseen by the public utility commission (PUC). Public utility commissions regulate the rates and services of electric and gas utilities, which also includes jurisdiction over reliability from physical and cyber events. Authorities vary from state to state but most Commissions have authority to review the cybersecurity practices of utilities under their jurisdiction and compel utilities to disclose major cyber breaches that have an impact on meeting electricity demand.

Many public power utilities and rural electric cooperatives are outside of regulatory oversight of states and NERC, and therefore subject to self-regulation. The degree to which they can be regulated by states varies state-by-state. A 2017 study by the National Renewable Energy Laboratory found that the cybersecurity capacity of these smaller utilities varies, with some lacking the resources to facilitate a robust cybersecurity program. In 2022, President Biden penned a letter to Governors encouraging the adoption of state cybersecurity standards for critical energy infrastructure. On behalf of the Council of Governors, Minnesota Governor Tim Walz and Ohio Governor Mike DeWine reinforced the importance of cybersecure energy infrastructure and a whole-of-government approach to cybersecurity in a May 4, 2022 response to the President. The letter recommended a consistent, federally-coordinated approach to cyber standards for the energy sector.

Recognizing the importance of a standardized approach to cybersecurity standards, DOE CESER is currently working with the National Association of Regulatory Utility Commissioners (NARUC) to “establish a set of cybersecurity baselines that states can consider and adopt for distribution systems and distributed energy resources.”

Pipeline Owners and Operators

Federal Standards

On the federal level, cybersecurity standards for pipeline owners and operators are overseen by the Department of Homeland Security Transportation Security Administration (TSA). Prior to the Colonial Pipeline attack, TSA advocated voluntary pipeline cybersecurity standards for two decades. Initial mandatory cybersecurity rules for owners and operators of pipelines were issued in July of 2021 and were updated on July 21, 2022. The 2022 security directive has been deemed sensitive and is not available to the public, but builds upon the initial 2021 directive which requires pipeline owners to:

  • Report confirmed or potential cybersecurity incidents to CISA,
  • Designate a Cybersecurity Coordinator to be available 24 hours a day, 7 days a week,
  • Review current cybersecurity practices, and
  • Identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.


NGA Center Energy Cybersecurity Resources

  • Opportunities for Cybersecurity Investment in the Bipartisan Infrastructure Investment and Jobs Act (IIJA) – This commentary, published by NGA in 2022, discusses the opportunities for states to invest in cybersecurity using funding in the Bipartisan Infrastructure Investment and Jobs Act (IIJA) passed into law in 2021. The IIJA contains about $1.2 trillion in funding towards nearly 400 new and existing infrastructure programs and includes a number of cybersecurity-specific programs, as well as allowing spending from numerous other programs on cybersecurity preparedness and response, which can be integrated into other infrastructure investments.
  • States’ Role in Addressing Foreign Threats in U.S. Critical Energy Infrastructure Sectors (2022) – This issue brief examines the vulnerabilities of critical energy infrastructure sectors and assets to foreign threats and identifies possible actions Governors can take to address those vulnerabilities. Critical energy infrastructure systems, including electric power, natural gas, and petroleum, are the backbone of all other critical infrastructure systems, meaning that an energy supply failure triggered by a cyber-attack could have cascading effects on transportation, water, telecommunications, finance, healthcare and other sectors.
  • Addressing Cybersecurity for Critical Energy Infrastructure through State Governing Bodies (2021) – This paper reviewed eight state efforts to address cybersecurity vulnerabilities of critical energy infrastructure by establishing effective statewide cybersecurity governance bodies.
  • State Energy Toolkit: Addressing Cyber and Physical Threats (2019) – The toolkit offers ideas to help Governors respond to trends as they act in their states to address cyber and physical threats. The guide includes an overview of the technologies and key policy trends; a summary of opportunities, challenges, and key state solutions; and a menu of state policy solutions, spotlighting examples from leading states.
  • State Protection of Critical Energy Infrastructure Information (2019) – This policy scan explores state laws that protect critical energy infrastructure information (CEII) from public disclosure. It also addresses court rulings protecting sensitive data for other infrastructure types and explores how states are protecting shared critical data from cyberattacks and cyber theft. 
  • Smart & Safe: State Strategies for Enhancing Cybersecurity in the Electric Sector (2019) – This white paper outlines seven actions governors can take in order to protect electricity infrastructure and personally identifiable information from cyberattacks. The paper also details roles and responsibilities for key state, industry and federal entities and catalogues important resources.

External Energy Cybersecurity Resources for States

Federal and Industry Websites and Resources

Technical Assistance

The NGA Center for Best Practices will continue to track key energy cybersecurity trends and updates for Governors and their advisors. As this field continues to evolve, NGA Center staff are available to respond to quick turnaround technical assistance requests through policy memos or connections with experts to answer urgent questions. For any energy security, emergency preparedness and cybersecurity technical assistance requests, please contact Dan Lauf (dlauf@nga.org), Jessica Davenport (jdavenport@nga.org), or Steve Fugelsang (sfugelang@nga.org).

This material is based upon work supported by the Department of Energy, Office of Cybersecurity, Energy Security, & Emergency Response under Award Number DE-CR0000011.

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.