Addressing Cybersecurity for Critical Energy Infrastructure through State Governing Bodies

This paper addresses practices Governors can follow to establish effective cybersecurity governance bodies that support critical infrastructure cybersecurity, with a focus on the energy sector.


Executive Summary

This paper reviews eight states that have made a concerted effort to address vulnerabilities facing the cybersecurity of the critical energy sector through a statewide governance body. These statewide governance bodies are tasked with developing recommendations for policymakers on a host of issues; identifying best practices; providing strategic direction on cybersecurity plans for state agencies; recommending training for state employees; and addressing cybersecurity workforce or professional development issues in the state. This paper addresses practices Governors can follow to establish effective cybersecurity governance bodies that support critical infrastructure cybersecurity, with a focus on the energy sector.

Governors may want to consider the practices below when expanding or creating a governance body to focus on critical infrastructure cybersecurity:

  • Include critical infrastructure agencies and owners/operators on the board;
  • If the body exists in perpetuity, regularly conduct environment surveys and analyze trends related to the cyber posture of the critical infrastructure landscape to stay abreast of the latest threats;
  • Collect and share best practices with critical infrastructure owners and operators in the state;
  • Consider reviewing emergency response or business continuity plans for utility companies;
  • Consider interdependencies among critical infrastructure sectors; and
  • Consider interdependencies between neighboring states or countries.

Cybersecurity Governance Bodies: Common Approaches to Address Critical Energy Infrastructure

Governors have the authority to set their states’ cybersecurity strategies and often delegate that responsibility to a central governance body. The type of body a Governor creates should account for state needs and typically includes holistic representation from sectors that have a stake in the state’s cybersecurity governance ecosystem. An examination of existing bodies indicates that Governors incorporate a mix of three approaches when creating a governance body, tasking it to:

  1. Develop a strategic plan that either improves the state’s cybersecurity posture generally or addresses specific cybersecurity challenges within the state;
  2. Develop recommendations and continuously advise the Governor on cybersecurity issues; or
  3. Assess the cybersecurity preparedness of state agencies or industries within the state, or identify and detect threats and implement recommendations.

Experts recommend a cross-functional approach to improve cybersecurity governance for a state’s critical energy infrastructure, with representation from pertinent agencies. Cyber governance bodies may include representatives from state information technology departments, homeland security offices, emergency management agencies, the National Guard, state fusion centers, state energy offices, utility companies, public utility commissions, state departments of transportation, the education community, commerce departments, tax commissioners, and others. In addition to state representatives, states may include members from the private sector, federal agencies (e.g., FBI, DHS), local governments, critical infrastructure owners and operators, and other experts.

Governors base their cyber governance bodies’ roles and responsibilities on the needs of the state and may consider specific needs of critical energy infrastructure as they assign them. To improve critical infrastructure security, Governors typically task these bodies with:

  • Incorporating utilities into state emergency response planning efforts;
  • Recommending how to manage cyber risks to critical infrastructure assets and data;
  • Formalizing strategic cybersecurity partnerships across the public and private sectors;
  • Improving threat information sharing between private and public critical infrastructure owners and operators;
  • Recommending and promoting cyber awareness training for the state’s electric sector;
  • Identifying best practices on trainings and cyber exercises; and
  • Evaluating existing statutes – such as open records exemptions or cybercrime enforcement – for needed updates given cyber risks.