The National Cybersecurity Strategy, issued in 2023, directed the U.S. Department of Energy (DOE) to “promote cybersecurity for electric distribution and distributed energy resources (DERs) in partnership with industry, states, federal regulators, Congress, and other agencies.” Because the responsibility for regulating electric distribution utilities lies with the states, DOE partnered with the National Association of Regulatory Utility Commissioners (NARUC) to prepare a set of cybersecurity baselines for electric distribution systems and the distributed energy resources that connect to them. This initiative is intended to identify cybersecurity practices that demonstrably reduce cyber risk to electric distribution systems. Recognizing that states are continuously exploring ways to enhance the reliability, resilience, and security of their critical infrastructures, this initiative also addresses implementation. Such guidance encourages alignment across states that choose to adopt the cybersecurity baselines for their electric distribution utilities. DOE and NARUC formed a steering group composed of regulators, utility and DER representatives, cyber experts, and other stakeholders to assist in the development of the cybersecurity baselines and the implementation guidance.
This initiative is divided into two phases:
- Phase 1: A vetted set of Cybersecurity Baselines for Electric Distribution Utility systems and the DERs that connect to them. Phase 1 is expected to be completed in January 2024.
- Phase 2: Comprehensive Implementation Strategies and Adoption Guidelines that include expert-informed recommendations for prioritizing the assets to which the cybersecurity baselines might apply, based on cybersecurity risk, as well as prioritizing the order in which the baselines might be implemented, based on cyber risk reduction assessments. The guidance will also address risk-based implementation timelines. Phase 2 is expected to be completed in December 2024.