States can play greater role in shaping grid cybersecurity, NGA says

Many states have created dedicated task forces and other bodies focused on protecting power utilities from cyberattacks, a new NGA report shows.
electrical substation
(Getty Images)

State governments can improve the resiliency of grid operators and other utilities against cyberattacks by forming policy committees and advisory boards that bring together policymakers, technology and emergency management officials and industry representatives, according to a paper published this week by the National Governors Association.

Many states have already started taking these steps, creating governance bodies that develop strategic plans for dealing with cyberthreats, advising governors and assessing the preparedness of agencies and critical infrastructure facilities. By roping in multiple sectors, these groups help advance the “whole-of-state” approach that the NGA has been promoting over the past few years.

NGA’s report highlights eight states that have either created dedicated energy-sector working groups or subcommittees in existing cybersecurity boards as models of this behavior. NGA press secretary James Nash told StateScoop the report shows that cybersecurity isn’t strictly an IT concern.

“Cyber is no longer an IT issue alone, if it ever really was,” he said. “A cyberattack that would disable electrical system would have an order of magnitude greater than one targeting state computers or the private sector.”


Indiana, one of the states highlighted in the report, added an energy committee to its Executive Council on Cybersecurity. Since 2017, the committee has created a database of energy companies operating in the state, relevant contacts at their facilities and how they manage cybersecurity. That database, which is shared with the Indiana Public Utility Commission, includes more than 85% of the state’s utility companies and is also used to conduct an annual survey of the industry to assess overall risk.

The Indiana committee also shares information continuously with both the Multi-State Information Sharing and Analysis Center — the cybersecurity network for state and local governments — and the industry-specific E-ISAC.

Other states’ efforts date back even further, according to the NGA report. Washington state in 2011 created an Energy Coordinating Council as part of a state committee on homeland security. Over the years, the council — which includes representatives from electric and gas utilities, as well as officials from state commerce, transportation and public utilities agencies — has sponsored activities like penetration testing and tabletop exercises that draw in the participation of other agencies, including the Washington National Guard.

The council disbanded in 2015, but much of its work has continued to evolve under the National Guard and local public utility districts, including in Snohomish County outside Seattle, which operates the state’s largest publicly owned power system. Last year, the Snohomish PUD and National Guard launched a pilot program to increase cybersecurity awareness in local governments and provide risk assessments and vulnerability remediation to those organizations, according to the NGA report.

The report went on to praise similar efforts in Iowa, Louisiana, Maryland, Missouri, Texas and South Carolina, all of which have standing task forces or other bodies focusing on grid cybersecurity. Several more include utility industry representatives in their statewide cybersecurity councils.


The NGA paper’s release comes a few days after the North American Electric Reliability Corp., which regulates the grid in the United States and Canada, said one-quarter of the roughly 1,500 utilities that share data with it installed a malicious backdoor for SolarWinds software, which the U.S. government said was the work of Russian intelligence agents.

While none of those utilities reported any malfunctions due to the SolarWinds campaign, Nash, the NGA press secretary, said it reinforces the attention state governments need to give to their local infrastructure operators’ security.

“You have to be aware of any disruption in the power supply,” he said. “Cyber encompasses not just prevention but minimizing the severity on the public. Make sure there are no weak links.”

Latest Podcasts