U.S. NATIONAL ASSOCIATION OF REGULATORY UTILITY COMMISSIONERS
The USAID-NARUC Cybersecurity Evaluative Framework for Black Sea Regulators is an easy-to-use tool designed to help regulators evaluate utilities' cybersecurity preparedness.
2017 · 26 pages

Abstract
The framework is a structured mechanism for Black Sea regulators to assess utilities' answers and make holistic judgments about their preparedness and areas for improvement. Regulators play a crucial role in aligning cost-recovery with the public interest, ensuring that investments made by traditionally monopolistic companies align with various policy objectives, such as affordability, reliability, safety, and security. In the context of cybersecurity, regulators will continue to be "before" and "after" people, setting targets in line with policy objectives and periodically evaluating utilities' performance. The framework aims to help regulators perform basic quantitative assessments of utilities in core cybersecurity categories, such as planning, procurement, personnel, and policies, by using largely qualitative responses from the Primer questions. The framework then allows regulators to synthesize each section into an overall evaluation highlighting strengths, areas for further development, areas of resistance, and areas for further exploration. The framework has been informed by the role of the economic regulator and is designed to provide an organized approach for regulators to take a utility's answers on a wide range and scope of questions and to consolidate them into a single and holistic analysis. Regulators should have a basic understanding of what good answers look like, including reviewing the NERC Critical Infrastructure Protection (CIP) Standards and the NIST Cybersecurity Framework. The framework is similar to the US Department of Energy's Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), a self-evaluation tool used by utilities to measure and improve their cyber capabilities. While the framework will not produce a precise figure or allow for easy comparison across utilities, its function is to afford regulators a holistic assessment of how developed and sophisticated a utility's approach is with regard to cybersecurity. Regulators will use the framework to evaluate utilities' answers and make holistic judgments about their preparedness and areas for improvement. The framework will help regulators to identify areas where utilities need to improve their cybersecurity posture and to develop strategies to address these gaps. By using the framework, regulators can ensure that utilities are taking a proactive approach to cybersecurity and are prepared to address potential threats. The framework is designed to be a systematic and structured mechanism for Black Sea regulators to evaluate utilities' answers and make holistic judgments about their preparedness and areas for improvement. The framework has been tailored to the specific challenges of cybersecurity and the unique role of the economic regulator. By using the framework, regulators can ensure that utilities are taking a proactive approach to cybersecurity and are prepared to address potential threats.
Connected topics
Classification
USAID DEC