In a recent report, the National Governors Association (NGA) detailed what practices governors can follow to establish effective cybersecurity governance bodies that support critical infrastructure cybersecurity, with a specific focus on the energy sector.
The report was based on NGA’s review of eight states, which NGA says have made “a concerted effort to address vulnerabilities facing the cybersecurity of the critical energy sector through a statewide governance body.” The states reviewed in the report are Indiana, Texas, Missouri, Iowa, Louisiana, Maryland, South Carolina, and Washington.
NGA said that in those eight states the statewide governance bodies have been tasked with developing recommendations for policymakers; identifying best practices; providing strategic direction on cybersecurity plans for state agencies; recommending training for state employees; and addressing state-specific cybersecurity workforce or professional development issues.
From its review of the eight states, NGA identified practices that it says governors may want to consider as they look to expand or create their own governance body focused on critical infrastructure cybersecurity. The practices are:
- “Include critical infrastructure agencies and owners/operators on the board;
- If the body is in perpetuity, regularly conduct environment surveys and analyze trends related to the cyber posture of the critical infrastructure landscape to stay abreast of the latest threats;
- Collect and share best practices with critical infrastructure owners and operators in the state;
- Consider reviewing emergency response or business continuity plans for utility companies;
- Consider interdependencies among critical infrastructure sectors; and
- Consider interdependencies between neighboring states or countries.”
When examining existing governing bodies, NGA says that governors should incorporate a mix of three approaches that have proved successful in the states reviewed. The three approaches are:
- “Develop a strategic plan that either improves the state’s cybersecurity posture generally or addresses specific cybersecurity challenges within the state;
- Develop recommendations and continuously advise the Governor on cybersecurity issues; and
- Assess the cybersecurity preparedness of state agencies or industries within the state; or identifying and detecting threats and implementing recommendations.”
The report also argues in favor of taking a cross-functional approach to improving critical infrastructure cybersecurity. Specifically, NGA says that cyber governance bodies should likely include representatives from state information technology departments, homeland security offices, emergency management agencies, the National Guard, state fusion centers, state energy offices, utility companies, public utility commissions, state departments of transportation, the education community, commerce departments, and tax commissioners. In addition to state stakeholders, NGA said states may want to include members from the private sector, local governments, and Federal agencies, as well as critical infrastructure owners and operators.
The report also detailed what specific responsibilities the government bodies should be given. NGA says the governing bodies should be tasked with:
- Incorporating utilities into state emergency response planning efforts;
- Recommending how to manage cyber risks to critical infrastructure assets and data;
- Formalizing strategic cybersecurity partnerships across the public and private sectors;
- Improving threat information sharing between private and public critical infrastructure owners and operators;
- Recommending and promoting cyber awareness training for the state’s electric sector;
- Identifying best practices on trainings and cyber exercises; and
- Evaluating existing statutes – such as open records exemptions or cybercrime enforcement – for needed updates given cyber risks.
