What You Need To Do Now! Even if you aren’t in New York!
When New York Governor Kathy Hochul signed legislation to create cybersecurity protections for the state's energy grid at the end of 2022, she became the first in the nation to sign a measure this strong.
The new legislation, bill A.3904B/S.5579A, requires utility companies to secure critical infrastructure against cyberattacks and strengthens protections for the local distribution system. Additionally, it mandates that utilities include preparation for cyberattacks in their annual emergency response plans.
New York is considered an obvious prime target for potential threat actors because of its role as the financial capital of the world and a major population center. The governor said that she is taking the necessary steps to protect the energy grid, which is the backbone of the state's economy. “Millions of New Yorkers depend on reliable electric service, and this new legislation ensures a smooth transition to clean energy,” said Hochul.
The legislation was a response to President Joe Biden’s call for states to set minimum cybersecurity requirements for critical infrastructure, including the energy system. Many states are expected to follow in New York’s footsteps and pass similar legislation this year.
There is a wide range of known malware strains capable of taking down an electric grid. As SCADAfence has reported before, Pipedream, also known as Incontroller, is a custom-made, modular ICS attack framework that could be leveraged to cause disruption, degradation, and possibly even destruction, depending on the targets and the environment. Several strains of malware, including BlackEnergy and NotPetya, have been used against Ukraine going back as far as 2015.
Even before the legislation goes into effect, other states are planning to pass similar legislation of their own. In addition, new national legislation is being proposed that would require companies to report attacks against their electric grid to CISA within 72 hours.
Six Steps To Implement Now
Preparing for the new legislation will take time. It's important for electric utilities to begin now to determine their current level of compliance with the new laws and enact a plan to improve their cybersecurity posture.
SCADAfence recommends implementing or strengthening a cybersecurity plan now, even if you are located outside of New York state.
1. Create a comprehensive OT inventory
Step one in securing an electric grid, as for any critical infrastructure or industrial facility, is to understand what it is that you are protecting. Therefore, it's important to gather a comprehensive, detailed inventory of every device on your OT/ICS network. This requires having a tool in place that gives you 100% visibility.
2. Conduct a cybersecurity risk assessment
Electric companies should conduct a comprehensive cybersecurity risk assessment to identify vulnerabilities and assess risk exposure. This will help prioritize cybersecurity efforts and allocate resources to address the most critical risks. Tailored threat intelligence that helps determine which known vulnerabilities are most likely to affect you is a key component of assessing your risk.
3. Develop a detailed response plan
Once the cybersecurity risks have been identified, electric companies should develop a cybersecurity plan that outlines the steps they will take to mitigate those risks. This plan should be integrated into the company's emergency response plan and should include protocols for responding to a cybersecurity incident. Decide which known vulnerabilities require mitigation through patches or upgrades.
4. Train employees
Employees are often the weakest link in an organization's cybersecurity defenses. Electric companies should provide cybersecurity training to their employees to ensure they are aware of the risks and understand how to prevent cyberattacks. Enact policies throughout the organization, such as no password sharing, and enable multi-factor authentication to help prevent breaches. Teach employees how to spot phishing emails. Further, make sure employees understand how malware that gains a foothold in the IT network can penetrate into the OT network to cause further damage.
5. Invest in OT cybersecurity solutions
Electric companies should invest in cybersecurity technology to protect their critical infrastructure against cyber threats. This may include firewalls, intrusion detection systems, and endpoint protection software. Again, gaining 100% visibility will be a key component of any strategy. SCADAfence has prepared a company-agnostic guide to choosing an OT security solution. Download it now.
6. Conduct regular cybersecurity audits
To ensure compliance with the new legislation and maintain the strongest possible cybersecurity posture, electric companies should conduct regular cybersecurity audits. These audits should evaluate the effectiveness of your current cybersecurity controls and identify areas where improvements can be made.
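As an added illustration of how steps 1 and 2 fit together (example code written for this page, not SCADAfence tooling and not any utility's records), the script below builds an OT inventory from passively observed traffic and compares it with a declared baseline. The observation lines, the baseline and the protocol names are all constructed; in practice the observations would come from your own monitoring tool.

```python
"""Build an OT asset inventory from passive observations and flag gaps.

Constructed example: observation lines and baseline are made up for
illustration and are not SCADAfence data or a utility's real inventory.
"""
from collections import defaultdict

# Constructed passive-monitoring observations, one per line:
# "src,dst,protocol,function" as a monitoring sensor might report them.
OBSERVATIONS = """\
10.10.1.5,10.10.2.20,modbus,read_holding_registers
10.10.1.5,10.10.2.21,modbus,write_single_register
10.10.1.9,10.10.2.20,dnp3,read
10.10.3.77,10.10.2.21,modbus,write_multiple_registers
10.10.1.5,10.10.2.22,modbus,read_coils
"""

# Constructed baseline: devices the utility already knows about (step 1).
BASELINE = {
    "10.10.1.5": "HMI",
    "10.10.1.9": "SCADA master",
    "10.10.2.20": "RTU-20",
    "10.10.2.21": "RTU-21",
}

# Functions that change process state; a source outside the baseline
# issuing these is the first thing a risk assessment should prioritize.
WRITE_FUNCTIONS = {"write_single_register", "write_multiple_registers",
                   "write_coil", "operate"}


def build_inventory(obs_text):
    """Map every host seen on the wire to its protocols and peers."""
    inv = defaultdict(lambda: {"protocols": set(), "peers": set()})
    for line in obs_text.strip().splitlines():
        src, dst, proto, _func = line.split(",")
        for host, peer in ((src, dst), (dst, src)):
            inv[host]["protocols"].add(proto)
            inv[host]["peers"].add(peer)
    return dict(inv)


def find_gaps(obs_text, baseline):
    """Return (hosts missing from the baseline, writes from unknown hosts)."""
    unknown = sorted(h for h in build_inventory(obs_text) if h not in baseline)
    risky = []
    for line in obs_text.strip().splitlines():
        src, dst, proto, func = line.split(",")
        if func in WRITE_FUNCTIONS and src not in baseline:
            risky.append((src, dst, proto, func))
    return unknown, risky
```

Any host in `unknown` is a visibility gap to close in the inventory; entries in `risky` are the findings to put at the top of the risk assessment and response plan.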
By taking these steps, electric companies can help to protect their critical infrastructure against cyber threats and comply with the new legislation in New York.
If you are interested in getting more information about how SCADAfence can help you improve your organization’s cybersecurity, request a demo today.