We read in the news weekly, sometimes daily, about advanced, persistent cybersecurity threats from nation-states, and we are constantly evolving our thinking to innovate against these threats. Cybersecurity is a critical component for the secure and reliable operation of electric power systems and an important priority for Congress. The Senate held a hearing two weeks ago on the status and outlook for cybersecurity efforts in the energy industry.

One of the issues most critical to the cybersecurity challenges we face in the energy industry today is the act of balancing regulation and innovation in addressing cybersecurity threats. There are clear and obvious needs for cybersecurity standards and regulation, but they can also create challenges for addressing cybersecurity threats.

Regulations are often implemented as a reaction to an undesired event. Developing a regulation may be fine to address static situations, but cyber is a dynamically changing environment. As soon as a regulation is enacted to address a specific issue or event, bad actors are already looking for other avenues of exploitation.

Regulations also have the capacity to limit how an institution may go about solving a problem. For example, if a new and innovative solution does not conform to regulations but is the best way to address a security element at a company, the company may choose not to employ the solution, or worse, be fined for noncompliance if they chose to use that solution. Further, regulations will never be able to anticipate new and innovative solutions. For example, NERC CIP-005-5 requires multifactor authentication for all Interactive Remote Access sessions. What happens when new and potentially more effective authentication methods are developed?

Innovation and regulation do not have to be at odds with each other. We need to work together to find ways to continue fostering critical innovation that outpaces our adversaries.