
Protecting Energy Infrastructure: CESER, Partners Publish Cybersecurity Guidance to Mitigate Cyber-Attacks

This draft Interim Implementation Guidance defines Scope and Prioritization of the Cybersecurity Baselines for the Distribution System and Distributed Energy Resources (DERs).

Office of Cybersecurity, Energy Security, and Emergency Response

January 17, 2025

Together with state and industry partners, the Department of Energy's (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has published a draft Interim Implementation Guidance to help states, utilities, and other distribution system owners and operators adopt the Cybersecurity Baselines and strengthen the sector's defenses against cyber-attacks targeting critical infrastructure.

In response to increasingly sophisticated cyber threats, the National Association of Regulatory Utility Commissioners (NARUC) collaborated with CESER to create the Cybersecurity Baselines, a set of cybersecurity best practices for the distribution system. As the second phase of the baselines effort, the interim draft guidance published today addresses two topics for entities that want to implement the baselines:

  1. Scoping: considerations for the minimum set of assets to which the Baselines should apply, based on the risk those assets pose to the distribution system.
  2. Prioritization: an initial priority set of baselines that an asset owner or operator should meet first if all baselines cannot be met at once, allowing states to design progressive implementation approaches.

The baselines effort was broken into two phases. Phase 1, published in early 2024, developed the Cybersecurity Baselines for the distribution system and the DERs that connect to it; Phase 2 is the Interim Implementation Guidance released today. A steering group and tiger teams consisting of state utility regulators, distribution system and DER owners and operators, trade organizations, and energy cybersecurity experts from across the sector and the country assisted in developing both the baselines and the Interim Implementation Guidance.

CESER's release of the Interim Implementation Guidance today is the result of a stakeholder-led effort to focus implementation on the most critical assets and to protect them by applying the highest-priority baselines first. The guidance also encourages states to apply the baselines consistently, harmonizing efforts across state lines to minimize security gaps or overlaps and to reduce the costs that owners and operators would otherwise incur in meeting multiple, inconsistent requirements.

NARUC and DOE created this companion implementation guidance to assist entities that wish to adopt the baselines as the foundation of a cybersecurity risk management program. These entities may be distribution system and/or DER asset owners and operators, state public utility commissions (PUCs) and other oversight bodies, state energy offices, or state legislators.

Stakeholders should use a risk-driven approach to determine which assets the baseline requirements should apply to, balancing the cost, time, and resources needed to implement cybersecurity controls against the risks those assets pose to the grid.

CESER leads the Sector Risk Management Agency (SRMA) work on behalf of DOE for the Energy Sector. In this role, CESER is responsible for coordinating risk management activities that help the sector assess and mitigate risk to energy sector critical infrastructure. As an SRMA, DOE partners with the private sector and state officials on a voluntary basis to maintain open communication and information sharing. The baselines effort is another product of DOE's SRMA responsibilities, providing the sector with voluntary guidance to help it mitigate the cyber risk of distribution systems and distributed energy resources.

The next step is for CESER, NARUC, and stakeholders to develop more detailed implementation guidance for entities interested in adopting the Cybersecurity Baselines as foundational cybersecurity requirements. That guidance will consider both voluntary and mandatory settings and include considerations for stakeholders of differing ownership models, sizes, and maturity levels. Topics such as engagement strategies, compliance approaches, and resource requirements will be included.

A final version of the Implementation Guidance for Cybersecurity Baselines for Distribution Systems and DERs will be released later in 2025. 

Tags:
  • Cybersecurity