The California Public Utility Commissioner determines cost recovery and imposes regulations for the utilities under its remit, meaning that it can substantially influence critical infrastructure risk. To improve its role in safety, the Commission has been putting on Safety en Banc every year for the past few years. Each year is focused on a different subject; this year’s was on infrastructural dependencies and interdependencies as they pertain to safety. The event occurred on October 19th and included three breakout sessions: information and communication, technological change, and regulations. Each session was made up of a panel of experts who were asked a series of questions about their respective topics. Based on our research on the effectiveness of the electric sector’s federal cybersecurity regulations I was invited to participate in breakout session 3, interdependencies and regulation.
The meeting came at an opportune time, since we’re starting a project focused on the role of public utility commissioners in facilitating cyber-resilience (resilience against cyber-attacks and cyber-incidents), with a particular focus on regulatory and infrastructural interdependencies. We chose this focus based on our study findings. Study participants described commissions as powerful stakeholders in governing the electric grid. They also stated that coordinating across infrastructures and regulatory levels inhibited regulatory effectiveness, noting that the electric grid was dependent upon other critical infrastructures not covered by cybersecurity regulations (gas, communications, transport, etc.) and that the standards only covered electric generation and transmission, not distribution. Since commissioners have wide purview over multiple infrastructures they can potentially influence the cyber-resilience of multiple utilities and do so in a way that accounts for interdependences.
A lot was covered during the En Banc. Below are a few key takeaways:
- Safety is everyone’s business. The En Banc had broad representation from members of industry, government, and academia, and there seemed to be agreement that everyone had a role in addressing safety. Specifically, governmental organizations and industry need to work together to provide safety, and academia can provide secondary support in the form of studies and facilitation between stakeholders.
- Regulations are ‘spotty’ across infrastructures. Some industries are heavily regulated and others lightly. For example, the CPUC has regulatory authority over certain infrastructures (electricity) but not others (communications) and certain utilities (noncompetitive monopolies) but not others (competitive companies and those controlled by municipal authorities). Interconnections between infrastructures make this patchwork problematic because it means that risks can spill over from an unregulated industry to a regulated one. This patchwork also makes it very difficult to leverage regulatory capacities to reduce risk.
- Regulations can sometimes hinder safety. Certain regulations were found to hinder safety during emergencies. For example, utilities responding to emergencies across state lines faced burdensome permitting and tax requirements, which if waived could improve emergency response (there were discussions about waving certain regulations during emergencies). Private sector organizations were also afraid to discuss safety and collaborate with the utility commissioner on safety issues for fear that it would lead to increased regulations (this is also something we’ve seen in our research). Creating a safe, neutral space for discussion was floated as a way to alleviate such fears.
- Collaboration is critical but challenging. The need to enhance collaboration was perhaps the main theme to emerge of the meeting. Risks emerge ‘in the cracks’ between organizations and organizational silos, and a number of factors made filling in those cracks difficult. As mentioned previously, the private sector organizations feared that engaging further with regulators would lead to new rules and regulations. This demonstrates potentially competing interests between the two stakeholder groups, with regulators concerned more with safety and industry more with the bottom line. There were also questions about how to imbed safety and collaboration: should organizations create new departments for coordination and collaboration with specific safety focus, or should safety be mainstreamed across other departments? Language difficulties were also described as making communication difficult: each sector had its own (often foreign) jargon and organizational structure that made sector communication and cooperation challenging. Beyond this was also the simple fact that organizations rarely seemed to interact with each other; one stakeholder described interactions between regulated and non-regulated stakeholders as critical but noted that they happened “just once a year” at the En Banc. The incident command system (ICS) was highlighted as a good practice for bridging divides as it allows for a modular and standardized structure for emergency response (ICS is often described as an example of a high reliability organizational structure, but can also be difficult for external actors with which the public to engage). Joint exercises and simulations were also noted as helping to improve interactions and give a space to learn how to collaborate during non-emergency periods.
- There is a need to engage with emerging actors and technologies. Uber and Solar City participated in the En Banc. Both offer infrastructure services, yet before the meeting had not considered themselves critical infrastructure providers. Both can also be utilized to enhance safety: Uber can provide transportation during emergencies; Solar City is a distributed energy platform that could function during bulk power blackouts. These actors, however, do not align well with existing regulatory structures, meaning that structures must adapt to facilitate them. Cyber technologies are similar, since they can be employed to improve safety but could lead to disaster if compromised, and do not always match existing regulations. While there seems to be a need to develop regulations for these actors and technologies, some suggested that regulations could not keep up with these changing profiles.
- Organizations are working to address interconnections and cascade failures, but face challenges in understanding their systems. The president of Pacific Gas and Electric described how infrastructures had been constructed before there was a widespread awareness of infrastructural interdependencies. As a result, water lines were next to gas lines which were next to electricity lines, and a break in one line could compromise the others. PG&E is reducing these interdependencies by separating systems, and is improving infrastructural resilience as a result. Interdependencies can, however, be difficult to discern. A different organization was installing fiber optic cables; being aware of the potential for cascading failures it commissioned a study to determine the best possible route for the cables to minimize multiple concurrent failures. They ended up running three sets of cables in three different geographic locations. All three sets of cables were affected when an earthquake hit the area.
- Safety is just one of a number of competing infrastructure demands. Infrastructure is what keeps society functioning. We could not get to work or school without our transportation infrastructure, hospitals would not function without electricity, and coordination and communication would be seriously hampered without a robust IT and communications network. We also place incredible demands on our infrastructure: we want it cheap, we want it reliable, we want environmentally friendly, and we want it safe. These demands can conflict. At the end of the meeting one participant asked the how the CPUC would address the safety improvements suggested during the meeting. Would it increase its overhead or cut services in another area? There is a serious question of how much we, as a society are willing to pay for safer infrastructure. We need to figure out how to balance competing demands and understand an improvement in one area is facilitated by a sacrifice in another.
The En Banc was in many ways heartening. Organizations are already working hard to address interdependencies and improve safety, and there seem to be a number of relatively easy and low cost solutions to improve safety further, such as involving emergent industry actors in safety activities, developing a list of regulations that could be suspended during emergencies, and creating a neutral space for stakeholders to get together to discuss safety. However, some problems, like balancing safety against competing priorities and coordinating across a large and complex system, are difficult to address and have no clear solutions. These problems are similar to those that stakeholders in developing countries face trying to reduce natural disaster risk. In developing countries risk reduction competes with a host of other priorities; risks and their causes are interconnected, thus requiring coordinated support from all actors across levels and sectors; and those at risk tend not to be the ones creating risk. As in California, actors in developing countries are improving coordination (for example, most developing countries now have departments of disaster management that coordinate DRR across levels and sectors) and in investing in risk reduction (risk reduction is gradually gaining ground over response) but problems still remain and there are large and widespread vulnerabilities creating high levels of risk.