Cybersecurity Regulations in the Energy Industry: A Detriment or a Benefit?
Electrical entities are attractive targets for malicious actors given their significance and necessity in modern critical infrastructure. Maintaining the reliability of the electric grid is essential, making good cybersecurity practices necessary within the energy industry to ward off potential cyberattacks and maintain the functionality of electric systems. The North American Electric Reliability Corporation (NERC), an international organization serving the United States of America and parts of Canada and Mexico, is a regulatory authority that aims to reduce risks to the electric grid. To address security risks, the NERC created the Critical Infrastructure Protection (CIP) reliability standards, a series of legally enforceable security requirements that electrical entities must follow [1]. Opinions surrounding legal and regulatory involvement are mixed, and the use of regulations to improve security is questioned. This qualitative study interviewed professionals within the energy industry to gather opinions and experiences involving the NERC CIP standards. Data was analyzed using the inductive content analysis approach to identify common themes and topics within the responses collected from participants during the interview process. The findings note areas where the NERC CIP regulatory standards excel in improving security, as well as areas where the interviewed professionals experienced issues or suggested potential improvements.
Introduction
Critical infrastructure industries are greatly relied upon to maintain modern society. The Cybersecurity & Infrastructure Security Agency (CISA) has identified 16 critical infrastructure sectors that are deemed so vital that their compromise would pose a threat to national security, economic functions, and public health and safety. Of these 16 critical infrastructure sectors, four have been identified as lifeline functions: water, communications, energy, and transportation [1]. Lifeline functions are critical infrastructure sectors deemed so critical that a loss of their functionality would compromise the functions and security of the other critical infrastructure sectors [2]. With energy being a lifeline function, maintaining its security, reliability, and operability is paramount.
The Federal Energy Regulatory Commission (FERC) recognized the criticality of North American electrical infrastructure and created the North American Electric Reliability Corporation (NERC) to act as a regulatory entity for the energy industry and to facilitate the exchange of security information and techniques between energy entities to strengthen security within the industry. The NERC created the Critical Infrastructure Protection (CIP) standards to regulate and enforce security practices for the Bulk Electric System (BES). The CIP standards, initially consisting of 8 standards, became enforceable in 2008, with each standard containing its own unique requirements. Since then, the CIPs have been expanded to 13 standards [3].
While the NERC CIP standards have been widely implemented throughout the American energy industry, they are not without their flaws. This study aims to gather the perspectives and experiences of cybersecurity and compliance professionals within the energy industry to determine the effectiveness of the NERC CIP standards. Additionally, this study is concerned with the language, missing definitions, and inconsistent interpretations of the standards that can influence the implementation and enforcement of cybersecurity controls. By examining the experiences and perspectives of cybersecurity and compliance professionals, challenging areas can be identified and improved to better secure the BES [4], [5].
When compared to the cybersecurity regulations of other critical infrastructure industries, the NERC CIP standards are much better developed. For example, the American Water Works Association (AWWA) commissioned a report in 2021 to examine the effects of implementing industry-wide cybersecurity standards within the water and wastewater industry. The report noted that the NERC CIP standards can act as a framework for developing cybersecurity regulations for the water industry [6]. With other critical infrastructure industries looking towards the NERC CIP standards for guidance, and the heavy reliance on the energy industry as a lifeline function, a further examination of the NERC CIP standards can offer insight into improving existing cybersecurity regulations and into developing future regulations in other critical infrastructure industries.
Related Works
NERC CIP and BES Security
On November 9th, 1965, 30 million people across New York, New Jersey, Pennsylvania, Connecticut, Massachusetts, New Hampshire, Rhode Island, Vermont, and Ontario were left without power for 13 hours, in an event that came to be called the northeast blackout. With the effects of the northeast blackout being felt in many aspects of life, and another smaller blackout occurring on June 5th, 1967, the Electric Power Reliability Act of 1967 was created. In 1968, the National Electric Reliability Council was formed and later renamed the North American Electric Reliability Corporation (NERC); it was created to improve the reliability and resilience of the interconnected electric system [7].
The largest North American blackout occurred on August 14th, 2003, affecting 50 million people across the northeastern and midwestern United States as well as Ontario, Canada. The 2003 blackout led to the creation of the Critical Infrastructure Protection Committee in 2004, which created Version 0 of the Reliability Standards in 2005. Later in 2005, the Energy Policy Act was passed, which made compliance with the reliability standards enforceable and mandatory. In 2008, the first version of the Critical Infrastructure Protection (CIP) standards was approved by the FERC [3].
Blackouts are not the only threats to the electric grid. Cyberattacks have been used to cripple energy systems, such as the Black Energy 3 (BE3) attack. On December 23, 2015, the Ukrainian power system was compromised by BE3 through human-machine interfaces (HMIs), which were used to send false commands to circuit breakers. The result of the BE3 attack was a 6-hour power outage for 225,000 Ukrainians. 50 substations were affected by the event and required technicians to be on site to manage the system through manual controls [8]. The 2015 Ukraine power grid attack was followed by another attack on December 17th, 2016, utilizing malware known as Crashoverride or Industroyer. While the 2016 attack was not as impactful, leaving some Ukrainians without power for one hour, it raised further concerns. Instead of targeting HMIs like BE3, Crashoverride directly affected operational technology (OT) equipment by utilizing communication protocols specifically designed for the energy industry. The refinement of the 2016 attack demonstrated that attackers were gaining further knowledge of how the energy industry operates, leading to more refined strategies that could cause more damage to power systems [9], [10].
Cyberattacks can threaten the reliability and resilience of power systems, which are necessary to ensure the comfort and safety of millions of people. Major power outages can threaten lives and lead to catastrophic results for energy customers. For example, in February 2021, Texas experienced freezing temperatures for six days. Due to the unexpected and unusually cold temperatures, Texan energy demand rose beyond what could be met by power generation systems, causing generation outages. With the integrity of the power system threatened, the Electric Reliability Council of Texas (ERCOT) began executing load shedding, deliberate power outages intended to prevent the system from becoming overloaded or damaged. The result was a loss of power for 10 million people for up to 96 hours, contributing to at least 210 deaths [11]. The event caused a temporary surge in energy prices for those who still had power, with wholesale electricity costs increasing to 100 times the usual rates and natural gas prices increasing to 170 times the usual rates [12].
Regulations in Other Critical Infrastructure Industries
While the energy sector is one of the 4 lifeline sectors and one of the most important critical infrastructure industries, this does not discount the importance of the other 15 critical infrastructure sectors. All 16 critical infrastructure industries are necessary to maintain modern society, and since their reliability and operability are essential, cybersecurity plays a role in maintaining these functions.
Besides the NERC CIP standards, one of the most notable regulations is the Health Insurance Portability and Accountability Act (HIPAA) for the healthcare sector, which was enacted in 1996. HIPAA was created to improve information sharing between healthcare providers and insurers while maintaining patient confidentiality. Part 164 of HIPAA, Security and Privacy, provides security requirements that aim to maintain the confidentiality, integrity, and availability of health information. The requirements address general, administrative, physical, technical, and organizational security, including topics such as access management, security awareness training, risk management, password management, disaster recovery, device disposal, and identity verification [13], [14]. Opinions surrounding HIPAA are generally mixed, with some praising HIPAA for implementing new technology with the goal of better serving patients, while others argue that the heavy focus on data privacy and the potential monetary fines for noncompliance draw attention away from patient care [15], [16]. One study found a higher mortality rate for patients with myocardial infarction if they were treated in hospitals that had experienced data breaches [17].
The chemical sector in the United States has cybersecurity requirements set by the Chemical Facility Anti-Terrorism Standards (CFATS), which became effective on April 9th, 2007. CFATS requires the creation of security policies and procedures to address security topics such as configuration change management, electronic access controls, security awareness training, network monitoring, incident response and reporting, and disaster recovery. While CFATS set requirements for security practices, policies, and procedures, it has been scrutinized for a lack of training and a heavy focus on physical security with little guidance for cybersecurity. A Congressional sub-committee attempted to amend CFATS in July of 2023, but all amendments were rejected, leading the CFATS program to expire as of July 28th, 2023 [18], [19].
The water and wastewater industry has also seen some attempts to implement cybersecurity requirements and regulations. Under Section 2013 of the America’s Water Infrastructure Act of 2018, water system entities that serve more than 3,300 people are required to maintain an emergency response plan that has “…strategies and resources to improve the resilience of the system, including the physical security and cybersecurity of the system [20].” The entity that oversees the water and wastewater industry is the U.S. Environmental Protection Agency (EPA). On March 3rd, 2023, the EPA issued a memorandum stating that cyberattacks against water systems were increasing, leading to the decision to include cybersecurity evaluations of operational technology in sanitary surveys, which are audits that review a water entity’s system to ensure that it can produce clean drinking water [21]. The EPA’s initial memorandum led to a legal dispute, which eventually resulted in the EPA withdrawing the cybersecurity review on October 11th, 2013 [22].
While the EPA’s introduction of cybersecurity evaluations failed, the industry is making progress towards industry-wide cybersecurity regulations. On April 14th, 2014, the bill “To establish a Water Risk and Resilience Organization to develop risk and resilience requirements for the water sector” was proposed to Congress. The goal of the bill is to create a regulatory entity for the water industry known as the Water Risk and Resilience Organization (WRRO). The WRRO would act as a regulatory entity for the water industry, providing cybersecurity standards and guidance to water entities, much as the NERC does for the energy industry [23].
Cybersecurity Awareness and Human Performance
While the U.S. electric grid is a technical marvel of the modern world, it is also a sociotechnical system that is impacted by the decisions and actions of individuals, groups, and society as a whole. Like the electric grid, cybersecurity controls are often technical, but social aspects can greatly impact their effectiveness. Vulnerabilities and errors can be caused by poor behavior, bad security hygiene, human error, and lackluster security training, which demonstrates a need to examine the potential influence of the human element [24].
Gaining managerial buy-in for cybersecurity programs can be difficult; however, the NERC CIP standards have been able to gain attention due to the hefty fines associated with noncompliance. The potential financial impact and negative publicity associated with cyberattacks have led corporate leadership to invest more time, money, and effort into compliance with regulatory standards. Additionally, the NERC CIP standards have impacted the structure of the physical grid. Some electrical entities have restructured their systems to reduce the number of assets that fall under the regulations. One example of this restructuring is that 25% of electrical entities removed black start systems, which are used to recover from partial or total shutdowns of transmission or generation systems; their removal can impact the reliability and operability of the BES [25].
There is also a gap between the technological requirements of IT and OT security within energy organizations. OT and ICS devices present new risks in terms of operability and safety. Additionally, some knowledge of electrical engineering may be required to fully understand a device’s purpose and its impact on the grid. These unique knowledge requirements for cybersecurity professionals working with the NERC CIP standards can make it difficult to find adequate talent, which is further exacerbated by a preexisting shortage of cybersecurity talent. With limited qualified professionals available to complete these tasks, current employees may feel rising pressure and workloads, leading to burnout, cybersecurity fatigue, and a reduction in performance quality [25], [26].
Problem Statement and Research Questions
Problem Statement
The problem this study addresses is that NERC CIP compliance professionals in the energy industry are hindered from effectively implementing cybersecurity controls required by the NERC CIP standards due to missing definitions of specific terminology and inconsistent interpretations of the standards [27].
Research Question
What are the common issues that hinder NERC CIP compliance professionals from effectively implementing cybersecurity controls required by the NERC CIP standards due to missing definitions of specific terminology and inconsistent interpretations of the standards?
Methodology
Method
The research method selected for this study is a qualitative exploratory approach. The exploratory approach allows for an examination of a topic that has little existing academic research or literature, which is the case for the NERC CIP standards. Exploratory research is also a flexible method that allows new insights to be discovered, enabling further extraction of new information from participant experiences. By using the exploratory research methodology, participants are free to discuss their perspective on the subjective matter of the NERC CIP standards, with a thorough examination revealing common patterns, themes, and topics within participants’ responses [28].
Population and Sample
The population for this study includes those with extensive knowledge and experience with the NERC CIP regulations; however, exact NERC membership numbers are not publicly available, making it difficult to obtain the population size. An estimate can be obtained by assuming that each entity under the NERC employs a minimum of one NERC CIP expert with an additional employee as a backup. The NERC membership list contains over 500 companies, making the minimum estimated population 1000 people [29]. The population was further refined by limiting participants to the Midwest Reliability Organization (MRO) region, one of the six reliability regions under the NERC. The MRO reports a membership count of 97 electrical entities. Using the previous estimate of one primary and one backup NERC CIP knowledgeable employee per entity, the population for this study within the MRO region is estimated to be a minimum of 194 people [30]. A sample size of 10 participants was selected, with each participant being employed in the MRO region and having a minimum of five years of experience working with the NERC CIP standards.
Data Analysis
The inductive content analysis method was used for this study. Inductive content analysis is used to identify patterns in qualitative data, including themes, terminology, and ideas. This method allowed common challenges to be identified by those who work with the NERC CIP standards. Data was collected through interviews conducted over Zoom. Interviews were recorded and transcribed, with transcriptions made in Microsoft Word. Data analysis was then performed using a program called MAXQDA 24. Following the inductive content analysis process, the transcripts were reviewed, allowing initial codes to be defined. The transcripts were reviewed again, and further codes were created; this cycle was repeated as the inductive content analysis process prescribes. After coding was completed, the coded segments were analyzed and correlated to their related NERC CIP standards. Themes and patterns were then identified, and finally, the results were visualized through a diagram of the codes and code frequency tables.
Results, Interpretation and Applications
Results
Prior to conducting the interviews for data collection, a mock interview was conducted with an operational technology systems analyst who met the requirements for participation. The mock interview was performed to test the interview and data collection procedures. The mock interview revealed that the interview was kept within an appropriate time frame, interview questions were relevant to the topic, and the selected technologies were functioning as intended, which included Zoom, Microsoft Word, and MAXQDA 24. The data collected from the mock interview was not included in the study and therefore is not part of the findings or results of this study.
During the data analysis process, the inductive content analysis method was followed, allowing for an iterative process in which transcripts were reviewed and further codes and sub-codes were defined. Fig. 1 shows the coding map and the interconnections between each code. Coding began with identifying four primary codes: security concepts, participant information, NERC CIP information, and audit concepts. Further codes were then classified as sub-codes of the primary codes.
Fig. 1. Code map diagram.
Upon completion of the coding process, themes were identified based on the frequency of the primary codes and related sub-codes. Table I shows the list of identified themes which include the theme name, related sub-codes, number of times the codes were used, and the frequency of the codes. Theme 1 is titled NERC CIP Interpretations, which includes the codes Definitions and Terminology. This theme addresses participants’ interpretations of the NERC CIP standards, including their opinions on unique terminology. Theme 2 is titled Baseline Security Practices, which includes the codes Regulations in Other Industries and Performance vs. Goal Based Compliance. This theme addresses the applicability of the NERC CIP standards in other critical infrastructure industries as well as different compliance models, primarily performance-based and goal-based compliance. Additionally, this theme includes discussions of how the NERC CIP standards are used to set minimum expectations of security within the energy industry.
Table I. Identified themes, related codes, and code frequencies.

Theme # | Related codes | Times used | Frequency
---|---|---|---
Theme 1: NERC CIP Interpretation | Definitions, Terminology | 53 | 9.0%
Theme 2: Baseline Security Practices | Regulations in Other Industries, Performance vs. Goal Based Compliance | 46 | 7.8%
Theme 3: CIP-007 | Patch Management, Malicious Code Detection | 30 | 5.1%
Theme 4: Security Conflicts | IT/OT Conflicts, Compliance Conflicts | 28 | 4.8%
Theme 3 is titled CIP-007, which includes the codes Patch Management and Malicious Code Detection. This theme addresses security practices and controls used to meet CIP-007 requirements, such as the application of software and firmware patches as well as tools used to detect malicious code or programs. Theme 4 is titled Security Conflicts, which includes the codes IT/OT Conflicts and Compliance Conflicts. This theme addresses conflicting concepts between IT and OT environments as well as security controls that electrical entities wish to deploy but cannot because of conflicts with the NERC CIP standards.
Interpretation and Applications
Regarding the relation between the findings and the research question, as well as Theme 1, participant responses were mixed. Some participants believed that the terms are well defined while others saw them as vague, which can lead to subjective and conflicting interpretations from auditors and professionals within the industry. While there are issues with terminology and definitions, participants found these flaws understandable since looser definitions give room for some flexibility, allowing organizations to implement controls that best suit their ICS and OT environments.
Theme 2 related closely to the concepts discussed in the related literature, with participants agreeing that other industries, such as the water and wastewater industry, are looking towards NERC CIP for guidance with cybersecurity regulations. Participants believed that the NERC CIP standards offer a good framework for cybersecurity concepts in OT and ICS environments, and that since the standards became legally enforceable, they have seen significant improvements in their respective organizations. Participants also noted that the current compliance structure of the NERC CIP standards, with its performance-based compliance methodology, does little to promote further development and growth of security programs. Multiple participants suggested that the standards should be moved to a goal-based compliance methodology, which would allow unique goals to be set for each organization rather than a set list of metrics that need to be met. Based on these responses, a sound methodology can be developed to encourage further growth in the energy industry while also giving guidance to other critical infrastructure industries. The performance-based methodology can be used to review basic security controls, which can act as initial guidance for other industries by giving the minimum expectations for security. The goal-based methodology can then be used for organizations with developed security programs to promote further improvements and growth.
The most frequently discussed CIP standard was CIP-007, which is reflected in Theme 3 and is consistent with the NERC’s own reporting that CIP-007 had the most reported cases of noncompliance during the first half of 2024 [31]. Participants noted the challenges associated with tasks related to CIP-007, specifically the large workloads that come with collecting documentation and the structured time frames allowed for patch implementation. Participants noted that the inability to deploy IT practices within their OT environments created a separation between the two business units. This led to professionals developing multiple skillsets to handle work associated with OT security and compliance tasks. With the same team working on a variety of tasks, it becomes questionable whether either area is receiving the attention required to maintain a high level of excellence.
Additionally, and correlating with Theme 4, participants noted that many IT practices and solutions cannot be directly implemented in OT and ICS environments, with the malicious code requirements of CIP-007 being frequently mentioned. Unlike IT systems, which can often be patched with minimal downtime or disruption, OT and ICS environments have an interconnected relationship between security, safety, and reliability. Potential downtime of these systems could jeopardize the safety or reliability of the system, which can put people, assets, and communities at risk, meaning that companies with OT and ICS environments aim for minimal system downtime. To address this concern, it is recommended to remove the timed patch cycle required by the NERC CIP standards in favor of a categorization proposed by Dragos, a prominent OT cybersecurity company. The categorization method for patches includes three categories:
• Install Now: A security patch addresses a critical vulnerability that poses a significant risk and should be installed as soon as possible.
• Install Next: A security patch addresses a vulnerability that poses a moderate risk, but the threat can be mitigated through defensible network architecture. This patch can be scheduled for installation later.
• Install Never: A security patch addresses a vulnerability with little to no risk to an organization’s system, or the patch is not applicable given the current configuration. The patch does not need to be installed.
Limitations
The key limitation to this study was related to participant recruitment. Participation was limited to those who work within the MRO region. The reason for this decision was to gather experiences from professionals who share similar experiences under the same auditing authority. While participants shared common ideas and concepts, their audit experiences varied greatly. With participants’ experiences being varied, the requirement for participants working in the MRO region could have been removed, which would have expanded the potential study population, alleviating the challenges that occurred with participant recruitment. While this limitation had an impact on recruitment, the individuals who were selected to participate met the study requirements, allowing the study to proceed and result in sound findings.
Recommendations
This study addressed the area of NERC CIP regulations, a topic with minimal existing academic literature. By conducting this study, other areas for future research have become more accessible. One topic that can be researched further is a comparison between cybersecurity regulations in other critical infrastructure industries. With the water and wastewater industry actively working to employ further regulations, a study addressing this topic could identify security areas that need further improvement. Differences in the deployment of cybersecurity measures between critical infrastructure industries could be examined and identified.
As stated previously, this study limited participants to those within the MRO region. Future studies could examine other regulatory regions to determine if similar opinions exist throughout the industry. Additionally, this study limited participation among those with a minimum of five years of experience with the NERC CIP standards. The experience requirement could be removed in future research to examine the NERC CIP standards from the perspective of those who do not possess great familiarity with the standards, which could assist in examining the approachability of cybersecurity regulations.
Conclusion
The problem this study addresses is that NERC CIP compliance professionals in the energy industry are hindered from effectively implementing cybersecurity controls required by the NERC CIP standards due to missing definitions of specific terminology and inconsistent interpretations of the standards [4]. The purpose of this study was to examine the experiences of professionals within the energy industry related to the interpretation, implementation, and enforcement of the NERC CIP standards to identify common issues that can hinder the effectiveness of cybersecurity controls. Ten participants were recruited using the snowball methodology, and data collection was performed through interviews over Zoom. Data analysis was performed using the inductive content analysis method, and coding was performed using MAXQDA 24. An iterative coding process revealed initial high-level codes, with more detailed sub-codes being created with each iteration. Upon completion of coding, themes were identified based on code frequencies and the interconnections between codes.
The results indicated that participants found the NERC CIP standards to be an effective tool for maintaining the minimum requirements for good security practices. Participants’ opinions were divided regarding definitions and terminology, with some believing the terminology is adequate and others believing it is too vague. While this sample of participants cannot speak for the energy industry at large, this study provides insight into the challenges associated with cybersecurity regulations in critical infrastructure industries and the challenges that may be faced as other industries seek to enact their own regulations.
References
[1] Cybersecurity & Infrastructure Security Agency. Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) Fact Sheet. Cybersecurity & Infrastructure Security Agency; 2022.
[2] Sherman TW, Atwater B, Gamble C, Fejfar MC, Hauswirth E, Herring D, et al. Critical Infrastructure Protection: CISA Should Improve Priority Setting, Stakeholder Involvement, and Threat Information Sharing. March 2022. Available from: https://www.gao.gov/assets/gao-22-104279.pdf.
[3] Nevius D. The History of the North American Electric Reliability Corporation. North American Electric Reliability Corporation; 2020. Available from: https://www.nerc.com/news/Documents/March%202023%20NERC%20Timeline.pdf.
[4] Duffey HTJIV. Exploring the impact of NERC CIP regulatory compliance on risk and security for bulk electric system grid cyber-attacks: a qualitative phenomenological study. D.B.A., Northcentral University, United States–California, 13424701. 2018. Available from: https://coloradotech.idm.oclc.org/login?url=https://www.proquest.com/dissertations-theses/exploring-impact-nerc-cip-regulatory-compliance/docview/2176028631/se-2.
[5] Ladendorff MZ. The effect of North American Electric Reliability Corporation critical infrastructure protection standards on bulk electric system reliability. Ph.D., Capella University, United States–Minnesota, 3640275. 2014. Available from: https://coloradotech.idm.oclc.org/login?url=https://www.proquest.com/dissertations-theses/effect-north-american-electric-reliability/docview/1619581598/se-2.
[6] Stockton PN. Strengthening the Cyberresilience of America’s Water Systems: Industry-Led Regulatory Options. American Water Works Association; 2021. Available from: https://www.awwa.org/Portals/0/AWWA/Government/STRENGTHENINGTHECYBERRESILIENCEOFAMERICASWATERSYSTEMS-INDUSTRY-LEDREGULATORYOPTIONS.pdf.
[7] Nevius D. The History of the North American Electric Reliability Corporation. 2020. Available from: https://www.nerc.com/news/Documents/NERCHistoryBook.pdf.
[8] Whitehead DE, Owens K, Gammel D, Smith J. Ukraine cyber-induced power outage: analysis and practical mitigation strategies. 2017 70th Annual Conference for Protective Relay Engineers (CPRE), pp. 1–8, 2017 Apr 3–6. doi: 10.1109/CPRE.2017.8090056.
[9] Geiger M, Bauer J, Masuch M, Franke J. An analysis of Black Energy 3, Crashoverride, and Trisis, three malware approaches targeting operational technology systems. 2020 25th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA), vol. 1, pp. 1537–43, 2020 Sep 8–11. doi: 10.1109/ETFA46521.2020.9212128.
[10] Rajkumar VS, Stefanov A, Presekal A, Palensky P, Torres JLR. Cyber attacks on power grids: causes and propagation of cascading failures. IEEE Access. 2023;11:103154–76. doi: 10.1109/ACCESS.2023.3317695.
[11] Chiara Lo P, Blumsack S. Enhancing the reliability of bulk power systems against the threat of extreme weather: lessons from the 2021 Texas Electricity Crisis. Econ Ener Environ Pol. 2023;12(2):1–21. doi: 10.5547/2160-5890.12.2.clop.
[12] National Academies of Sciences, Engineering, and Medicine. The Future of Electric Power in the United States. 2021. Available from: https://nap.nationalacademies.org/catalog/25968/the-future-of-electric-power-in-the-united-states.
[13] Kosseff J. Defining cybersecurity law. Iowa Law Review. 2018;103(3):985–1031. Available from: https://coloradotech.idm.oclc.org/login?url=https://www.proquest.com/scholarly-journals/defining-cybersecurity-law/docview/2187899333/se-2?accountid=144789. U.S. Department of Health and Human Services Office for Civil Rights. HIPAA Administrative Simplification. Available from: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf.
[14] Martin K. Embracing compliance for the sake of cybersecurity: looking beyond legal requirements to find best practices. The CPA Journal. 2018;88(6):60–2. Available from: https://coloradotech.idm.oclc.org/login?url=https://www.proquest.com/scholarly-journals/embracing-compliance-sake-cybersecurity-looking/docview/2185467720/se-2?accountid=144789.
Google Scholar
14
-
Perakslis ED. Cybersecurity in health care, (in English). New England J Med. 2014 Jul 31 2023-11-30 2014;371(5):395–7. doi: 10.1056/NEJMp1404358.
Google Scholar
15
-
Choi SJ, Johnson ME, Lehmann CU. Data breach remediation efforts and their implications for hospital quality. Health Serv Res. 2019;54(5):971–80. doi: 10.1111/1475-6773.13203.
Google Scholar
16
-
House of Representatives. 118, 1 Session. 118-153, PROTECTING AND SECURING CHEMICAL FACILITIES FROM TERRORIST ATTACKS ACT OF 2023. 2023. Available from: https://www.congress.gov/118/crpt/hrpt153/CRPT-118hrpt153.pdf.
Google Scholar
17
-
Seifert JW. Title 6 Domestic Security. ed United States of America: National Archives Code of Federal Regulations; 2007.
Google Scholar
18
-
Congress, 2013 Session. America’s Water Infrastructure Act of 2018. 2018. Available from: https://www.epa.gov/ground-water-and-drinking-water/americas-water-infrastructure-act-2018-awia.
Google Scholar
19
-
Fox R. Addressing PWS Cybersecurity in Sanitary Surveys or an Alternate Process. ed: United States Environmental Protection Agency; 2023.
Google Scholar
20
-
Fox R. Withdrawal of cybersecurity memorandum of March 3, 2023. ed, 2023. Available from: https://nrwa.org/wp-content/uploads/2023/10/Action-Memo_Rescinding-Cyber-Memo_October-2023.pdf.
Google Scholar
21
-
Congress, 118 Session. To establish a Water Risk and Resilience Organization to develop risk and resilience requirements for the water sector. (2024, 2023-2024). Available from: https://www.congress.gov/bill/118th-congress/house-bill/7922/text.
Google Scholar
22
-
Yeng PK, Muhammad Ali F, Bian Y. A comprehensive assessment of human factors in cyber security compliance toward enhancing the security practice of healthcare staff in paperless hospitals, (in English). Information. 2022 2023-11-25 2022;13(7):335. doi: 10.3390/info13070335.
Google Scholar
23
-
Clark-Ginsberg A, Slayton R. Regulating risks within complex sociotechnical systems: evidence from critical infrastructure cybersecurity standards. Sci Public Policy. 2019;46(3):339–46. doi: 10.1093/scipol/scy061.
Google Scholar
24
-
Vielberth M, Menges F, Pernul G. Human-as-a-security-sensor for harvesting threat intelligence, (in English). Cybersecurity. Dec 2019 2023-11-23 2019;2(1):23. doi: 10.1186/s42400-019-0040-0.
Google Scholar
25
-
Dokter G. Exploratory research and its impact on problem identification. J Res Develop. 2023;11(2):1–2. doi: 10.35248/2311-3278.23.11.219.
Google Scholar
26
-
Burkholder GJ, Cox KA, Crawford LM, Hitchcock JH. Research Design and Methods. SAGE Publications, Inc. (US); 2019.
Google Scholar
27
-
North American Electric Reliability Corporation (NERC). NERC Membership List. 2023. Available from: https://eroportal.nerc.net/NERCMembershipList/.
Google Scholar
28
-
Midwest Reliability Organization (MRO). Membership. 2025. Available from: https://www.mro.net/about/membership/.
Google Scholar
29
-
North American Electric Reliability Corporation (NERC). Compliance Monitoring and Enforcement Program and Organization Registration and Certification Program Mid-Year Report. 2024. Available from: https://www.nerc.com/pa/comp/CE/ReportsDL/2024%20CMEP%20and%20ORCP%20Mid-Year%20Report.pdf.
Google Scholar
30
-
Dragos Inc. RISK-BASED VULNERABILITY MANAGEMENT FOR OPERATIONAL TECHNOLOGY. 2024. Available from: https://hub.dragos.com/hubfs/116-Datasheets/Dragos_Risk-Based_Vulnerability_Management_OT_Cybersecurity.pdf?hsLang=en.
Google Scholar
31