Cybersecurity Regulations in the Energy Industry: A Detriment or a Benefit?

Electrical entities are attractive targets for malicious actors given their significance and necessity in modern critical infrastructure. Maintaining reliability of the electric grid is essential, making good cybersecurity practices necessary within the energy industry to ward off potential cyberattacks and maintain the functionality of electric systems. The North American Electric Reliability Corporation (NERC), an international organization servicing the United States of America and parts of Canda and Mexico, is a regulatory authority that aims to reduce risks to the electric grid. To address security risks, the NERC created the Critical Infrastructure Protection (CIP) reliability standards, which is a series of legally enforceable security requirements that electrical entities must follow [1]. The opinions surrounding legal and regulatory involvement can be mixed, with the use of regulations to improve security being questionable. This qualitative study interviewed professionals within the energy industry to gather opinions and experiences involving the NERC CIP standards. Data was analyzed using the inductive content analysis approach to identify common themes and topics within the responses collected from participants during the interview process. The findings note areas where the NERC CIP regulatory standards excel in improving security, as well as areas where the interviewed professionals experienced issues or suggested potential improvements.