The electric industry has developed the NERC CIPs to secure the bulk electric system from cyber attacks. The bulk electric system is another term for electric transmission. However, the electric system is composed of generation, transmission, and distribution. Without going into the adequacy (or lack thereof) of the NERC CIPs, the fundamental issue is that electric distribution which provides the power to the end-users (homes, hospitals, industrials, military bases, etc) are EXPLICTLY EXCLUDED from the NERC CIPs. Ironically, it is the distribution system that is undergoing the most technological upgrades (read cyber) such as substation automation, Automated Metering Infrastructure (AMI), and Smart Grid. SANS will be having a session about what to do in hearings about getting Public Utility Commissions (PUCs) to provide rate relief for cyber security upgrades. FERC provided a path for that immediately following 9/11 and at least utility has already taken advantage of that approach. The reason most others have not is because of the potential for reopening rate hearings which could cost the utilities tens of millions of dollars. Currently, most PUCs do not include cyber security as part of their regulatory portfolio. The real issue isn’t rate relief, but having the PUCs include security as part of their regulation of electric distribution or there will be no teeth to ensure we get power to our homes.