Pennsylvania Bulletin

PA Bulletin, Doc. No. 05-1119

RULES AND REGULATIONS

Title 52--PUBLIC UTILITIES

PENNSYLVANIA PUBLIC UTILITIES

[52 PA. CODE CH. 101]

[35 Pa.B. 3299]

[L-00040166]

Public Utility Security Planning and Readiness

   The Pennsylvania Public Utility Commission on March 3, 2005, adopted a revised final rulemaking order requiring jurisdictional utilities to develop and maintain written physical, cyber security, emergency response and business continuity plans. The contact persons are Kimberly A. Joyce, Law Bureau, (717) 705-3819 and Darren Gill, Bureau of Fixed Utility Services, (717) 783-5244.

Executive Summary

   Pursuant to 66 Pa.C.S. § 1501, public utilities must furnish and maintain adequate, efficient, safe, and reasonable service and facilities, and make changes, alterations, and improvements in or to such service and facilities as shall be necessary for the accommodation, convenience, and safety of its patrons, employees, and the public.

   The regulations require jurisdictional utilities to develop and maintain written physical security, cyber security, emergency response, and business continuity plans. In addition, jurisdictional utilities must file a Self Certification Form with the Commission documenting compliance with the above mentioned plans.

   These regulations will ensure that jurisdictional utilities are effectively equipped and prepared to provide safe and reliable utility service when faced with security concerns. In addition, jurisdictional utilities will be required to review and exercise their ability to detect, prevent, respond to and recover from abnormal operating conditions on an annual basis.

Regulatory Review

   Under section 5(a) of the Regulatory Review Act (71 P. S. § 745.5(a)), on June 3, 2004, the Commission submitted a copy of the notice of proposed rulemaking, published at 34 Pa.B. 3138 (June 19, 2004), to IRRC and the Chairpersons of the House Committee on Consumer Affairs and the Senate Committee on Consumer Protection and Professional Licensure for review and comment.

   Under section 5(c) of the Regulatory Review Act, IRRC and the Committees were provided with copies of the comments received during the public comment period, as well as other documents when requested. In preparing the final-form rulemaking, the Commission has considered all comments from IRRC, the House and Senate Committees and the public.

   Under section 5.1(j.2) of the Regulatory Review Act (71 P. S. § 745.5a(j.2)), on April 27, 2005, the final-form rulemaking was deemed approved by the House and Senate Committees. Under section 5.1(e) of the Regulatory Review Act, IRRC met on April 28, 2005, and approved the final-form rulemaking.

Public Meeting held
March 3, 2005

Commissioners Present: Wendell F. Holland, Chairperson; Robert K. Bloom, Vice Chairman; Kim Pizzingrilli

Rulemaking Re: Public Utility Security Planning and Readiness; Docket No. L-00040166

Revised Final Rulemaking Order

By the Commission:

   The intent of this rulemaking has always been to improve the security monitoring of our jurisdictional utilities. As mentioned in our prior orders, this rulemaking requires all jurisdictional utilities to develop and maintain written physical security, cyber security, emergency response and business continuity plans to protect the Commonwealth's infrastructure and ensure safe, continuous and reliable utility service. In accordance with the regulations, jurisdictional utilities will submit a Public Utility Security Planning and Readiness Self Certification Form (Self Certification Form) to the Public Utility Commission (Commission) attesting to compliance with the attached regulations.

Background

   In the past several years, the Commission has worked closely with its jurisdictional utilities to ensure the safe and reliable delivery of utility services to citizens in the Commonwealth and to refine the emergency management and response processes.

   Beginning in 1998, the Commission instituted a Year 2000 technology (Y2K) readiness formal investigation which examined the readiness of approximately 750 public utilities and conducted an assessment of Y2K readiness for twenty-three jurisdictional companies. As a result of the increased security threats across the nation, the Commission immediately surveyed its jurisdictional companies, the PJM Interconnection, and the Pennsylvania Rural Electric Association (PREA). Rail safety inspectors, gas safety inspectors and telecommunications staff were also contacted to assess their industries.

   In addition, the Commission began coordinating its security efforts with the state Office of Homeland Security and submitted several comprehensive reports to the House of Representatives and the state Office of Homeland Security. Through this process, the Commission developed a security self certification process for all Commission jurisdictional utilities. The Commission directed that the Self Certification Form be submitted to the Commission yearly as part of each utility's Annual Financial or Annual Assessment Report.

Procedural History

   The Physical and Cyber Security Program Self Certification Requirements for Public Utilities were issued by the Commission in a Tentative Order¹ entered on August 5, 2003 and published in the Pennsylvania Bulletin on August 16, 2003. Comments to the Tentative Order were due on September 5, 2003.

   Comments were filed by the Pennsylvania Telephone Association (PTA), the Energy Association of Pennsylvania (EAP), Pennsylvania-American Water Company (PA-American) and The Peoples Natural Gas Company d/b/a Dominion Peoples (Dominion Peoples). Columbia Gas of Pennsylvania, Inc. (Columbia) provided late comments on September 8, 2003.

   In an order entered on December 9, 2003, the Commission responded to the filed comments and determined that a self certification process for utility security programs should be instituted for the current and anticipated security compliance of all jurisdictional utilities. The Commission ordered that jurisdictional utilities complete and file with the Commission the Self Certification Form. Beginning on or after January 1, 2004,² utilities under the reporting requirements of 52 Pa. Code §§ 27.10, 57.47, 59.48, 61.28, 63.36, or 65.19 must file the Self Certification Form at Docket No. M-00031717, at the time each Annual Financial Report is filed. Beginning on or after January 1, 2004,³ utilities not subject to the reporting requirements above, but subject to the reporting requirements of 52 Pa. Code §§ 29.43, 31.10 or 33.103 must file the Self Certification Form at Docket No. M-00031717, at the time each Annual Assessment Report is filed.

   The December 9, 2003 Order requires all jurisdictional utilities (including railroads) to file the Self Certification Form. The December 9, 2003 Order was not challenged by any utility and all utilities must file the Self Certification Form informing the Commission as to whether or not they have a physical security, cyber security, emergency response, and business continuity plan in place.

   In the December 9, 2003, Order, the Commission further ordered the Law Bureau, in conjunction with the Bureau of Fixed Utility Services and the Bureau of Transportation and Safety, to initiate a rulemaking to include the requirement for jurisdictional utilities to develop and maintain appropriate written physical and cyber security plans, emergency response plans and business continuity plans as part of the Commission's regulations.

   To be clear, the rulemaking goes further than the December 9, 2003 Order and requires jurisdictional utilities to affirmatively state that they have the four plans in place, as described in the rulemaking. This rulemaking also includes the requirement that jurisdictional utilities submit the Self Certification Form to the Commission.

   On March 18, 2004, at Docket No. L-00040166, the Commission adopted the proposed regulations governing the security planning and readiness of Commission jurisdictional utilities in Pennsylvania. This Proposed Rulemaking Order was published in the Pennsylvania Bulletin on June 19, 2004 with comments due on July 19, 2004. After publication in the Pennsylvania Bulletin and service upon numerous associations including those that commented to HR 361, the Commission received timely filed comments from the following parties: the Pennsylvania Telephone Association (PTA), Allegheny Power Company (Allegheny Power), AT&T Communications of Pennsylvania, LLC (AT&T) and joint comments from United Telephone Company of Pennsylvania (United Telephone) and Sprint Communications Company L.P. (Sprint), collectively referred to as Sprint. The Commission also received comments on August 18, 2004 from the Independent Regulatory Review Commission (IRRC).

   On October 5, 2004, the Commission entered an Order considering the comments timely filed by all of the parties and IRRC. As a result of the comments, the Commission made several changes to the proposed regulations. The Final Rulemaking Order was then sent to IRRC for approval its public meeting, which was scheduled on November 18, 2004.

   On November 12, 2004, after the due date⁴ for comments had expired, Norfolk Southern Railway Company, CSX Transportation, Inc., Canadian National Railway Company, Canadian Pacific Railway, and Consolidated Rail Corporation (hereinafter referred to as Norfolk Southern, CSX, Canadian National, Canadian Pacific, and Consolidated Rail) sent comments via email and facsimile to the Commissioners of the PUC and its Chief Counsel regarding the Final Rulemaking Order previously entered on October 5, 2004.

   In their comments, Norfolk Southern, CSX, Canadian National, Canadian Pacific, and Consolidated Rail asserted that the Public Utility Security Planning and Readiness regulations attached to the Final Rulemaking Order should not apply to them. After a series of four Commission Orders, this was the first time that Norfolk Southern, CSX, Canadian National, Canadian Pacific, and Consolidated Rail had commented in this proceeding.

   In order to more fully understand Norfolk Southern, CSX, Canadian National, Canadian Pacific, and Consolidated Rail's concerns with the Final Rulemaking Order and their objection to filing the Self Certification Form pursuant to the Commission's regulation, the Commission withdrew the Final Rulemaking Order and issued a Secretarial Letter on December 29, 2004 providing notice of a revision to the Final Rulemaking Order.⁵

   In the Secretarial Letter, the Commission proposed an addition to the rulemaking limiting the applicability of the regulation for those entities regulated by the Federal Railroad Safety Act (FRSA), 49 U.S.C.A. §§ 20101--20153, and the Hazardous Materials Transportation Act (HMTA), 49 U.S.C.A. §§ 5101--5127. Second, the Commission sought comment on the Commission's rulemaking in relation to Act 183 (new Chapter 30), which applies to the telecommunication's industry. 66 Pa.C.S. § 3010--3019.

   Before discussing comments from the above mentioned parties, we note one change in the final form regulation. The Self Certification Form was attached to the proposed rulemaking for informational purposes. Comments made to this form by IRRC and the other parties will be addressed later in this order. However, the Self Certification Form will not be included as an Appendix in the final form regulation. As stated in the final form regulations, at § 101.3(d), the Self Certification Form is available at the Secretary's Bureau and on the Commission's website.

Discussion

   Upon due consideration of the comments, we make the following determinations regarding each proposed section at 52 Pa. Code §§ 101.1--101.6.

Proposed regulations at 52 Pa. Code §§ 101.1--101.7

§ 101.1. Purpose

   This section of the proposed regulation establishes the purpose of Chapter 101, relating to public utility security preparedness through self certification.

Positions of the Parties

   IRRC comments that the terms ''jurisdictional utility'' and ''infrastructure'' need to be defined or cross referenced as used in this section.

Disposition

   The Commission has authority to supervise and regulate certain utilities within the Commonwealth. 66 Pa.C.S. § 501(b). ''Jurisdictional utility'' refers to all of those utilities which fall within the Commission's jurisdiction to supervise and regulate. Those utilities that must comply with the subject regulations are listed in § 101.4. After reading § 101.4, a utility will be able to determine whether or not the subject regulations apply to it and will be able to discern if it falls under the Commission's jurisdiction. In order to further clarify, we will adopt IRRC's suggestion and define the term ''jurisdictional utility'' in Section 101.2 as ''[a] utility subject to the reporting requirements of § 27.10, § 29.43, § 31.10, § 33.103, § 57.47, § 59.48, § 61.28, § 63.36 or § 65.19.''

   The USA Patriot Act of October 24, 2001, defines critical infrastructure in Title X, Section 1016(e) as the ''systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.'' We will adapt the Patriot Act definition to define infrastructure for the purposes of this proposed regulation as ''the systems and assets so vital to the utility that the incapacity or destruction of such systems and assets would have a debilitating impact on security, economic security, public health or safety, or any combination of those matters.''

§ 101.2. Definitions.

Emergency response plan, business continuity plan, contingency planning and business resumption definitions

Positions of the Parties

   In its comments, IRRC states that the proposed regulation uses three phrases to describe potential service interruptions. These include ''change or unforeseen circumstances'' in the definition of business continuity plan and contingency planning; ''natural causes or sabotage'' in the definition of emergency response plan; and ''disaster'' in the definition of business resumption. IRRC suggests replacing theses phrases with the defined terminology ''abnormal operating conditions.''

Disposition

   We agree with the comments submitted by IRRC and will replace the three phrases described above with the defined terminology ''abnormal operating conditions.''

Physical and cyber security plans, emergency response plan and business continuity plan definitions

Positions of the Parties

   IRRC states that the physical and cyber security plans, emergency response plan and business continuity plan definitions all contain a brief description of the term and duties for jurisdictional utilities to perform. IRRC submits that the duties should not be included in the definitions, but rather, should be moved to § 101.3.

Disposition

   We agree with IRRC's comments and will place the jurisdictional utilities' duties in § 101.3.

Critical functions definition

Positions of the Parties

   IRRC states that the phrase ''several business days'' in the critical functions definition is vague and should be replaced with a specific time frame.

Disposition

   While we understand the nature of IRRC's concern, we believe that each utility should have the opportunity to discern the specific amount of time that it can maintain operations with the loss of a critical function. We emphasize that this rulemaking applies to jurisdictional utilities which vary in nature, including, inter alia, common carriers of passengers, telecommunications utilities, electric utilities, and railroad carriers. Therefore, the subject business activity or information for each utility that cannot be interrupted or unavailable without significantly jeopardizing operations of the utility will also vary. The language, as currently drafted, allows each utility to tailor its plan within this regulation depending on size and type.

Business recovery definition

Positions of the Parties

   IRRC submits that the phrase ''less time-sensitive business operations'' in the business recovery definition should be more fully described, including examples, in the preamble or the final-form regulation.

Disposition

   ''Less time-sensitive business operations'' include all other operations not subsumed under the critical functions definition. We believe that each utility should have the opportunity to discern what ''less time-sensitive business operations'' are, emphasizing that they may be different for the various utilities that must comply with the regulation. An example of a ''less time-sensitive business operation'' is billing.

Cyber security plan definition

Positions of the Parties

   IRRC submits that the phrase ''appropriate backup'' found in the cyber security plan definition should be defined in the final-form regulation or the Commission should provide examples of ''appropriate backup.'' IRCC also submits that the phrase ''a recognition of'' in paragraph (iv) is superfluous, and should be deleted.

Disposition

   We agree with the comment provided by IRRC and will provide an example of ''appropriate backup'' at § 101.3(a)(2)(II) that reads as follows: ''Appropriate backup may include having a separate distinct storage media for data or a different physical location for application software.''

   In response to IRRC's comment that the phrase ''a recognition of'' in paragraph (iv) is superfluous, we clarify that we are not requiring that a plan set forth a specific time period. Rather, we are directing utilities to consider this time period when writing their plan.

Emergency response plan definition

Positions of the Parties

   IRRC states that the phrase ''emergency management system'' used in the emergency response plan definition should be defined in the final-form regulation.

Disposition

   We agree with the comment provided by IRRC that the phrase ''emergency management system'' needs to be further defined. In order to add clarification to the proposed regulation, we will replace the phrase ''emergency management system'' with ''appropriate emergency services and emergency preparedness support agencies and organizations'' as it is now found in § 101.3.

Business continuity plan definition

Positions of the Parties

   The proposed definition of business continuity plan states that the written plan will ''ensure'' the continuity or uninterrupted provision of operations and services. Sprint is concerned with the reference to ''ensure'' in the definition. Sprint states that no plan can absolutely ''ensure'' uninterrupted operations and service 100% of the time regardless of the nature or gravity of the circumstances. Sprint submits that it is cognizant of its obligations under the Public Utility Code and will endeavor to implement a business continuity plan that reasonably ensures uninterrupted operations and services. Sprint recommends modification of the proposed definition of business continuity plan to state: ''A written plan that will reasonably ensure the continuity or uninterrupted provision of operations and services . . .''

Disposition

   While we appreciate Sprint's concern that no plan can absolutely ensure uninterrupted operations and service regardless of the nature or gravity of the circumstances, we do not wish to lessen the impact of this regulation by adding Sprint's suggested language. We prefer to keep the language as written understanding that no plan will absolutely guarantee uninterrupted operations and service, but stress that uninterrupted operations and service is the goal for which all utilities should strive.

§ 101.3. Plan requirements.

   In the Proposed Rulemaking Order we proposed that a jurisdictional utility develop and maintain written physical and cyber security, emergency response and business continuity plans.

Development and maintenance of plans--§ 101.3(a)

Positions of the Parties

   The PTA, AT&T, Sprint and IRRC seek clarification as to whether the four plans may exist within a single document, and whether certification of compliance of that single document attests to compliance with all four plans.

   Also, Sprint and AT&T seek clarification on the acceptability of plans designed and maintained to protect assets on a national level for utilities that serve nationwide. Finally, Sprint suggests that the Commission should clarify that the use of the term ''written'' includes electronic means of storing and updating security plans required by these regulations.

Disposition

   The goal of this proposed regulation is to ensure that each jurisdictional utility has written plans that can be viewed as demonstrating each utility's ability to secure its operations and respond to emergency situations. If this objective can be demonstrated through the use of one interwoven plan incorporating the objectives and goals of all four plans, then this Commission would find one comprehensive plan acceptable for purposes of the self certification form.

   However, we caution our jurisdictional utilities utilizing a single plan to ensure that the intertwined nature of one consolidated plan does not detract from the clarity necessary to implement one or more of the four plans. Additionally, in addressing Sprint's request for clarification of the use of the term ''written,'' we remind Sprint that retrieval of electronically stored plans and data may not be possible during certain abnormal operating conditions. Therefore, while we are not opposed to utilities maintaining plans in electronic format, we caution each utility to not rely on the retrieval of those electronic plans as the sole repository for physical and cyber security, business continuity and emergency response plans.

Development and maintenance of plans--§ 101.3(c)

Positions of the Parties

   IRRC states that while § 101.3 requires utilities to maintain a testing schedule of plans, the proposed regulation does not specifically state the requirement to test the four plans. IRRC submits that if the Commission's intent is to require annual testing of the plans, then the final-form regulation should be amended to reflect this requirement.

   Allegheny Power and IRRC request that the term ''test'' be defined in the proposed regulation. Allegheny Power requests recognition that the four plans do not need to be entirely tested within a calendar year, and that testing of a portion of a plan constitutes a test of a plan. Allegheny points to the Commission's December 9, 2003, Order at Docket No. M-00031717 in which the Commission recognized that testing of the plans should be an ongoing process, but not necessarily a distinct annual drill where an entire plan is tested from beginning to end.

   Sprint avers that an annual review or testing requirement is unnecessary and unwise, since some processes will be reviewed more than annually, while others less frequently. Sprint also submits that § 101.3(c) should be clarified to allow intra-company assessments of plans to be accepted as compliance with this proposed regulation. Sprint recommends that the proposed § 101.3(c) should be modified to include ''a testing or assessment schedule of these plans.''

Disposition

   In response to IRRC's concern over whether the regulation requires actual testing or simply a test plan, we will revise the wording in § 101.3(c) to read: ''A jurisdictional utility shall maintain and implement an annual testing schedule.'' This emphasizes our desire to have our jurisdictional utilities actually test their plans. In light of this, we will not accept Sprint's suggestion that § 101.3(c) should be clarified to allow intra-company assessments of plans to be accepted as compliance with this proposed regulation or Sprint's recommendation to modify § 101.3(c) to include the language ''a testing or assessment schedule of these plans.''

   We also agree with IRRC's comment to add the definition of ''test'' to § 101.2. ''Test'' will be defined as ''A trial or drill of physical security, cyber security, emergency response and business continuity plans. Testing may be achieved through a sum of continuous partial testing rather than one distinct annual drill where an entire plan is tested from beginning to end.'' We believe this additional language also addresses Sprint's comments about annual testing.

   We agree with Allegheny Power's reemphasis of our December 9, 2003, Order at Docket No. M-00031717. Again, we believe that, in some cases, testing of physical security, cyber security, emergency response and business continuity plans are ongoing and security is achieved through a sum of continuous partial testing rather than one big test undertaken over some specified time table.

§ 101.4. Reporting requirements.

   In the Proposed Rulemaking Order we stated that each jurisdictional utility shall file a self certification form with the Commission.

Self certification form title--§ 101.4(a) and (b)

Positions of the Parties

   IRRC submits that the Physical and Cyber Security Planning Self Certification Form referred to in this section is titled differently in various sections of the proposed regulation. IRRC states that the title of the form needs to be made consistent throughout the proposed rulemaking.

Disposition

   We agree with IRRC's comment concerning a consistent reference to the self certification form. The form's title shall be changed to ''Public Utility Security Planning and Readiness Self Certification,'' consistent with the proposed regulation's Subpart E title. Accordingly, all other references to the self certification form in the proposed regulation shall be changed to maintain consistency.

Self certification form question numbers 2, 5, 9 and 12--§ 101.3(a) and (b)

Positions of the Parties

   Question numbers 2, 5, 9 and 12 of the self certification form ask if specific plans have been ''reviewed and updated in the past year.'' IRRC recommends that the proposed rulemaking be changed to read ''reviewed and updated as needed.'' This recommendation is based on the assertion that not every review will necessitate an update.

Disposition

   We agree with the IRRC assertion that not every plan review will necessarily result in an update to such plan. Therefore, we will amend self certification form question numbers 2, 5, 9 and 12 to include the language '' . . .reviewed in the last year and updated as needed.''

Self certification form question numbers 7--§ 101.3(a) and (b)

Positions of the Parties

   Question number 7 of the self certification form asks ''Has your company performed a vulnerability or risk assessment analysis as it relates to physical and/or cyber security?'' Allegheny Power and IRRC state that the terms ''vulnerability'' and ''risk assessment'' need to be defined in § 101.2 of the proposed regulation. Additionally, IRRC comments that the ''and/or'' terminology needs clarification.

Disposition

   In our review of question number 7 from the self certification form, we find that it is unnecessary and should be deleted from the form. We believe that in order for a utility to formulate a proper physical or cyber security program, a vulnerability or risk assessment would have been performed. Therefore, question number 7 is redundant, since the answer to this question is subsumed within the jurisdictional utility's response to question numbers 1 and 4. Therefore, we will remove question number 7 from the final form.

§ 101.5. Confidentiality of self certification form

   In the Proposed Rulemaking Order we stated that the self certification form is not a public document or record and is deemed confidential and proprietary.

Filing method--§ 101.5

Positions of the Parties

   IRRC inquires as to whether the self certification form can be filed electronically with the Commission. IRRC submits that the Commission should consider allowing electronic submission of the self certification form.

Disposition

   While we understand the benefits of electronic filing and hope to explore this possibility in the future, our Commission cannot accept the Self Certification Form through an electronic filing method under our current filing system. At this time, the Commission does not have the capability to accept filings to the Secretary's Bureau in electronic format. In addition, the Commission does not have the technology in place to ensure the security of an electronic filing.

§ 101.6. Compliance

   In the Proposed Rulemaking Order we proposed that the Commission may review a jurisdictional utility's physical, cyber, business continuity and emergency response plans as necessary and may inspect a utility's facilities to assess compliance monitoring. It also allows a utility to utilize a substantially similar plan, formulated for another jurisdiction, for compliance with this proposed regulation.

Plan review and utility site review--§ 101.6(b) and (c)

Positions of the Parties

   Section 101.6(b) and (c) state that the Commission may review the plans of a utility and inspect a utility's facility. IRRC submits that the Commission should explain the manner in which it will request to review a utility's plans or inspect a utility's site and the amount of prior notice a utility should expect before a review or site visit.

   Sprint seeks clarification regarding § 101.6(c)'s reference to ''facility.'' Sprint suggests that § 101.6(c) should be modified in relevant part as follows: ''The Commission may inspect a utility's facility, to the extent utilized for or necessary to the provision of utility service, so as to assess performance of its compliance monitoring under 66 Pa.C.S. §§ 504--506.''

   Sprint also comments that there is no reference made in the proposed § 101.6(c) regarding the level of confidentiality that will be extended during and following any such Commission inspection. Sprint avers that any information or data gathered during a Commission inspection pursuant to § 101.6(c) must be accorded confidentiality (e.g., inspector must execute a nondisclosure agreement) and must not be accessible as a public document.

Disposition

   IRRC expresses concern over the manner in which the Commission will request to review a utility's plans or inspect a utility's site and the amount of prior notice given. We understand IRRC's concern and comment that the Commission has in the past and, for the purposes of this regulation, will most likely give prior notification by letter or phone and arrive during normal business hours. However, several factors favor not setting forth the exact protocol for Commission inspection in the regulation. Pursuant to 66 Pa.C.S. § 506, the Commission already has the full power and authority to inspect and investigate a utility's equipment and facilities. In the performance of such duties, the Commission may further inspect pertinent records and documents. We do not wish to limit our authority under Section 506 by setting forth specific protocols before inspecting a utility through this regulation.

   Since the Commission has already been charged with this authority, we are uncomfortable adopting any restrictive language. In addition, we note the twenty-four hour operational nature of most of the utilities subject to this regulation. As has happened in the past, required site visits may need to occur during non-traditional business hours.

   Sprint seeks clarification on § 101.6(c)'s reference to ''facility.'' We agree with Sprint's suggested change and will adopt the language to modify § 101.6(c) to read: The Commission may inspect a utility's facility, to the extent utilized for or necessary to the provision of utility service, to assess performance of its compliance monitoring pursuant to 66 Pa.C.S. §§ 504, 505 and 506.

   Sprint further comments on the level of confidentiality during an inspection and any information gathered at such an inspection. We agree with Sprint that any information or data gathered during a Commission inspection pursuant to Section 101.6(c) should be accorded confidentiality. However, as indicated above, the Commission has the full power and authority to inspect and investigate a utility's equipment and facilities. 66 Pa.C.S. § 506. In the performance of such duties, the Commission may further inspect pertinent records and documents. Id. Since the Commission has already been charged with this authority and we do not know what kind of information could be gathered at this time, we decline to adopt Sprint's comment in the final-form regulation.

Substantially similar plans--§ 101.6(d)

Positions of the Parties

   IRRC comments that the phrase ''substantially similar plan'' is vague and the Commission should include specific guidelines in the final-form regulation for a jurisdictional utility to determine whether the plan it must file with another entity could also be used to fulfill the requirements set forth in this section of the proposed regulation.

   Furthermore, IRRC questions whether security information provided to another entity as part of its plans, but not required by the Commission, would be considered public or proprietary information by the Commission.

Disposition

   We agree with IRRC's suggestion to use the phrase ''meets the requirements of'' instead of ''substantially similar plan'' and will modify § 101.6(d) to read as follows: ''A utility that has developed and maintained a cyber security, physical security, emergency response or business continuity plan under the directive of another state or federal entity that meets the requirements of § 101.3 may utilize that plan for compliance with this subpart, upon the condition that a Commission representative be permitted to review the cyber security, physical security, emergency response or business continuity plan. A company that is utilizing another entity's plan shall briefly describe the alternative plan and identify the authority that requires the alternative plan along with the Self Certification Form filed with the Commission.''

   As to IRRC's second concern, the Commission is not requiring the filing of plans. Rather, through this proposed rulemaking, jurisdictional utilities are required to file a Self Certification Form. Any information submitted with the Self Certification Form would be deemed confidential and proprietary pursuant to § 101.5. If a specific plan does fall under review, security information provided in another entity's plan, but not required by the Commission, would likely be considered confidential and proprietary information by the Commission. However, not knowing the content of this information, we decline to include this in the final-form regulation.

Discussion of Additional Comments

   On January 21, 2005, Norfolk Southern, CSX, Canadian National, Canadian Pacific, and Consolidated Rail submitted joint comments via electronic email to the Commissioners of the PUC. On January 24, 2004, the same comments were filed with the Secretary's Bureau. On February 11, 2005, the Pennsylvania Telephone Association filed its comments with the Secretary's Bureau.

   Before discussing the proposed revision to the Final Rulemaking Order, the Commission makes the following observations on the joint comments filed by Norfolk Southern, CSX, Canadian National, Canadian Pacific, and Consolidated Rail. In the joint comments, the railroads suggest they may have been ''unintentionally swept up'' in the Final Rulemaking Order. This suggestion is without merit. The Commission did not ''unintentionally'' include the rail industry in the previous four Orders that it issued relating to this matter. A railroad is unquestionably included in the definition of a public utility in the Pennsylvania Public Utility Code. 66 Pa.C.S. § 102. In addition, the Commission's Bureau of Transportation and Safety, Rail Safety Division, is responsible for the administration and processing of rail safety complaints and safety inspections for compliance with the Federal Railroad Administration's (FRA) track, operating practice, and freight standards. The division is responsible for rail crossing and bridge safety.

   Second, Norfolk Southern, CSX, Canadian National, Canadian Pacific, and Consolidated Rail assert that they were unaware of the Final Rulemaking Order. The joint railroad comments do not state whether they were aware of the other three Commission orders addressing this matter that were issued over the past several years. In response, we point out that the Proposed and Final Rulemaking Orders were published in the Pennsylvania Bulletin and both Orders were served on those jurisdictional respondents to HR 361, which included Norfolk Southern. In fact, over twenty other railroads have properly filed the Self Certification Form with the Commission. This information belies Norfolk Southern, CSX, Canadian National, Canadian Pacific, and Consolidated Railroad's assertion that they were unable to discern that the regulation entitled Rulemaking Re: Public Utility Security Planning and Readiness applied to them.

   Third, the Commission emphasizes the importance of this regulation as highlighted in our previous Orders. In this new age, the Commission's attention to safety and security of utilities within the Commonwealth is certainly a priority. The Commission is committed to doing everything it can to help protect the citizens of this Commonwealth from a terroristic or other abnormal event. The self certification process was developed to make sure that all utilities that are located or travel (fixed and nonfixed) within the Commonwealth are proactively examining their security plans on an ongoing basis and testing these plans with the realization that in each passing year, circumstances change and new threats may be present. This is especially true of those utilities that transport hazardous material directly through our cities and across the state. We expect that all those utilities doing business with and serving the citizens of this Commonwealth share our same goal and will endeavor to cooperate with our efforts to secure our state.

   Fourth, the intent of this rulemaking is to create a minimum set of requirements that can be consistently implemented with sufficient flexibility to account for differences in the types of utilities under the Commission's jurisdiction. We reiterate that the regulations do not require utilities to file copies of their physical security, cyber security, emergency response, and business continuity plans with the Commission. The regulation only requires utilities to have physical security, cyber security, emergency response, and business continuity plans in place and does not impose any detailed plans or specific timeframe for testing them. Compliance with this regulation is not an onerous task, but rather a reasonable and important exercise to help ensure that our critical infrastructure is protected.

   Lastly, we have acknowledged that protecting the Commonwealth's infrastructure and key assets necessitates a cooperative paradigm. Homeland security requires coordinated action on the part of federal, state, and local government; the private sector, and citizens. The Commission, as it has said in its prior Orders, has no desire or intent to replicate rules and regulations that are already in place and required by the federal government or other agencies. However, it is our duty to identify and secure the critical infrastructure and key assets within the Commonwealth.⁶ As such, the Self Certification Form and regulation is drafted so that any overlapping reporting duties or regulation by other state and federal agencies will not overly burden utilities.

Position of Norfolk Southern, CSX, Canadian National, Canadian Pacific, and Consolidated Rail

   In Norfolk Southern, CSX, Canadian National, Canadian Pacific, and Consolidated Rail's comments, they assert that federal law preempts state and local regulation of railroad safety and security. They maintain that they have already adopted their own security plans in conformance with the Association of American Railroads, the U.S. Department of Transportation, and the Department of Homeland Security and because railroads already have taken such appropriate action pursuant to federal requirements, the following language should be included in the Final Rulemaking Order:

§ 101.7 Applicability

This chapter does not apply to interstate freight railroads regulated by the Federal Railroad Safety Act and the Hazardous Materials Transportation Act if, within 60 days following the effective date of this chapter, the railroads submit a certification to the PUC that the railroads are in compliance with the security plan requirements of those statutes.

Disposition

   We will first address the preemption argument. The Federal Railroad Safety Act (FRSA), 49 U.S.C.A. §§ 20101--20153, provides that the law and regulations related to rail safety and security⁷ must be nationally uniform to the extent practicable. 49 U.S.C. A. § 20106. A state may adopt a regulation relating to railroad safety or security until the Secretary of Transportation (with respect to railroad safety) or the Secretary of Homeland Security (with respect to railroad security) prescribes a regulation covering the subject matter of the state requirement. Id.

   The railroads do not rely on any security regulations prescribed by the Secretary of Homeland Security for their preemption argument. Rather, the railroads assert that the preemptive umbrella of the FRSA extends to ''rail safety/security'' matters under the HMTA and prescribed by the Secretary of Transportation.

   We note that the Department of Homeland Security issues security regulations; not the Department of Transportation which generally issues safety regulations. Nevertheless, the railroads assert that the Commission is preempted because the HMTA requires each person who transports hazardous material to develop and adhere to a security plan. 49 CFR 172.800. All railroads carrying hazardous material in Pennsylvania must comply with this regulation. Id.

   The HMTA is not as comprehensive as the Commission's Final Rulemaking Order, mainly because it is limited to the transport of hazardous material and does not require a per se business continuity plan, cyber security plan, and emergency response plan.⁸ Norfolk Southern, CSX, Canadian National, Canadian Pacific, and Consolidated Railroad have not produced specific federal regulations that require a business continuity plan, cyber security plan, or emergency response plan. Instead, the railroads assert that their security plans are based on Association of American Railroad (AAR) guidelines.

   The Commission is not persuaded by the genuine legality of the railroads' preemption concerns. However, we note that the Transportation Security Administration (TSA) recently evaluated the measures currently required under Department of Transportation hazmat and rail regulations, the nature of rail operations, and the security enhancements completed by railroads. Upon this review, the TSA concluded that, for the present, those provisions adequately address the security concerns of which it is aware.⁹ (Hazardous Materials: Transportation of Explosives by Rail, 68 F. Reg. 34,374 (June 9, 2003)).

   With that being said, we will adopt the railroads proposal in part. The railroads submit that they have already taken appropriate action with respect to the four areas of concern in the Commission's regulations: physical security, cyber security, emergency response, and business continuity. Certainly, ''appropriate action'' would include, at the very minimum, having a plan in place. Therefore, the following addition to the regulation address the preemption concerns of Norfolk Southern, CSX, Canadian National, Canadian Pacific, and Consolidated Railroad's, plus meet the security concerns¹⁰ of this Commission:

§ 101.7 Applicability.

This chapter does not apply to an entity regulated by the Federal Railroad Safety Act (FRSA), 49 U.S.C. § 20101--20153, and the Hazardous Materials Transportation Act (HMTA), 49 U.S.C. § 5101--5127, if within 60 days following the effective date of this chapter, it submits a certification to the Commission indicating that it has its own written physical and cyber security, emergency response, and business continuity plans in place and is in compliance with the requirements of the FRSA and HMTA.

Position of the Pennsylvania Telephone Association

   After the comments were sent by Norfolk Southern, CSX, Canadian National, Canadian Pacific, and Consolidated Rail and the resulting withdrawal of the Final Rulemaking Order before IRRC, Act 183 was enacted into law.¹¹ Act 183 applies to the telecommunications industry in the Commonwealth and addresses, inter alia, reports filed to the Commission.

   The PTA filed timely comments on February 11, 2005. The PTA asserts that Act 183 limits the reporting of the incumbent local exchange companies to nine specifically enumerated reports and thus, the Commission does not have the authority to require filing of the Self Certification Form. See 66 Pa.C.S. § 3015(e).

Disposition

   While arguing that this rulemaking is ''improper under Act 183'' and raising four arguments in support of that position, PTA ultimately states that its member companies ''will not oppose the continued annual filing of the Physical and Cyber Security Self Certification Form.'' We commend the PTA for its cooperation in this important endeavor. We do recognize PTA's position that the agreement to file this form is not intended to waive PTA's right to advocate its position regarding the reporting requirements set forth in Act 183. Since PTA agrees to file this report, disposition of PTA's Act 183 arguments is not necessary at this time though they may need to be addressed in the future.

   Overall, we believe that the regulations, as herein revised and amended in consideration of comments received, and as attached hereto as Annex A, are consistent with the public interest and shall be adopted at this time through final order. Accordingly, under authority at Sections 501, 504, 505, 506, 1501 of the Public Utility Code, 66 Pa.C.S. §§ 501, 504, 505, 506, 1501, 66 Pa.C.S. §§ 2801 et seq. and the regulations promulgated thereunder at 52 Pa.Code §§ 57.191--57.197; and sections 201 and 202 of the act of July 31, 1968 (P. L. 769, No. 240) (45 P. S. §§ 1201 and 1202) and the regulations promulgated thereunder at 1 Pa.Code §§ 7.1, 7.2 and 7.5; section 204(b) of the Commonwealth Attorneys Act (71 P. S. § 732.204(b)); section 5 of the Regulatory Review Act (71 P. S. § 732.204(b)); and section 612 of The Administrative Code of 1929 (71 P. S. § 232) and the regulations promulgated thereunder at 4 Pa.Code §§ 7.251--7.235, we adopt the revised regulations set forth in Annex A; Therefore,

It is Ordered that:

   1.  The regulations of the Commission, 52 Pa. Code, are amended by the addition §§ 101.1--101.7 to read as set forth in Annex A.

   2.  The Secretary shall submit this Revised Final Rulemaking Order and Annex A for review and approval by the designated Standing Committees of both houses of the General Assembly, and for review and approval of the Independent Regulatory Review Commission.

   3.  The Secretary shall submit this order and Annex A to the Governor's Budget Office for review of fiscal impact.

   4.  The Secretary shall submit a copy of this Order and Annex A to the Office of Attorney General for review as to legality.

   5.  The Secretary shall certify this Order and Annex A and deposit them with the Legislative Reference Bureau to be published in the Pennsylvania Bulletin.

   6.  The revisions to Chapter 101 embodied in Annex A shall become effective upon final publication in the Pennsylvania Bulletin.

   7.  A copy of this Order and Annex A be filed in the folder regarding physical and cyber security program self-certification requirements for public utilities at M-0031717.

   8.  A copy of this Order and Annex A be served upon the Pennsylvania Emergency Management Agency, the Pennsylvania Office of Homeland Security, the Pennsylvania Department of Environmental Protection, the Energy Association of Pennsylvania, the Pennsylvania Telephone Association, the Pennsylvania Motor Truck Association , the Pennsylvania Bus Association, the Pennsylvania Taxicab and Paratransit Association, Pennsylvania Moving and Storage Association, the Pennsylvania Limousine Association, the Pennsylvania Chapter of the National Association of Water Companies, the Pennsylvania Section of the American Water Works Association, the Pennsylvania Rural Water Association, Pennsylvania League of Cities and Municipalities, Pennsylvania State Association of Boroughs, Pennsylvania Local Government Commission, Pennsylvania State Association of Township Supervisors, Keystone Rail Association, and the PUC jurisdictional respondents to House Resolution 361.

JAMES J. MCNULTY,
Secretary

   (Editor's Note: For the text of the order of the Independent Regulatory Review Commission relating to this document, see 35 Pa.B. 2972 (May 14, 2005).)

   Fiscal Note: Fiscal Note 57-234 remains valid for the final adoption of the subject regulations.

Annex A

TITLE 52. PUBLIC UTILITES

PART I. PENNSYLVANIA PUBLIC UTILITY COMMISSION

Subpart E. PUBLIC UTILITY SECURITY PLANNING AND READINESS

CHAPTER 101. PUBLIC UTILITY PREPAREDNESS THROUGH SELF CERTIFICATION

Sec.

101.1. Purpose.

101.2. Definitions.

101.3. Plan requirements.

101.4. Reporting requirements.

101.5. Confidentiality of self certification form.

101.6. Compliance.

101.7. Applicability.

§ 101.1. Purpose.

   This chapter requires a jurisdictional utility to develop and maintain appropriate written physical security, cyber security, emergency response and business continuity plans to protect this Commonwealth's infrastructure and ensure safe, continuous and reliable utility service. A jurisdictional utility shall submit a Self Certification Form to the Commission documenting compliance with this chapter.

§ 101.2. Definitions.

   The following words and terms, when used in this chapter, have the following meanings, unless the context clearly indicates otherwise:

   Abnormal operating condition--A condition possibly showing a malfunction of a component or deviation from normal operations that may:

   (i)  Indicate a condition exceeding design limits.

   (ii)  Result in a hazard to person, property or the environment.

   Business continuity plan--A written plan that will ensure the continuity or uninterrupted provision of operations and services through arrangements and procedures that enable a utility to respond to an event that could occur by abnormal operating conditions.

   Business recovery--The process of planning for and implementing expanded operations to address less time-sensitive business operations immediately following an abnormal operating condition.

   Business resumption--The process of planning for and implementing the restarting of defined business operations following an abnormal operating condition, usually beginning with the most critical or time-sensitive functions and continuing along a planned sequence to address all identified areas required by the business.

   Contingency planning--The process of developing advance arrangements and procedures that enable a jurisdictional utility to respond to an event that could occur by abnormal operating conditions.

   Critical functions--Business activities or information that cannot be interrupted or unavailable for several business days without significantly jeopardizing operations of the organization.

   Cyber security--The measures designed to protect computers, software and communications networks that sup-port, operate or otherwise interact with the company's operations.

   Cyber security plan--A written plan that delineates a jurisdictional utility's information technology disaster plan.

   Emergency response plan--A written plan describing the actions a jurisdictional utility will take if an abnormal operating condition exists.

   Infrastructure--The systems and assets so vital to the utility that the incapacity or destruction of the systems and assets would have a debilitating impact on security, economic security, public health or safety, or any combination of those matters.

   Jurisdictional utility--A utility subject to the reporting requirements of § 27.10, § 29.43, § 31.10, § 33.103, § 57.47, § 59.48, § 61.28, § 63.36 or § 65.19.

   Mission critical--A term used to describe essential equipment or facilities to the organization's ability to perform necessary business functions.

   Physical security--The physical (material) measures designed to safeguard personnel, property and information.

   Physical security plan--A written plan that delineates the response to security concerns at mission critical equipment or facilities.

   Responsible entity--The person or organization within a jurisdictional utility designated as the security or emergency response liaison to the Commission.

   Self Certification Form--The Public Utility Security Planning and Readiness Self Certification Form.

   Test--A trial or drill of physical security, cyber security, emergency response and business continuity plans. Testing may be achieved through a sum of continuous partial testing rather than one distinct annual drill when an entire plan is tested from beginning to end.

§ 101.3. Plan requirements.

   (a)  A jurisdictional utility shall develop and maintain written physical and cyber security, emergency response and business continuity plans.

   (1)  A physical security plan must, at a minimum, include specific features of a mission critical equipment or facility protection program and company procedures to follow based upon changing threat conditions or situations.

   (2)  A cyber security plan must, at a minimum, include:

   (i)  Critical functions requiring automated processing.

   (ii)  Appropriate backup for application software and data. Appropriate backup may include having a separate distinct storage media for data or a different physical location for application software.

   (iii)  Alternative methods for meeting critical functional responsibilities in the absence of information technology capabilities.

   (iv)  A recognition of the critical time period for each information system before the utility could no longer continue to operate.

   (3)  A business continuity plan must, at a minimum, include:

   (i)  Guidance on the system restoration for emergencies, disasters and mobilization.

   (ii)  Establishment of a comprehensive process addressing business recovery, business resumption and contingency planning.

   (4)  An emergency response plan must, at a minimum, include:

   (i)  Identification and assessment of the problem.

   (ii)  Mitigation of the problem in a coordinated, timely and effective manner.

   (iii)  Notification of the appropriate emergency services and emergency preparedness support agencies and organizations.

   (b)  A jurisdictional utility shall review and update these plans annually.

   (c)  A jurisdictional utility shall maintain and implement an annual a testing schedule of these plans.

   (d)  A jurisdictional utility shall demonstrate compliance with subsections (a)--(c), through submittal of a Self Certification Form which is available at the Secretary's Bureau and on the Commission's website.

   (e)  A plan shall define roles and responsibilities by individual or job function.

   (f)  The responsible entity shall maintain a document defining the action plans and procedures used in subsection (a).

§ 101.4. Reporting requirements.

   (a)  A utility under the reporting requirements of § 27.10, § 57.47, § 59.48, § 61.28, § 63.36 or § 65.19 shall file the Self Certification Form at the time each Annual Financial Report is filed, under separate cover at Docket No. M-00031717.

   (b)  A utility not subject to the financial reporting requirements in subsection (a), but subject to the reporting requirements of § 29.43, § 31.10 or § 33.103 (relating to assessment reports; assessment reports; and reports) shall file the Self Certification Form at the time each Annual Assessment Report is filed, under separate cover at Docket No. M-00031717.

§ 101.5. Confidentiality of self certification form.

   A Public Utility Security Planning and Readiness Self Certification Form filed at the Commission is not a public document or record and is deemed confidential and proprietary.

§ 101.6. Compliance.

   (a)  The Commission will review a Self Certification Form filed under § 101.4 (relating to reporting requirements).

   (b)  The Commission may review a utility's cyber security plan, physical security plan, emergency response plan and business continuity plan under 66 Pa.C.S. §§ 504--506 (relating to reports by public utility; duty to furnish information to commission; and inspection of facilities and records).

   (c)  The Commission may inspect a utility's facility, to the extent utilized for or necessary to the provision of utility service, to assess performance of its compliance monitoring under 66 Pa.C.S. §§ 504--506.

   (d)  A utility that has developed and maintained a cyber security, physical security, emergency response or business continuity plan under the directive of another state or Federal entity that meets the requirements of § 101.3 (relating to plan requirements) may utilize that plan for compliance with this subpart, upon the condition that a Commission representative be permitted to review the cyber security, physical security, emergency response or business continuity plan. A company that is utilizing another entity's plan shall briefly describe the alternative plan and identify the authority that requires the alternative plan along with the Self Certification Form filed with the Commission.

§ 101.7. Applicability.

   This chapter does not apply to an entity regulated by the Federal Railroad Safety Act (FRSA) (49 U.S.C.A. §§ 20101--20153) and the Hazardous Materials Transportation Act (HMTA) (49 U.S.C.A. §§ 5101--5127), if by August 10, 2005, it submits a certification to the Commission indicating that it has its own written physical and cyber security, emergency response and business continuity plans in place and is in compliance with the FRSA and HMTA.

______

¹ Docket No. M-00031717.

² This group includes common carriers of passengers and/or household goods and jurisdictional telecommunications, electric, gas, steam heating and water/wastewater utilities.

³ This group includes common carriers and forwarders of property and railroad carriers.

⁴ Comments were due on July 19, 2004.

⁵ The due date for comments to the Secretarial Letter was later extended to February 11, 2004.

⁶ See HR 361 (The Pennsylvania Public Utility Commission is responsible for inspecting utility facilities to assure the safe and reliable delivery of utility service and for evaluating programs that ensure the stability of complex and interdependent utility systems in the Commonwealth).

⁷ The FRSA was amended on November 25, 2002 to include the national uniformity of security regulations, in addition to safety regulations.

⁸ Under the HMTA, a security plan must include an assessment of possible transportation security risks for shipments of hazardous material and appropriate measures to address the assessed risk. At a minimum, a security plan must include: (1) measures to confirm information provided by job applicants hired for positions that involve access to and handling of the hazardous material; (2) measures to address the assessed risk that unauthorized persons may gain access to the hazardous materials covered by the security plan; and (3) measures to address the security risks of shipments of hazardous materials covered by the security plan en route from origin to destination. 49 CFR § 172.802.

⁹ Similarly, in response to House Resolution 361, the Commission and the Pennsylvania Emergency Management Agency issued ''Protecting Critical Infrastructure: Keeping Pennsylvanian Safe'' where we examined rail safety in Pennsylvania. The Commission reported that the railroad industry is accustomed to dealing with emergency situations (i.e., derailments and hazardous material spills) and has extensive emergency response plans. Generally, the report found that railroad emergency plans include: assessing assets and vulnerabilities, threats, and risks; determining countermeasures and actions; setting up alert actions and railroad actions; implementing, monitoring, and testing the plan; security instructions; and tank car vulnerability.

¹⁰ Federal regulations concerning rail transportation anticipate state participation in investigative and surveillance activities under the federal railroad safety laws and regulations. 49 CFR 212.1. Thus, even with the revised rulemaking, the Commission has the means to inspect and monitor a railroad's compliance with federal regulations and maintains a staff to do so. 49 CFR 212.101(d).

¹¹ House Bill 30 was signed into law by Governor Rendell on November 30, 2004 and became effectively immediately.

[Pa.B. Doc. No. 05-1119. Filed for public inspection June 10, 2005, 9:00 a.m.]

No part of the information on this site may be reproduced for profit or sold for profit.

This material has been drawn directly from the official Pennsylvania Bulletin full text database. Due to the limitations of HTML or differences in display capabilities of different browsers, this version may differ slightly from the official printed version.

101.1.	Purpose.
101.2.	Definitions.
101.3.	Plan requirements.
101.4.	Reporting requirements.
101.5.	Confidentiality of self certification form.
101.6.	Compliance.
101.7.	Applicability.