NOTICES
PENNSYLVANIA PUBLIC UTILITY COMMISSION
Order
[39 Pa.B. 4991]
[Saturday, August 15, 2009]Public Meeting held
April 30, 2009Commissioners Present: James H. Cawley, Chairperson; Tyrone J. Christy, Vice Chairperson; Kim Pizzingrilli; Wayne E. Gardner; Robert F. Powelson
Cyber Security Plans Required by 52 Pa. Code §§ 101.1,
et seq.; M-2009-2104273
Order By the Commission:
The security of public utility infrastructure is central to the Commission's mission of ensuring safe and reliable public utility service and of the utmost concern to this Commission. Providing guidance on the safety and reliability of such infrastructure falls squarely within our charge of ensuring that public utilities comply with the mandates of 66 Pa.C.S. § 1501.
As part of this duty, the Commission issued final Regulations on Public Utility Security Planning and Readiness at 52 Pa. Code §§ 101.1, et seq., which became effective on June 11, 2005, requiring jurisdictional utilities to develop and maintain written physical security, cyber security, emergency response and business continuity plans. In addition, the Regulations require jurisdictional utilities to file a Self Certification Form with the Commission documenting compliance with the above-mentioned plans.
Additional information recently came to the attention of this Commission regarding the cyber security of public utility infrastructure, particularly that of electric utilities. The information that prompted the necessity for Commission action included the following:
* On March 10, 2009, in its Smart Grid Issues Summary, The National Institute of Standards and Technology (NIST) noted that cyber security standards adopted by North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) working group only apply to the bulk power system, which excludes most of the electrical distribution assets and systems and could leave security gaps.
* On March 19, 2009, Mr. Joseph M. Weiss, a nuclear engineer and Managing Partner of Applied Control Solutions, testified before the U.S. Senate Committee on Commerce, Science and Transportation on the current status of cyber security of critical infrastructures. He advised the Congress that the growing interconnectedness of utility control systems is increasing the risk of a cyber security incident, whether through an intentional act or not. He also noted that the NERC CIP cyber security standards were inadequate, and that additional regulation was needed.
* On April 7, 2009, the NERC issued a letter to industry stakeholders advising them of its concerns regarding the proper classification of critical cyber assets.
* On April 8, 2009, the Wall Street Journal published an article alleging that the U.S. electrical grid had been penetrated by spies who left software programs in place that could be used to disrupt the safe and reliable delivery of electricity.
The Commission issues this Order to clarify the scope of its existing Public Utility Security Planning and Readiness Regulations in order to address these concerns.
It is this Commission's goal to ensure that there are no security gaps at the distribution level of electric utility systems in the Commonwealth. There should be no doubt that all utility infrastructure assets squarely within the jurisdiction of this Commission, including electric utility distribution assets, must be included in a utility's development of security planning and readiness against potential cyber threats to a utility's ability to maintain safe and reliable facilities.
Jurisdictional electric utilities particularly should be aware that the adoption of NERC CIP cyber security standards alone may not adequately address the cyber security of distribution assets. Accordingly, the Commission makes the clarifications regarding its Public Utility Security Planning and Readiness Regulations:
* The definition of ''Cyber security'' at 52 Pa. Code § 101.2 is interpreted by this Commission to include the protection of all utility distribution assets from Internet or other cyber-related incidents.
* The definition of ''Cyber security plan'' at 52 Pa. Code § 101.2 is interpreted by this Commission to mean a plan that has components addressing the security of distribution, and not just bulk power system, utility assets.
It is incumbent upon all jurisdictional public utilities, not just electric utility systems, to review their current cyber security plans for compliance with this Order. While the primary impetus of our action is the security of electric utility systems, all utilities subject to Commission regulation should review and revise their plans as needed to ensure that all infrastructure assets are included in the development of security planning and readiness against potential cyber threats. It is further understood that our action also maintains the flexibility of our Regulations to changes in technology and standards developed by stakeholders such as NERC and NIST. Therefore,
It Is Ordered That:
1. Clarifications to the Commission's final Regulations on Public Utility Security and Readiness at 52 Pa. Code §§ 101.1, et seq., are adopted.
2. The Secretary shall certify this Order and deposit it with the LegislativeReference Bureau for publication in the Pennsylvania Bulletin.
3. A copy of this Order shall be served on all jurisdictional utilities subject to the provisions of 52 Pa. Code §§ 101.1, et seq.
JAMES J. MCNULTY,
Secretary
[Pa.B. Doc. No. 09-1539. Filed for public inspection August 14, 2009, 9:00 a.m.]
No part of the information on this site may be reproduced for profit or sold for profit.This material has been drawn directly from the official Pennsylvania Bulletin full text database. Due to the limitations of HTML or differences in display capabilities of different browsers, this version may differ slightly from the official printed version.
