ESCO Says Sought New York Utility Data Security Agreements Only Lower Utility Liability While Not Addressing Real Risks; Alleges Deficiencies In Utility Websites
June 25, 2018 | Copyright 2010-17 EnergyChoiceMatters.com
Reporting by Paul Ring • email@example.com
The following story is brought free of charge to readers by EC Infosystems, the exclusive EDI provider of EnergyChoiceMatters.com
Empire Natural Gas Corporation submitted comments to the New York PSC concerning proposed Data Security Agreements (DSA) and other cybersecurity requirements that utilities are seeking to impose on ESCOs, with Empire Natural Gas alleging that the proposals would merely lower utilities' liability, but would be ineffective at actually improving the security of utility networks and systems.
"We are concerned and somewhat overwhelmed with the rapid rush to react without fully considering the implications of these new statewide policies. These new requirements may have vast financial impacts on all entities involved, and may have a severe impact on a small business like Empire Natural Gas. This is especially troubling given that the PSC and utility representatives stated multiple times during last month's meeting that they have no understanding of the technical aspects of these issues. We also have concerns that the new agreements and assessments are being pushed through without proper authority under the Uniform Business Practices. Looking through the documents, there is no mention of cybersecurity requirements for network/computer systems," Empire Natural Gas Corporation alleged in its comments.
"One of our main concerns is in regard to the cybersecurity insurance requirements. What is the purpose of such a blanket requirement? Requiring the same level of insurance at every level of service (i.e., utilities, EDI vendors, ESCOs) adds redundant layers of the same insurance, driving up costs for all customers without adding any technical measures for preventing a breach. The insurance, by itself, will neither increase the security levels of computer networks and systems nor stop a determined foreign national entity or some other threat agent from breaching those systems," Empire Natural Gas Corporation said.
"One reason that has been given for the cybersecurity insurance requirement is our access to utility systems via the EDI process. We have no access to utility systems via the EDI process; we use a New York State approved EDI vendor who does this on our behalf. If we use an approved EDI vendor, who has cybersecurity insurance and has successfully completed testing with the utility, how does it make sense to require us to also have insurance covering the EDI process? Why is it impossible to separate liability in this scenario? It appears very straightforward," Empire Natural Gas Corporation said.
"Another reason that has been given for the cybersecurity insurance requirement is our access to utility systems via their websites. Residential customers are also accessing utility websites and entering information such as account numbers, meter reads, and billing information. Are the utilities requiring residential customers to have cybersecurity insurance for accessing their websites as well?" Empire Natural Gas Corporation said.
In its comments, Empire Natural Gas alleged, "During the 5/31 meeting, an apt comparison was made that requiring cybersecurity insurance for accessing utility websites would be the equivalent of Amazon requiring all amazon.com customers to have cybersecurity insurance for accessing their website. The PSC representative's response was to threaten to take away the utility websites."
Empire Natural Gas continued in its comments to state that, "We have the following questions regarding that," listing the following questions:
"1. Do the utilities have a process in place for accepting nomination changes each cycle every day without a website?
"2. Do the utilities have an alternative process for sending capacity release and storage transfer information every month?
"3. NYSEG and RG&E currently ask us to review our customer pool information on their website prior to a new month starting, and have us enter new contract numbers resulting from monthly capacity releases. Are there alternative methods for disseminating this information in each direction?"
"In general, are there alternative processes in place for securely exchanging these types of 'sensitive' information without a website? This type of exchange occurs daily as a normal course of business. Any alternative process would likely make this process less secure, more error-prone, and more costly in time," Empire Natural Gas said.
"It has been implied that we have direct access to utility systems through their websites. If the utilities are following security best practices, then our only access is to the web server hosting their website. The web server should be separated from the utility's internal network containing critical systems, either in a DMZ or a completely different network. It should be impossible to access the utility's internal network from their web servers. Therefore, the only security risk involved with the utility websites would be unauthorized information disclosure; it shouldn't be possible for an incident involving their websites to affect critical utility operations such as billing," Empire Natural Gas said.
"The utility websites are publicly accessible on the Internet, meaning that anyone can access them. If the utilities are attempting to put all liability on us for their public websites, how can we be assured that they are properly securing them? There is already evidence that the utilities are not following best practices," Empire Natural Gas alleged in its comments.
Empire Natural Gas alleged in its comments that, "Currently, many utility websites allow extremely weak passwords (short with very little entropy) and don't provide any account management options, making it difficult to accomplish a simple task such as changing a password. After a password change, at least one utility used to send an email with your new password, indicating that they were storing plaintext passwords in their backend database instead of salted password hashes. Some utility websites do not enforce HTTPS, allowing details such as usernames and passwords to be sent as clear text and be viewable by any third parties monitoring packets along the network path. At least one utility website does not support HTTPS at all. All of the web servers for utility websites appear to be missing fundamental security-related packet headers in their responses. These are extremely basic and troubling deficiencies."
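The deficiencies listed above (HTTPS not enforced, missing security headers, weak passwords, cleartext password storage) are the kind of thing a site operator can self-check before an external party has to point them out. The following is an added example, not code from the filing or from any utility; the header set, the hostname utility.example and the sample responses are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

# Headers whose absence the filing calls a "fundamental" deficiency. The filing
# names no specific headers, so this set is an assumption of the example.
REQUIRED_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
}

def audit_response(url, status, headers):
    """Return findings for one response: HTTPS enforcement and header coverage."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    if urlsplit(url).scheme == "http":
        # A plain-HTTP URL is acceptable only if it redirects straight to HTTPS.
        redirected = 300 <= status < 400 and lower.get("location", "").startswith("https://")
        if not redirected:
            findings.append("HTTPS not enforced: credentials would travel in clear text")
    findings += [f"missing header: {h}" for h in sorted(REQUIRED_HEADERS - set(lower))]
    return findings

def password_policy_ok(password, min_len=12):
    """Reject short, low-entropy passwords: require length and three character classes."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    classes = sum(any(f(c) for c in password) for f in checks)
    return len(password) >= min_len and classes >= 3

def hash_password(password, salt=None):
    """Store a salted PBKDF2 hash, never the cleartext (so it can never be emailed back)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)

# Constructed sample: a login page served over plain HTTP with no security headers.
INSECURE = ("http://utility.example/login", 200, {"Content-Type": "text/html"})
```

Running `audit_response(*INSECURE)` reports the missing HTTPS redirect and each absent header; the same function returns an empty list for an HTTPS response carrying all four headers.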
Empire Natural Gas said that proposed requirements allowing utilities to audit ESCOs concerning security, "are overly intrusive given that auditors will have access to all of our internal systems and data."
"Likewise, we've been informed that we can make arrangements to securely transmit our risk assessment responses to the utilities, but how can we be assured that the responses are being stored and handled securely after they've been received? Isn't storing information about the security environments of each company in one location antithetical to the idea of securing our environments? This will be a very enticing target for attackers," Empire Natural Gas said.
Empire Natural Gas said in its comments that, "It has been claimed that the goal of the security agreement and risk assessment is to improve security. They are effective at lowering utility liability, but ineffective at actually improving the security of utility networks and systems."
Empire Natural Gas said in its comments that, "We have the following questions about the security of utility networks and systems:
"1. Has application whitelisting been implemented to only allow approved software to run?
"2. Have all accounts been assigned the minimum set of privileges necessary to perform the task at hand?
"3. Is there a monthly (or more frequent) patch cycle to apply security updates to all software?
"4. Have firewall rules been implemented to allow outbound traffic only to approved IP prefix ranges?
"5. Have rules been implemented to strip dangerous attachments from emails before reaching users?
"6. Are regular security training and tests conducted with users?
"7. Has a comprehensive backup solution been implemented? Is recovery of data from those backups regularly tested?"
"If the goal is improving security and lowering risk, this small set of concrete steps is far more effective. The utilities should be focused on implementing defense-in-depth measures to protect customer data rather than finding ways to place the blame and financial responsibility on others when an incident happens," Empire Natural Gas said.
Other ESCO parties raised concerns as well.
Starion Energy NY, Inc. said that, with respect to insurance, the draft Data Security Agreements (DSA) at Section 12 specifies that ESCOs shall, "carry and maintain Cybersecurity insurance in an amount of no less than $10,000,000 per incident and Utility shall be included by endorsement as an additional insured on [such] Cybersecurity Insurance."
Starion Energy said, "This amount of coverage does not appear to be tied to any meaningful benchmark. Starion notes that the Commission declined to impose such an insurance requirement in the Proceeding on Motion of the Commission to Enable Community Choice Aggregation Programs in Case 14-M-0224."
Regarding insurance, Quantum Power Corp. stated, "On the many issues surrounding cyber insurance, it is important to recognize that insurance will add costs to ratepayers without improving data security. Cyber insurance will only hurt ratepayers and send the wrong signal to terrorist organizations. The cost of cyber security is being added to the cost to serve customers. The insurance costs will increase ratepayers' supply costs. The smaller the ESCO, the higher the costs those customers will pay. These costs, when unitized down to the per therm or kWh level, will be quite dramatic to many ESCOs, especially the smaller ESCOs that do not have a large customer base to spread the additional costs over. Conversely, utility companies collect these costs from their delivery rates. As currently proposed, the $10 million dollar insurance requirement will create a huge imbalance in the overall energy costs as ESCOs' supply costs will increase, while the utilities' supply costs are unaffected, and the utilities may look to increase delivery rates in the future. This in itself is questionable, as utilities will tip the scales of economics and equity in their favor by creating a price disparity in supply sources and ultimately making their supply cost the lowest. It is our understanding the Commission's Community Choice Aggregation proceeding ('CCA') has not required cyber insurance for conducting EDI transactions, and that the utilities do not carry that expense for their ratepayers' commodity supply. For these reasons and more, the proposed VRA and DSA would reverse a major Commission policy of parity concerning energy supply costs. It may be a better use of capital to invest in failsafe backup and recovery systems, instead of purchasing insurance. Being cost efficient on how to best manage this issue will also better serve New York ratepayers, while maintaining system integrity."
Among various other objections Starion raised to the DSA is the authority that the DSA would grant to utilities to audit ESCOs.
"Starion also strenuously objects to the extraordinary audit rights the Utilities have set forth in Section 9 of the draft DSA. Through this provision, the Utilities propose to acquire nearly unbounded access to the facilities, systems, resources, plans, books and records of the ESCOs. The Utilities, it should be noted, are not the ESCO's regulators; they are the ESCO's competitors. In no other industry does one competitor have such unfettered access to the proprietary information of another. While the need for data security protection exists, this need in no way supplants the traditional relationship between competitors nor does it undermine the historic recognition of the right to safeguard proprietary information against incursion. The Utilities should not be permitted to accomplish through an audit provision such a radical, anticompetitive departure from settled legal and business precedent," Starion said.
A group of ESCOs (Blue Rock Energy, Empire Natural Gas, Energy Cooperative of New York, Energy Mark, Mirabito Natural Gas, New Wave Energy, NOCO Natural Gas) proposed first addressing concerns about physical protection of utility networks and data systems from illicit access, with other non-physical concerns (e.g. insurance) addressed on a more deliberative timeline.
The group of ESCOs suggested a short term focus (by July 29, 2018) that would continue with a slightly modified "Attestation" process focusing solely on establishing and confirming the physical protection of utility networks and data systems from illicit access.
"Illicit access to and potential disruption of utility computing invoicing operations is clearly the most significant threat. Accordingly, it should be given appropriate priority and focus. This effort can be conducted without revision to the Uniform Business Practices and will be more readily accomplished by market participants," the group of ESCOs said.
"The 'Attestation' process should be modified to confirm specifically and only that each utility, ESCO, Community Choice Aggregator, and third party vendor interfacing with utility data have in place sufficient physical and administrative controls to prevent disruption to utility systems. This will require an understanding of the breaches that have occurred and their root causes. To date, the stakeholders have little or no information on these items. In consideration of the sensitive nature of such information it may be solely the responsibility of the utilities to establish the criteria, however, these criteria should be limited only [sic] those that will reasonably prevent illicit utility system access," the group of ESCOs said.
"The current 'Attestation' process mixes this extremely high priority issue with other issues that will certainly require further consideration time for successful implementation. The requirements for this high priority issue are also clearly separable from broader issues regarding what constitutes sensitive data, storage of such data, cybersecurity insurance, and audit requirements which must be addressed in the longer term," the ESCOs said.
For other issues, the group of ESCOs suggested a long-term process (by December 31, 2018) to prepare a revision to the Uniform Business Practices and eventual Data Security Agreements that establishes:
• Appropriate regulations and standards to be applied
• Confidentiality status of various utility data elements
• The need for insurance, level of insurance, and requirements for distribution of insurance proceeds
• The requirement for verifying and auditing compliance
Various other ESCO parties noted that much of the customer information the utility DSAs allegedly seek to protect is already known to the ESCOs, since it is received directly from the customer, not from the utilities. While ESCOs agreed that such information should be protected, they questioned why a DSA should govern it, given that ESCOs receive the information from customers during enrollment, not from the utilities.
The June 22, 2018 "business-to-business" deadline for Data Security Agreement (DSA) comments has been extended by the utilities to July 2, 2018. This "business-to-business" process is outside of a formal PSC proceeding, though parties may file comments in a PSC docket addressing cyber issues (Case 18-M-0376)
The PSC's Secretary said that a request from RESA to initiate a formal PSC process for review of the DSAs, due to anti-trust concerns of ESCOs collaborating outside of a government proceeding, is not properly resolved by the Secretary. The Secretary noted that in the Commission's Order Instituting Proceeding (Case 18-M-0376), the Commission supported the business-to-business process that is being utilized. "I note that the business-to-business process is being conducted under the supervision of the Department and the Commission," the Secretary said.
However, per the EDCs, the deadline for completing the self-attestation remains the same: attestations should be completed and submitted to the appropriate Joint Utilities by June 30, 2018.