New York PSC Secretary Denies Request To Extend Deadline For ESCO Submission Of Self-Attestation Of Cybersecurity Controls
Utilities Say They Won't Take "Immediate" Action To Decertify ESCOs Based On Submitted Attestations
July 2, 2018 Copyright 2010-17 EnergyChoiceMatters.com
Reporting by Paul Ring • email@example.com
The following story is brought free of charge to readers by EC Infosystems, the exclusive EDI provider of EnergyChoiceMatters.com
The Secretary of the New York PSC has denied requests from ESCOs to extend the June 30, 2018 (effectively July 2, 2018) deadline set for the submission of Self-Attestation of Information Security Controls by ESCOs to the utilities.
Under the Self-Attestation, the ESCO must self-attest to its compliance with the Information Security Control Requirements as listed in the attestation.
The Secretary said that such deadline is part of the "business-to-business" discussions being conducted, "pursuant to the Uniform Business Practices under the supervision of the Department of Public Service Staff."
In light of the Joint Utilities' June 29, 2018 response to the requests that have been submitted (discussed further below), noting the iterative nature of the attestation process and their assurance to work in good faith, "I decline to modify the business-to-business deadline," the Secretary said.
The Joint Utilities on July 29 submitted a response to various ESCO requests for extensions in which the utilities said that, "As set forth in Case 18-M-0376 in the Commission's recent Order the attestations are important to identify any material gaps in security and should be completed by the June 30, 2018 deadline agreed upon so that we can protect utility systems and customer data."
The Joint Utilities said in their July 29 response that, "The utilities will not take imminent action under the UBP to decertify any ESCO or other party that does not have all of the security identified in the attestation. Instead, the utilities will review the attestations and contact those ESCOs that lack some of the required security and work out reasonable schedules to bring the security deficient ESCO into compliance. If compliance cannot be achieved we will work through the UBP rules, including required consultation with Staff, to cure a deficiency(s) prior to a decertification action. Only if an ESCO is unwilling or unable to cure security deficiencies, or if there is a cyber event, do the utilities believe it may be necessary to go through an accelerated decertification process. It is a last resort and provides due process protections, including notice, all of which will be honored."
However, the Joint Utilities said in their July 29 response that, "In the event that the utilities are not able to determine an ESCO’s security status because the ESCO has refused to respond to the attestation, decertification may need to start sooner. In that event the utilities will consult with Staff and follow the due process associated with decertification set forth in the UBP, but will move to decertify because we need to know that the ESCOs and other applicable parties are providing adequate security. Once again, the utilities will inform the ESCOs prior to commencement of any process and there will be no surprises."
The Joint Utilities, in their July 29 response, noted that there is some concern that the attestation cannot be completed before negotiation of the data security agreement (DSA) is completed. "Specifically the ESCOs have raised the issue that the attestation refers to Confidential Utility Information, which may change because it is defined in the DSA that is the subject of negotiation," the Joint Utilities noted.
"So that we may move forward in a timely manner the utilities ask that the parties use the definition in the DSA to complete the attestation and that responses may be updated if the definition changes and the utilities commit that any changes that benefit the parties will flow through to all parties regardless of whether they have submitted a completed attestation or not. The utilities are committed to negotiate in good faith, including the definition of Confidential Utility Information," the Joint Utilities said in their July 29 response.
"[M]any ESCOs have asked that the utilities provide an NDA before they submit their attestation. Because the attestations purposely do not reveal technical security software or other confidential material, the utilities did not think an NDA was necessary, but, we are preparing an NDA for that purpose and have no objection to having the attestations submitted pursuant to an NDA. The utilities commit to the confidential treatment of the attestations and ask that the responses not be held up pending an NDA, which the utilities will circulate shortly," the Joint Utilities said in their July 29 response.
"The utilities are willing to include language to effectuate the above in the DSA. We are willing to discuss all issues in the attestation going forward and the DSA as long as they result in adequate security. We hope that this provides adequate assurance that the utilities are working in good faith and intend to see the process through so that we can attain adequate cyber security for utility systems and customers," the Joint Utilities said in their July 29 response.
"The utilities remain committed to that process and think it is premature to extend any time period before we have had an opportunity to receive, review and respond to comments and meet to discuss resolution of the identified issues. If we cannot resolve issues at the July meeting then an extension for the DSA may be appropriate and the utilities are not opposed to a reasonable extension to work through the issues raised," the Joint Utilities said in their July 29 response.