New York DPS Staff Says Data Security Agreement Now Required From ESCOs Strikes "Fair Balance", Notes Potential Discontinuance Process For Non-compliance
September 25, 2018
Copyright 2010-17 EnergyChoiceMatters.com
Reporting by Paul Ring • email@example.com
Staff of the New York Department of Public Service filed a report on the business-to-business process used to develop the Data Security Agreement (DSA) and other cybersecurity requirements now imposed on ESCOs.
Concerning the Data Security Agreement (DSA) that resulted from the business-to-business process, Staff said, "The end result was a DSA that varies significantly from what was originally proposed by the Joint Utilities. The revised DSA was circulated to ESEs [energy services entities, including ESCOs] on August 16, 2018 with a submission deadline of August 31, 2018. Staff believes the revised DSA strikes a fair balance between the Joint Utilities’ concerns of both protecting the utility systems from infiltration and against customer data breaches, and the ESE’s concerns of overreaching and over-burdensome cyber security requirements."
Staff reported that, "As of the [sic] September 21, 2018, approximately 80% of ESCOs have executed the DSA, and approximately 75% of ESCOs have executed the Self-Attestation. Moreover, the ESCOs that have executed a complete DSA serve approximately 90% of New York retail Access customers. With respect to EDI providers, approximately 50% have executed the DSA and approximately 35% have executed the Self-Attestation. The Joint Utilities are continuing to work with ESEs to resolve any discrepancies, misunderstandings, or outstanding questions."
Staff said that, "Staff expects the numbers of ESE that have executed both the DSA and the Self-Attestation to continue to increase over the next several weeks as individual concerns are addressed."
Staff said that, "Staff recognizes that the DSA is a significant evolutionary step for the industry under the UBP. Staff also understands that utilities plan to pursue discontinuance actions under the UBP for ESEs that do not comply."
Staff said that, "At the technical conferences held on July 26 and 27, 2018, the parties discussed instituting a 'cyber security working group' for the purpose of continuing to nimbly refine cyber security requirements as threats and technology change. This model would be similar to the electronic data interchange (EDI) working group that meets periodically to discuss issues surrounding the exchange of data between utilities and ESCOs and adopts modifications to the EDI process. Staff supports this initiative as a potentially effective means of evaluating and adapting the existing DSA and Self-Attestation to an everchanging cyber landscape going forward. This will allow interested stakeholders to continue this dialog and further refine the DSA where appropriate."
Staff noted that, under the UBP, the utility may discontinue an ESCO’s participation in its retail access program for a number of reasons including, "[f]ailure to act that is likely to cause, or has caused, a significant risk or condition that compromises the safety, system security, or operational reliability of the distribution utility's system..."
Staff said that the utilities claim that the failure to maintain adequate cyber controls constitutes such a failure.
Staff noted that the UBP details the discontinuance process, including timeframes, and includes participation by Staff.
Staff said that, "For the reasons stated above, Staff believes the business-to-business process has enabled a productive dialogue and has resulted in a balanced DSA. Staff is encouraged that a large majority of ESEs have executed the Self-Attestation and DSA. To the extent there are remaining ESEs that have failed to do so, the utilities have the ability to initiate the discontinuance process which, as discussed above, requires Staff’s interaction."
"Additionally, Staff recognizes that the DSA may require modification in the future and recommends establishing a cyber security working group that meets periodically to discuss these issues," Staff said.
Staff also recommended that a similar business-to-business process be instituted to develop a DSA applicable to distributed energy resource suppliers (DERS).
"In the meantime, however, Staff recommends application of the revised DSA to DERS with EDI type interfacing as the most appropriate articulation of cyber controls to be applied to this industry," Staff said.