New York Utilities Seek PSC Order Confirming Their Ability To Discontinue ESCOs' Access To Utility Systems For Failure To Sign Data Security Standards
November 9, 2018 Copyright 2010-17 EnergyChoiceMatters.com
Reporting by Paul Ring
Consolidated Edison Company of New York, Inc., Orange and Rockland Utilities, Inc., Central Hudson Gas & Electric Corporation, National Fuel Gas Distribution Corporation, The Brooklyn Union Gas Company d/b/a National Grid NY, KeySpan Gas East Corporation d/b/a National Grid, and Niagara Mohawk Power Corporation d/b/a National Grid, New York State Electric & Gas Corporation and Rochester Gas and Electric Corporation ("Petitioners" or "Joint Utilities") petitioned the New York Public Service Commission (the "Commission") to issue a declaratory ruling confirming the Joint Utilities’ right under the UBP to discontinue an Energy Service Company’s ("ESCO") access to Petitioners’ various systems, in their relevant retail access program, if that ESCO fails to meet minimum data security standards, including the execution of a Data Security Agreement ("DSA") in accordance with UBP provisions governing "Eligibility Requirements" for ESCOs.
Citing UBP at 11-12 (Section 2: Eligibility Requirements (F).1.a), the Joint Utilities said that the UBP provides that they can discontinue an ESCO’s participation in a retail access program for the following reason: "Failure to act that is likely to cause, or has caused, a significant risk or condition that compromises the safety, system security, or operational reliability of the distribution utility's system, and the ESCO or Direct Customer failed to eliminate immediately the risk or condition upon verified receipt of a non-EDI notice." [emphasis by Joint Utilities]
"An ESCO’s refusal or failure to meet minimum data security requirements, including a refusal to execute the DSA, poses a significant risk that compromises utility and ESCO system security and the privacy of customer data. An ESCO’s failure or refusal in this regard justifies discontinuance from access to utilities’ various systems," the Joint Utilities said.
The Joint Utilities said that, "there remains a small group of ESCOs (the 'Non-participating ESCOs') that have either failed or refused to sign the DSA or complete the Self-Attestation, or both. In addition, some Non-participating ESCOs failed to engage in the business-to-business process and some now seek to delay the process or reject the business-to-business process entirely. Some seek further technical discussions to discuss further modifications to the current DSA and Self Attestation. To the extent the Non-participating ESCOs state that widely accepted cyber security protections/defenses are not necessary or justified, these positions were either incorporated, rejected or folded into the larger compromise to achieve the current DSA terms."
The Joint Utilities said that, "A small number of Non-participating ESCOs have failed to commit to adequate data security to meet the minimum cyber security standards required to participate in the retail access program as required by the Commission. Accordingly, the Joint Utilities request that the Commission affirm the Joint Utilities’ right to discontinue these Non-Participating ESCOs’ ability to participate in the relevant retail choice programs and to deny access to the Joint Utilities’ systems and data."
"The Staff Report addressed each of the concerns raised by the Non-participating ESCOs and concluded that, those concerns notwithstanding, moving forward promptly with signed DSAs and Self Attestations is warranted. Delaying efforts to close this gap in cyber protections only prolongs the period that utilities and their customers are unprotected," the Joint Utilities said.
"Without executed DSAs and Self Attestations, the Joint Utilities and their customers are exposed to cyber security risks, including data and financial risk. These risks include the ability of the ESCO or ESE to harm a utility system during the regular exchange of information as well as the potential loss of customer data," the Joint Utilities said.
"Permitting Non-participating ESCOs to maintain access to utility customer systems while circumventing or avoiding minimum cyber security standards poses an unreasonable risk to utility systems and perpetuates a gap in data security. The Joint Utilities’ and customers’ interest in having adequate data security is of paramount interest to all stakeholders. As shown above, the UBP specifically permits a utility to discontinue an ESCO’s participation in the retail access program where there is significant risk that compromises the safety, system security, or operational reliability of the distribution utility's systems," the Joint Utilities said.
"The Joint Utilities believe the UBPs permit individual utilities to initiate the discontinuance process pursuant to UBP Section 2(F)(2) without intervention of the Commission. However, the Joint Utilities request that the Commission confirm the Joint Utilities’ right under the UBP to discontinue certain ESCOs access to Petitioners’ various systems and retail access program, if that ESCO fails to meet minimum data security standards," the Joint Utilities said.
The Joint Utilities did not identify by name any specific ESCO that they allege is out of compliance.