NEM Says Latest New York Utilities Cybersecurity Petition Can't Cure Procedural Deficiencies
April 29, 2019 • Copyright 2010-19 EnergyChoiceMatters.com
Reporting by Paul Ring
The following story is brought free of charge to readers by EC Infosystems, the exclusive EDI provider of EnergyChoiceMatters.com.
The National Energy Marketers Association (NEM), in comments to the New York PSC on a February petition from the joint utilities, said that the petition, which sought to "confirm" that the previously adopted Data Security Agreement ('DSA') and its accompanying Self-Attestation ('SA') had been appropriately developed under the business-to-business process, cannot be used to cure procedural deficiencies in the original creation of the DSA and SA.
As first exclusively reported by EnergyChoiceMatters.com, the joint utilities (JU) in February sought Commission approval of the business-to-business process used to develop the DSA because some Energy Services Entities (ESEs) argued that a rulemaking process must precede any requirement by the joint utilities that ESEs execute the DSA.
In its comments, NEM said that, "In the February Petition the JU seek to cure the process deficiencies identified by NEM in its Response to the November Petition. The operative fact here is that the process deficiencies have already taken place. Potentially-affected entities were not apprised of the business-to-business process before or during the time it was taking place -- the time when the terms of the DSA and SA were being developed and when participation is vital to affecting the ultimate outcome."
"That the JU finally filed a copy of DSA and SA in Dockets 18-M-0376 and 15-M-0180 in February 2019 is not sufficient to undo the harm to the potentially affected entities (curiously the JU still did not file the DSA and SA in Docket 98-M-1343 notwithstanding the direct connection to the provisions of the UBP). Shining light on these policies and requirements after-the-fact of their development is not sufficient to ensure an informed dialogue or to afford parties with a real opportunity to inform or influence the results. Due process requires a meaningful opportunity for participation. Meeting notices and documents must be published to official Commission dockets on the Commission website," NEM said.
"NEM supports the development and implementation of reasonable cybersecurity standards for the retail energy marketplace. However, as explained in this and prior filings, the Data Security Agreement (DSA) and Self Attestation (SA) are the result of a fundamentally flawed process, one that cannot be remedied by the after-the-fact fixes the utilities attempt to utilize in the February Petition. The Commission is entrusted with the authority to develop, implement and enforce energy policies in the State of New York. The JU have usurped the Commission’s policymaking authority in the business-to-business process to develop, implement and enforce cybersecurity policy for the retail energy marketplace in the State of New York that heretofore did not exist. The JU, direct competitors with ESCOs and ESEs, are exercising utility monopoly market power to unreasonably restrict ESCOs and other ESEs from accessing their systems and thereby cause these entities to be unable to serve customers. For these reasons, the Commission should affirm that reliance on a SAPA-compliant process is necessary and will be relied upon for the establishment of reasonable cybersecurity policy for the retail energy marketplace in New York," NEM alleged in its comments.
Turning to the substance of the DSA and SA themselves, NEM reiterated prior concerns that have been previously reported by EnergyChoiceMatters.com.
Among other things, NEM expressed remaining concerns with the latest insurance requirements, even though the utilities reduced the DSA cyber insurance requirement to $5 million from the $10 million originally proposed and also agreed to drop the proposal that utilities be included as a named insured.
"If a cybersecurity insurance requirement is imposed, it should be commensurate with the nature of the data to be protected, the extent of ESCO interaction with utility systems (some ESCOs completely outsource the EDI function and do not interact with the utility EDI system), the risk posed by those interactions, and the cybersecurity measures the ESCO has implemented to prevent a data breach. In addition, if a cybersecurity insurance requirement is imposed, ESCOs should have flexibility in satisfying the requirement, for example, by allowing the ESCO to be self-insured, and allowing use of letters of credit or other similar security instruments," NEM said.
NEM noted concerns with provisions in the DSA concerning customer data.
"For instance, DSA Section 14.a. prohibits ESCOs from creating or maintaining data that is derivative of CUI [Confidential Utility Information], subject to certain exclusions. The exclusions enumerated may be too narrow to accommodate or anticipate derivative data uses that will fuel DER product and service development. This clearly runs counter to REV goals - 'Ready access to information regarding customer energy usage is vital to the success of DER markets. For DER developers, information about a potential customer’s energy usage is necessary to design products tailored to the consumer’s needs.' In other words, ESCOs analyze customer information to derive data that drives customer-focused product innovation. To be clear, UBP Section 4.F. already clearly sets forth ESCO obligations with respect to customer data as well as prohibited uses and practices. The DSA exceeds these requirements of the UBP," NEM said.
NEM further noted that, "The DSA applies a number of significant compliance obligations on 'Third Party Representatives' used by an ESCO, including direct liability to the utility for a data breach, submission to utility audits, compliance with utility security assessments, data processing and storage requirements, and to abide by the applicable UBP or UBP DER. The term 'Third-Party Representative' is defined in the DSA to refer to ESCO contractors and subcontractors “that store, transmit or process” CUI. The definition is too broad, encompasses entities that do not pose a real risk to the utility system and imposes unreasonable compliance obligations on these entities where a Non-Disclosure Agreement between the ESCO and Third-Party Representative would be sufficient to ensure customer data security."
"The DSA includes a requirement to allow utilities to audit ESCO operations. The DSA permits alternatives to a utility audit, such as a SOC II Type 2 report or a third-party auditor. However, concerns about permitting the utility, a business partner and direct competitor, to access ESCO confidential and proprietary systems remain. The exact process to be utilized in the audit also remains unclear. Also, PCI DSS compliance by an ESCO should be considered as an alternative to the utility audit," NEM said.
NEM also urged the PSC to reject the JU's assertion that UBP Section 2.F.1.a. provides them with a basis for disconnecting ESCOs for failure to execute the DSA. UBP Section 2.F.1.a. provides that a utility may discontinue an ESCO’s participation in its retail access program for, "[f]ailure to act that is likely to cause, or has caused, a significant risk or condition that compromises the safety, system security, or operational reliability of the distribution utility’s system, and the ESCO or Direct Customer failed to eliminate immediately the risk or condition upon verified receipt of a non-EDI notice."
"To NEM’s knowledge, the type and extent of conduct to satisfy the Section 2.F.1.a. threshold has not heretofore been examined by the Commission. In the absence of such Commission guidance, the JU should not be permitted to exert unchecked discretion in making a determination that an ESCO should be discontinued under this Section. Moreover, it should be construed in such a way that it can only be invoked with respect to 'significant risks,' as opposed to disputes between the utility and an ESCO. UBP Section 2.F.1.a. was not intended to give the utilities unfettered discretion to demand prescriptive unvetted contracts to be signed by ESCOs participating in retail access programs allegedly in the name of system reliability," NEM said.