New York Utilities Seek PSC Approval For Update To ESCO Cybersecurity Requirements
The New York Joint Utilities have petitioned the New York State Public Service Commission for modifications to the Commission's October 17, 2019 Order Establishing Minimum Cyber Security and Privacy Protections and Making Other Findings, and to the attendant cybersecurity requirements for ESCOs and other entities (collectively, ESEs).
The utilities said that the proposed modifications include:
• Six updated and three new requirements in the current Self Attestation (SA) of the Commission-approved Data Security Agreement (DSA) that reflect "evolving cybersecurity and privacy needs"
• A governance process for regular SA review and to provide recommendations for further SA updates.
Of the new SA requirements, the utilities said, "Generally, these updates apply the longstanding, industry-accepted voluntary standard frameworks issued by NIST. The proposed updates reflect reasonable cyber hygiene practices and are considered minimum best practice requirements in 2022. These universally accepted standards form the basis for several regulations, including, for example, the Transportation Security Agency's (TSA) recent Security Directives and the Department of Defense (DoD) Cyber Maturity Model Certification (CMMC) process."
The new requirements are as follows:
• Item # 16 - Inventory - Developing and maintaining a data inventory that an ESE can use to catalog its data and location.
"Entities must have an adequate understanding of the data they possess to ensure that it is appropriately protected. A data inventory will assist entities in understanding where their sensitive data is located and is foundational to the cybersecurity life cycle management process," the utilities said.
• Item # 17 - Communications - Organization communications (i.e., information transmitted or received by organizational systems) are monitored, controlled and protected at the external boundaries and key internal boundaries of the information systems. Sub-networks for publicly accessible system components are physically or logically separated from internal networks. Management of devices uses encrypted sessions.
"These are part of NIST and other standards, including those required by the International Organization for Standardization (ISO), and represent minimum standards in 2022. The Joint Utilities meet these requirements," the utilities said.
• Item # 18 – Physical Access – Physical access to organizational information systems, equipment, and the respective operating environments is limited to authorized individuals. Physical security controls include the following: visitors are escorted and their activity is monitored; audit logs of physical access are maintained; and physical access devices are controlled and managed.
"Entities having access to confidential information should maintain appropriate physical security measures," the utilities said.
One modified SA requirement adds a specific requirement for criminal background checks to the current "screening" requirement.
The proposal states: "Employee Background Screening - Include a criminal background check for employees with access to confidential information: employee background screening, including criminal background checks, occurs prior to the granting of access to Confidential Customer Utility Information."
"In line with applicable legal requirements, employees handling confidential information must clear a criminal background check given the sensitivity of this information," the utilities said.
Another modified SA requirement is: "Encryption in Transit – Reflect expected encryption in transit requirements under NIST and encrypt all Confidential Customer and Non-Public Utility Information in transit using encryption methods compliant with NIST cryptographic standards and guidelines."
The utilities said that this change removes the current exemption for email and moves the benchmark from "industry best practice" to NIST cryptographic standards and guidelines.
Among other things, the changes would also "Require installation of Endpoint protection software on all servers and workstations and maintenance of same with up-to-date signatures."
The Joint Utilities propose that the Commission establish a Governance Committee. A defined process and the Governance Committee would provide a forum for regular reviews and updates of the SA. The Governance Committee could also be empowered to address other issues related to the DRC process, the utilities said.
Among other things, the Governance Committee would:
• Consist of up to five Joint Utilities members and up to five Staff members, all of whom are cyber security subject matter experts
• Meet at least quarterly
• Establish an Advisory Working Group, including, at a minimum, ESEs and NYSERDA, who would provide the Governance Committee with suggestions and recommendations as well as provide feedback on proposed recommendations for further updates to the SA
• Consider the current threat landscape and the existing regulatory and legislative framework, and identify risks and potential gaps in the current protections
• Recommend changes to the SA to the Commission, as needed
• Participate and engage with stakeholder forums
Cases 20-M-0082 and 18-M-0376
Would Require Criminal Background Checks Of Certain ESCO Employees
Utilities Propose Governance Committee To Recommend Future Updates, Consisting Of Only Utilities And DPS Staff
May 4, 2022
Reporting by Paul Ring • ring@energychoicematters.com
Copyright 2010-21 EnergyChoiceMatters.com