PUC Asks Whether Retail Suppliers & Brokers Should Be Subject To Cybersecurity Obligations
November 14, 2022 Copyright 2010-21 EnergyChoiceMatters.com
Reporting by Paul Ring • firstname.lastname@example.org
The following story is brought free of charge to readers by EC Infosystems, the exclusive EDI provider of EnergyChoiceMatters.com
The Pennsylvania Public Utility Commission (PUC) has issued an Advance Notice of Proposed Rulemaking Order (ANOPR) to review its current regulations relating to cybersecurity, including whether electric generation suppliers (EGSs) and natural gas suppliers (NGSs) should be subject to the regulations.
The PUC's definitions of EGS and NGS include brokers and aggregators, in addition to load-serving suppliers.
The PUC's cybersecurity regulations fall into two groups: (1) cyber attack reporting regulations and (2) self-certification regulations.
The self-certification regulations currently apply to jurisdictional utilities, as defined by 52 Pa. Code § 101.2.
Licensed entities under the PUC's supervision, including but not limited to electric generation suppliers (EGSs) and natural gas suppliers (NGSs), do not qualify as a "jurisdictional utility" under Section 101.2 and are thus not subject to the existing self-certification regulations.
The reporting regulations apply to a subset of utilities and also do not currently apply to EGSs or NGSs.
The PUC sought comment "on whether the self-certification regulations, or revisions thereto, should be applied to additional types of entities that are subject to the PUC's supervision."
The PUC also stated, "there is an open question as to whether the reporting requirements should remain limited to water, electric, gas and steam public utilities, or be broadened to include any of the following: other certificated public utilities, such as wastewater and telecommunications public utilities, and licensed entities such as those providing EGS, NGS and TNC [transportation network company] services."
The PUC listed five potential regulatory approaches to ensure that public utilities (and potentially other entities) have adequate cybersecurity plans in place to respond to cyber threats:
• Similar to the existing regulations, require a public utility to self-certify that it has a plan, a program, or both, that complies with criteria set forth in the PUC’s regulations and to report annually to the PUC that such plans and/or programs exist and are updated and tested annually.
• Require a public utility to self-certify that it has a plan, a program, or both, that complies with an appropriate Federal or industry standard and to report annually to the PUC that such plans and/or programs exist and are updated and tested annually.
• Require a public utility to provide a third-party expert certification that the public utility has a plan, a program, or both, in place that complies with a relevant Federal or industry standard appropriate to that utility and to report annually to the PUC that such plans and/or programs exist and are updated and tested annually.
• Integrate an onsite review of cybersecurity measures, plans, and programs into the PUC’s public utility management audit process and examine cybersecurity measures, plans, and programs in place as a part of the management audit function.
• Require a public utility to file a confidential copy of its cybersecurity plans and programs with the PUC and enable the PUC to directly review and comment on the adequacy of such plans and programs and, where deficiencies exist, require conformance with regulatory standards.
The PUC sought comment on the relative merits and weaknesses of each of the above approaches.
With respect to the existing rules, which (in current or revised form) may in the future be applied to suppliers and brokers, the PUC sought comment on ways to streamline and otherwise improve the filing, handling, and storage of Self-Certification Forms.
The PUC also sought comment on whether and how to streamline the self-certification form, plan and reporting requirements to better calibrate the benefits of the existing regulations against the burdens they place on regulated entities, especially smaller utilities, and on PUC staff.
The PUC sought comment on potential ways to revise the reporting criteria in its existing regulations, including the potential addition of new requirements for reporting incidents involving IT.
The PUC sought comment on the continuing efficacy of the $50,000 reporting threshold for cyber attacks in the current rule.