Stakeholders Urge NYPSC to Reject Utilities’ Cybersecurity Proposal

Energy Service Companies Favor a Risk-based Approach

The National Institute of Standards and Technology (NIST) offers strategies to help protect sensitive information stored in computers that supports high-value assets. | Shutterstock

Jul 27, 2022 | Michael Kuser

Energy service companies urged New York regulators to reject a petition from utilities to strengthen cybersecurity requirements regarding customer data.

Energy service companies and a data policy coalition on Monday urged New York regulators to reject or amend a petition from the state’s investor-owned utilities to strengthen cybersecurity requirements regarding customer data (Case Nos. 20-M-0082; 18-M-0376).

The joint utilities on May 4 petitioned the New York Public Service Commission to approve six updated and three new requirements in the current self-attestation (SA) of the commission-approved Data Security Agreement (DSA) and a process for regular SA review and potential updates.

The utilities should use a risk-based approach to evaluate cybersecurity concerns, distinguishing between the risk to utility IT systems and the risk of improper access to customer data, whereby they could classify the sensitivity of such data and align appropriate levels of protection, NRG Energy said.

“Instead, the JU Petition opts to overly burden energy service entities [ESEs] and customers by requiring cyber security and encryption methods normally reserved for highly sensitive data at the highest levels of government,” NRG said.

Because the New York State Energy Research and Development Authority (NYSERDA) is working to implement the Integrated Energy Data Resource (IEDR) platform and the commission is considering the utilities’ Data Access Implementation Plan (DAIP), which includes a Data Ready Certification process, the utilities requested that the PSC “move expeditiously” to address the petition no later than Sept. 15, the date of the commission’s regular monthly session.

The utilities’ petition is “misguided and administratively inefficient” and should rather address “the root of the matter,” which is utility liability for a data breach caused by a customer-authorized third party, said Mission:data, a Seattle-based policy advocacy coalition.

Until the commission conclusively removes such liability from the joint utilities, a policy choice that has been made by numerous other states, the PSC will face unending requests from the utilities to increase cybersecurity requirements, even if such requirements are unreasonable, costly, impractical or ineffective, Mission:data said.

“Ultimately… the petition is ‘security theat’ — the performance of precautionary gestures that lack underlying substance,” Mission:data said.

In its July 26 comments, D.C.-based software company Arcadia Power concurred with Mission:data and requested that the commission conclusively remove liability from the utilities for customer-permissioned third-party data breaches. It also urged the PSC to establish a right to due process for ESEs with respect to cybersecurity standards while also requiring ESE representation on a proposed governance committee.

In addition to the general request to adopt a risk-based approach to cybersecurity that includes the SA, Arcadia recommended the commission remove or modify the current SA requirement that all confidential customer utility information be stored in the U.S. or Canada only (Cybersecurity Protection 10).

“Such a blanket restriction is not informed by risk level and is also premised on a flawed understanding of zero trust architecture. There are better ways to address national security concerns related to data processing than implementing such an overly broad geographic restriction,” Arcadia said.

To the extent there is any actual, incremental risk associated with processing data outside of the U.S. and Canada, Arcadia suggested there are numerous mitigation measures under a risk-based framework that would offset such a perceived risk.

“At a minimum, ESEs should be allowed a waiver from these unduly burdensome geographic restrictions upon implementing risk-based mitigation measures that more fully address the data processing security risks at the core of that policy’s rationale,” Arcadia said.

All of the modifications and additions to the SA proposed by the utilities should be reviewed in a stakeholder collaborative prior to the commission rendering a decision, a process that would allow stakeholders to articulate concerns about implementation, said New Jersey-based energy services company Family Energy, which offers gas and electric products throughout New York state.

New York Attorney General Letitia James in March announced that her office was requiring Family Energy to reimburse customers more than $2.1 million for its “dishonest business practices.”

New York NPCC NY PSC