The Pennsylvania Public Utility Commission is reviewing the state’s cybersecurity regulations for utilities, with the goal of identifying whether they need to be revised to “address public utility fitness in the current and anticipated future cybersecurity threat landscapes.”

In a 5-0 vote Thursday, the PUC agreed to issue an Advance Notice of Proposed Rulemaking regarding two main groups of cybersecurity regulations: those that govern reporting of cyberattacks, and those related to self-certification. The ANOPR seeks comments from industry stakeholders, including regulated utilities, advocates and members of the public, regarding whether the existing regulations need to be revised.

Pennsylvania’s self-certification regulations, introduced in 2005, require jurisdictional utilities in the state “to develop and maintain written physical, cyber security, emergency response and business continuity plans to … ensure safe, continuous and reliable utility service.”

Entities that are counted as “jurisdictional utilities” include public electricity and gas utilities — along with public telecommunications, water, and steam utilities; air transportation utilities; motor vehicle common carriers; and railroad carriers — but not non-public electric and gas suppliers.

The cyberattack reporting regulations likewise apply only to public electric, gas, water, and steam utilities. They require affected utilities to report any physical or cyberattacks that cause an interruption of service or over $50,000 in damages, or both. The $50,000 threshold was chosen because the PUC considers it “high enough to prevent reporting minor everyday occurrences but still [allowing] the PUC to have knowledge of incidences that result in a significant expense.”

Self-Certification Leads Concerns

The ANOPR listed several potential justifications for revising both sets of regulations, mostly in the realm of self-certification.

First, the age of the existing regulations means that since they were drafted the list of cyber threats facing utilities has “increased in number, type, and sophistication.” For example, ransomware attacks, in which an aggressor threatens to delete important data or reveal embarrassing information to the public, have targeted critical infrastructure in recent years to a degree that was not anticipated in 2005. In addition, as public utilities integrate their information technology (IT) and operational technology (OT) systems, the risk that adversaries will be able to disrupt operations has grown as well.

The PUC noted that “industry and government have continuously reviewed, expanded, and improved cybersecurity standards for entities of all kinds,” pointing to the National Institute for Standards and Technology’s (NIST) cybersecurity framework as a “model and a process to increase cybersecurity maturity in any organization.” It also held up NERC’s Critical Infrastructure Protection (CIP) reliability standards as an illustration of a “prescriptive” approach to addressing “the evolving nature of cyber-related threats to the bulk power system.”

The ANOPR suggests that the PUC has “at a minimum, five potential regulatory approaches to ensure that public utilities have adequate cybersecurity plans in place,” including:

• a similar approach to existing regulations that would see the PUC set criteria for utilities’ cyber plans and require entities to report that they have such plans and are updating them annually;
• having entities self-certify that they have plans that comply with appropriate federal or industry standards;
• requiring utilities to have a third-party certify that it has a plan that complies with relevant federal or industry standards;
• modifying the PUC’s public utility management audit process to include onsite reviews of cybersecurity plans and programs; and
• requiring public utilities to file confidential copies of their cybersecurity plans and procedures with the PUC so that it can comment on their adequacy and require modifications where needed.

Stakeholders are asked to comment on the “relative merits and weaknesses” of each approach and which one, or combination, would best address the cyber threat landscape. In addition, the PUC asked for comment on whether the self-certification provisions should be expanded to include other types of entities besides public utilities, and whether some public utility types should be wholly or partially exempt from the requirements in order to ease their regulatory burdens, or for other reasons.

Reporting Criteria Updates

The requested comments on the cyber reporting regulations mainly relate to the type of incidents that the PUC expects utilities to encounter in the future.

Commissioners believe the current standards “focus on interruption of service” — and therefore utilities’ OT networks — “as a criterion for reporting.” But with IT and OT systems increasingly integrated, there is growing risk that cyber threats affecting the IT environment will create disruptions in the OT space as well. As a result, the PUC has a vested interest in having “advance warning of threats emerging in the IT environment.

The commission is seeking comment on how it might revise the reporting criteria to bring in new requirements for reporting IT incidents, along with the relevance of the $50,000 threshold for damages. Noting that the regulations currently do not address several elements of a potential cyberattack, including how damages should be attributed, when the damages calculation should be performed and how the availability of insurance should be factored in, the PUC asked whether the threshold should be revised or done away with.

Finally, the PUC is wondering whether it should merge the self-certification and reporting requirements. Commissioners suggest that bringing all of the PUC’s cyber regulations together would give utilities a single point of reference and help eliminate “unintended or unjustified inconsistencies in the existing regulations.”

Comments on the ANOPR are due 60 days after its publication in the Pennsylvania Bulletin.