- Texas utilities are wary of a cybersecurity monitor (CSM) proposed in a December rule by the state's Public Utilities Commission, stressing in comments filed Monday that legislators intended the new entity to focus on best practices sharing rather than oversight and enforcement.
- Lawmakers last year authorized a framework for collaboration among regulators, utilities and the state's grid operator, through a cybersecurity coordination program that would monitor efforts among investor-owned, cooperative and municipally-owned power providers.
- Experts say utilities are wary of sharing sensitive information that could wind up being broadly disseminated through public records requests, and they note there are already mandatory security standards intended to keep the grid secure.
The details of how the CSM would operate and what information would be shared with it are still being worked out, but comments from Texas utilities reveal a fair bit of concern.
"The Legislature never suggested there was any intention to create a new investigatory entity with oversight authority over monitored utilities," Oncor Electric, the state's largest utility, told regulators in its comments. "The language of the enabling statutes clearly reflects this specific role intended for the CSM as a facilitator, not a regulator."
To that end, Oncor told the regulators they should delete from the proposed rule "all provisions that could be construed to vest the CSM with authority to require monitored utilities to submit to assessments or respond to information requests."
Likewise, Oncor told the PUC that lawmakers had "made clear that information to be submitted by monitored utilities to the CSM is to be done on a voluntary basis."
Similarly, Southwestern Public Service Co., El Paso Electric Co. and Entergy Texas filed joint comments raising their concern that "reporting to the CSM may duplicate coordination efforts" with the North American Electric Reliability Corp.'s existing Critical Infrastructure Protection standards, "which increases compliance costs."
Some experts say the utilities' concerns are valid, in particular as more state regulators feel the need to take on roles related to cybersecurity.
"Many state PUCs are wrestling with the need to do something in this area," Sharon Chand, a principal with Deloitte & Touche's cyber risk services, told Utility Dive. "States are feeling the need to take some action, though certainly there are federal programs as well."
The Texas legislation "does read as voluntary, so there aren't enforcement standards — but a lot of objectives around outreach," Chand said. "There are a lot of questions from utilities about whether this will add value. It's just not clear."
Richard Henderson, head of global threat intelligence at cybersecurity firm Lastline, said that while utilities have concerns about the regulatory burden, he would prefer to see participation in the CSM be mandatory.
"To make certain aspects of it voluntary is probably not the right direction," Henderson told Utility Dive in an email. "It takes a lot of time and resources to prove compliance ... The complete lack of enforcement ability by the CSM is also a concern — what is the expected outcome when the CSM discovers a substantial issue with a utility? It appears for now, the only intent is to let the state know about it."
Reply comments in the docket are due Feb. 10, and a public hearing on the CSM proposal is scheduled for March 4 at the commission's offices in Austin.