UPDATE: May 19, 2020: The Public Utilities Commission of Texas voted May 14 to establish new cybersecurity coordination and monitoring programs in line with staff recommendations. There were no substantive changes in the PUC's decision, analysts told Utility Dive.
- The Public Utilities Commission of Texas will vote May 14 to establish new cybersecurity coordination and monitoring programs authorized by lawmakers last year. Experts say other states are watching the proceeding and may follow with development of their own monitoring programs, if Texas is successful.
- Senate Bill 64 established a cybersecurity coordination program for utilities to share guidance on best practices, while SB 936 established a cybersecurity monitor program for transmission and distribution utilities, and municipally owned utilities or electric cooperatives in the Electric Reliability Council of Texas (ERCOT) market.
- While state law requires utilities to fund the monitoring program through ERCOT, they will have wide latitude in what information they share. "Monitored utilities are not required to provide any documents to the cybersecurity monitor," according to a staff's recommended order being considered at the PUC's Thursday open meeting.
Utilities had pressed to maintain the voluntary nature of the cybersecurity monitor, but some experts question whether that was the most effective path.
"For the long-term success and safety of the grid, participation and reporting should be compulsory, not voluntary, but perhaps that will happen in the years to come," Richard Henderson, head of global threat intelligence at security firm Lastline, told Utility Dive. "On the other hand, I do think that mandatory monthly reporting to the [monitor] to be onerous for participants."
Texas utilities have maintained in comments to the PUC that legislators intended the new cybersecurity entity to focus on best practices sharing rather than oversight and enforcement. And they are wary of sharing sensitive information that could be disseminated through public records requests.
"The commission agrees that the cybersecurity monitor does not have the authority to require monitored utilities to submit to vulnerability assessments or to produce documents or other information related to any such assessments," according to staff's recommended decision.
State lawmakers "never suggested there was any intention to create a new investigatory entity with oversight authority over monitored utilities," Oncor Electric, the state's largest utility, told regulators in January comments.
Oncor officials told Utility Dive they stand by their previous comments and are waiting to see the PUC's ruling before commenting further.
"The commission did make some minor changes to the proposal, but for the most part, the original substance remains the same," Henderson said.
Some utilities had pressed the PUC to loosen reporting requirements, which include monthly, quarterly and annual reports. The proposed order notes the PUC "does not agree that a requirement for monthly reports is duplicative or excessive."
"Quarterly reporting with ad hoc reporting of incidents or issues would probably be more than sufficient," Henderson said, siding with utilities.
The Texas cybersecurity monitor shows the PUC "continues to strive to protect the security of the electric grid in their state," Mike Kosonog, Deloitte's cyber risk services energy, resources and industrials industry leader, told Utility Dive in an email.
Deloitte advises its utility clients to embrace automation and artificial intelligence to adapt their security programs, "while also leveraging existing public and private information-sharing vehicles to support a coordinated industry response," Kosonog said.
Henderson said the new monitoring program is "a good step forward."
"And I know from speaking with other officials in other states that what's happening in Texas right now is being watched very closely," he said. "A successful outcome here will likely result in other states following suit."