Physical and Cyber Security Program Self Certification Requirements for Public Utilities [33 Pa.B. 6382]

Public Meeting held December 4, 2003

Commissioners Present: Terrance J. Fitzpatrick, Chairperson; Robert K. Bloom, Vice Chairperson; Glen R. Thomas; Kim Pizzingrilli; Wendell F. Holland

Physical and Cyber Security Program Self Certification Requirements for Public Utilities; Doc. No. M-00031717

Order

By the Commission:
Background

In July 1998, the Pennsylvania Public Utility Commission (PUC or Commission) instituted a Year 2000 technology (Y2K) readiness formal investigation to ensure the safe and reliable delivery of utility services to citizens in this Commonwealth and to refine emergency management and response processes. Since the completion of the Y2K investigation, the PUC has been working closely with its jurisdictional utilities and the Pennsylvania Emergency Management Agency (PEMA) to ensure coordination of critical infrastructure emergency and security procedures. Following the events of September 11, 2001, and its involvement in House Resolution 361 (HR 361), the PUC began coordinating its security efforts with the State Office of Homeland Security.
As the result of recommendations made by the Commission in the September 1, 2002, HR 361 report ''Protecting Critical Infrastructure: Keeping Pennsylvanians Safe,'' the Bureau of Fixed Utility Services, in conjunction with the Law Bureau and the Bureau of Transportation and Safety, developed a security self certification process for all PUC jurisdictional utilities. The bureaus proposed that a Physical and Cyber Security Planning Self Certification Form (Self Certification Form) be submitted to the Commission yearly as part of each utility's Annual Financial or Annual Assessment Report.
At the public meeting of July 17, 2003, the Commission adopted as its action the Motion sponsored by Commissioner Pizzingrilli in this proceeding. The corresponding Tentative Order was entered on August 5, 2003. The Tentative Order was published in the Pennsylvania Bulletin on August 16, 2003, with comments to the Tentative Order due by September 5, 2003.
Timely comments on the Tentative Order were filed by the Pennsylvania Telephone Association (PTA), the Energy Association of Pennsylvania (EAP), Pennsylvania-American Water Company (PA-American) and The Peoples Natural Gas Company d/b/a Dominion Peoples (Dominion Peoples). Columbia Gas of Pennsylvania, Inc. (Columbia) provided late filed comments on September 8, 2003.
Discussion

A. Confidentiality
In the Tentative Order, utilities were required to file the Self Certification Forms as an appendix to the Annual Financial or Annual Assessment Reports and any utility that desired its submitted form be kept confidential was required to file for a protective order.
The EAP, Columbia and PA-American aver that the Self Certification Forms should be automatically deemed confidential and proprietary, without the necessity of petitioning for a protective order.
Because of the potential security interests implicated by the release of a completed form, we find that the harm from release of the completed forms outweighs the public's interest in access to this information. Therefore, we deem that all completed Self Certification Forms filed with the Commission are to be treated as confidential.
B. Physical Location of the Self Certification Forms
The Tentative Order instructed utilities to append their Self Certification Form to either their Annual Financial or Annual Assessment Reports, beginning in 2004.
The EAP and PA-American believe that to the extent that submission of the Self Certification Forms is required, that the form should not reside in the utilities' Annual Financial or Annual Assessment Reports or be retained by the Secretary's Bureau. Primarily, the EAP takes the position that the Self Certification Forms should be retained at the companies' premises and an affidavit of compliance should be filed with the Commission. However, the EAP requests that security related documents filed with the Commission under this docket or any security docket should be filed with the Office of Executive Director, separately from all other documents filed with the Commission. PA-American urges the Commission to physically and/or electronically store the Self Certification Forms separately from other documents filed at the Commission.
The EAP's and PA-American's request to house the Self Certification Forms in a location other than the Secretary's Bureau is based upon their assertion that the forms may be released to the public inadvertently.
To ensure the confidentiality of the Self Certification Form, we have reconsidered the filing location of the form. The Self Certification Form should be filed, beginning in 2004 at Docket No. M-00031717, and will be kept in a confidential folder by year (starting with F0004).
We have no reason to believe that the Commission's Secretary should not store these documents in the same manner that all confidential documents are handled. Additionally, we will not adopt the EAP's suggestion that an affidavit of compliance be filed with the Commission instead of the Self Certification Form.
By this Order, we are requiring each utility subject to the reporting requirements of 52 Pa. Code §§ 27.10, 61.28, 63.36, 65.19, 59.48 and 57.47 [1] to submit the Self Certification Form. The form shall be submitted at the same time as the Annual Financial Reports filed on or after January 1, 2004, and each year thereafter. However, it shall be submitted under separate cover at Docket No. M-00031717.
For those utilities that are not subject to the previous annual financial reporting requirements, the Self Certification Form shall be submitted by each utility subject to the reporting requirements of 52 Pa. Code §§ 29.43, 31.10 and 33.103. [2] For these utilities, the form shall be submitted at the same time as the Annual Assessment Reports filed on or after January 1, 2004, and each year thereafter. However, it shall be submitted under separate cover at Docket No. M-00031717.
C. Redundant Reporting Requirements and Proposed Rulemaking
In the Tentative Order, we advised that the Law Bureau, in conjunction with the Bureau of Fixed Utility Services and the Bureau of Transportation and Safety, would initiate a rulemaking to include the security self certification reporting requirements and requirements for our jurisdictional utilities to develop and maintain appropriate physical and cyber security, emergency response and business continuity plans, as a permanent part of the Commission's regulations.
Dominion Peoples states that it is concerned that the proposed subsequent rulemaking may lead to the creation of regulations that are redundant with obligations that Pennsylvania public utilities have to Federal regulators, resulting in the inefficient and unnecessary layering of regulations. Dominion Peoples states that it is not opposed to a rulemaking that results in regulations codifying the obligation to file the security Self Certification Form. However, Dominion Peoples does not want Pennsylvania utilities to be in the position of responding to redundant or multiple requirements regarding the design or implementation of its security plans.
Columbia encourages a truly integrated and coordinated approach to avoid duplication of effort and to ensure that best practices are shared across all jurisdictions. As an example of a potential coordination concern, Columbia cites an operator statement submitted to the Commission that it has met the Federal Department of Transportation's Office of Pipeline Safety's security requirements, and asks whether this statement will be superseded by the Self Certification Form. Likewise, Columbia inquires as to whether the Workplace Security Survey checklist attached to the HR 361 report will be necessary in light of the Self Certification Form.
Columbia suggests that enhanced coordination could be accomplished through a working group rulemaking process similar to the one employed during the gas restructuring process. The working group could then develop the regulations as well as suggest any necessary changes to the Self Certification Form.
We recognize that various Federal and State agencies have already placed requirements on many of our jurisdictional utilities to develop and maintain security and emergency response related plans and we do not wish to replicate the efforts of those authorities, nor create duplicative or undue effort for our jurisdictional utilities. The comments of Dominion Peoples and Columbia will be taken into account during the upcoming rulemaking. However, until that rulemaking is completed, each utility is required to annually file the Self Certification Form following this Order as Appendix A.
D. Self Certification Form Content and Dates
The EAP believes that all date related questions on the Self Certification Form should be modified to achieve the Commission's purpose of ensuring current and ongoing testing. The EAP states that testing of systems, physical security, emergency plans, cyber security and risk assessment are all ongoing and security is achieved through a sum of continuous partial testing rather than one big test undertaken over some specified time table. Additionally, the EAP avers that if the Self Certification Forms are deemed public documents and available to the public, these dates become a security threat in and of themselves.
The EAP proposes modifications to questions 3, 6, 7, 10 and 13 of the Self Certification Form to inquire if testing is done periodically, versus supplying specific testing dates.
We agree with the EAP, that in some cases, testing of physical security, cyber security, emergency response and business continuity plans are ongoing and security is achieved through a sum of continuous partial testing rather than one big test undertaken over some specified time table. Therefore, we will modify questions 3, 6, 7, 10 and 13 of the Self Certification Form to inquire if complete testing is performed annually, versus supplying specific testing dates.
Columbia submits that all parties need to understand and agree upon specific and concrete definitions for the terminology used in describing the plans and their contents. Columbia asserts that while the Tentative Order offered limited definitions, the definitions do not provide adequate guidance to ensure that all those who read them will interpret them similarly. Columbia suggests that developing more precise definitions at this point of the effort would eliminate any differences of interpretation and provide more cohesive results. Towards that end, Columbia submits that the Commission's regulations, resulting from the proposed rulemaking, should adopt standard definitions from the Disaster Recovery Institute International.
Columbia asserts that since many of the terms incorporated on the form are not yet precisely defined and the regulations have not yet been adopted, it may be impossible for a utility to compile the required plans and certify to them in a limited amount of time. Columbia is concerned with the due date for submission of the Self Certification Form. Columbia seeks clarification as to whether a Self Certification Form respondent is in compliance with the terms of the Tentative Order by answering ''No'' to any or all of the questions posed on the Form. Columbia submits that the timeframe for the initial submission of the Self Certification Form should provide ample time for utilities to develop, test and implement each of the various plans. Columbia suggests that a minimum of one year is required to properly design, develop, test and implement the plans.
We understand Columbia's request for additional guidance on the specifics of what the Commission expects to be included in the physical, cyber, disaster recovery, emergency response and business continuity plans. We expect these definitional issues to be dealt with in detail in the rulemaking. In the meantime, we expect each utility submitting a Self Certification Form to utilize and interpret, to the best of their ability, definitions for the various security plans provided in the Tentative Order.
In reply to Columbia's clarification request, while certainly not preferred, a utility could provide a ''No'' response to any or all of the questions posed on the form and be in compliance with the terms of the Tentative Order and this Order. We believe it is important that the Commission become aware of utilities without physical, cyber, disaster recovery, emergency response or business continuity plans as soon as possible, and not wait a year or more until a utility has completed designing, developing, testing and implementing their plans. Recognition of these utilities will enable the Commission to provide education outreach assistance on security planning.
E. Commission's Security Educational Outreach Program
In its comments, the EAP urges the Commission to designate a person to whom the industry representatives can bring questions concerning the Self Certification Form.
Industry representatives should bring questions concerning the Self Certification Form to the Commission's Bureau of Fixed Utility Services. Furthermore, as we stated in the Tentative Order, the HR 361 report stressed the importance of communicating with smaller and mid-sized companies regarding security issues and the sharing of best practices. Therefore, we reiterate our directive that Commission Staff develop an educational outreach component so that the purpose and intent of the Self Certification Form and additional information relative to the security, emergency response and business continuity plans are communicated to all companies. This outreach component should include trade associations representing the affected industries, existing working groups, such as the small water task force and any other opportunities that Commission Staff deems appropriate.
F. Multiple Operating Companies' Filings
The PTA requests that, in cases of multiple companies operating together under a common ownership, those companies be permitted to file one Self Certification Form collectively.
We believe that in many cases, even companies operating under a common ownership may have separate and distinct physical, cyber, disaster recovery, emergency response or business continuity plans. Therefore, we will not grant blanket approval to filing one form for multiple companies operating together under a common ownership. However, we will review each request for this treatment on a case-by-case basis.
Conclusion

In addition to submittal of the Self Certification Form, each of our jurisdictional utilities should note that we intend, as necessary, to review how their security plans affect, and will in the future affect, the ability to provide service and facilities to the public.
We note that the Commission has explicit statutory authority to institute these reporting requirements and to carry out and enforce the purposes of the Public Utility Code in the public interest. 66 Pa.C.S. §§ 501 and 504. The subject matter that the Commission may examine and act on under the Public Utility Code is very broad and includes any issue, such as security, which, if left unaddressed, could pose a serious threat to the utilities' responsibility to provide safe and reliable utility service.
As a result of the foregoing and, upon full consideration of all the matters before us at this time, we determine that a self certification process for utility security programs should be instituted to determine the current and anticipated security compliance of all jurisdictional utilities; Therefore,
It Is Ordered That:
1. Utilities under the reporting requirements of 52 Pa. Code §§ 27.10, 29.43, 31.10, 33.103, 61.28, 63.36, 65.19, 59.48 and 57.47 be required to complete and file the Self Certification Form following this Order as Appendix A.
2. Utilities under the reporting requirements of 52 Pa. Code §§ 27.10, 61.28, 63.36, 65.19, 59.48 and 57.47 shall file the Self Certification Form at Docket No. M-00031717, at the time each Annual Financial Report is filed, beginning on or after January 1, 2004.
3. Utilities not subject to the previous reporting requirements but subject to the reporting requirements of 52 Pa. Code §§ 29.43, 31.10 and 33.103 shall file the Self Certification Form at Docket No. M-00031717, at the time each Annual Assessment Report is filed, beginning on or after January 1, 2004.
4. Blank Self Certification Forms be available to jurisdictional utilities from the Commission's website and from the Secretary.
5. Commission Staff develop and implement an educational outreach program so that the purpose and intent of the Self Certification Form and additional information relative to the security, emergency response and business continuity plans are communicated to all companies.
6. The Law Bureau, in conjunction with the Bureau of Fixed Utility Services and the Bureau of Transportation and Safety, initiate a rulemaking in an expedited manner to include the requirement for jurisdictional utilities to develop and maintain appropriate written physical and cyber security, emergency response and business continuity plans and the requirement for jurisdictional utilities to submit the security self certification form as part of the Commission's regulations.
7. Copies of this Order be provided to PEMA, the Pennsylvania Office of Homeland Security, the Department of Environmental Protection, the EAP, the PTA, the Pennsylvania Motor Truck Association, the Pennsylvania Bus Association, the Pennsylvania Taxicab and Paratransit Association, the Pennsylvania Moving and Storage Association, the Pennsylvania Limousine Association, the Pennsylvania Chapter of the National Association of Water Companies, the Pennsylvania Section of the American Water Works Association, the Pennsylvania Rural Water Association, Pennsylvania League of Cities and Municipalities, Pennsylvania State Association of Boroughs, Pennsylvania Local Government Commission, Pennsylvania State Association of Township Supervisors and the Commission jurisdictional respondents to HR 361.
8. This Order be published in the Pennsylvania Bulletin and posted on the Commission's website.
JAMES J. MCNULTY,
Secretary

Appendix A

Company Name:
Utility/Industry Type:
Year Ended
CONFIDENTIAL Physical and Cyber Security Planning Self Certification
Docket No. M-00031717F0004
(Do Not Submit Actual Physical, Cyber, Emergency Response or Business Continuity Plans)
Item No. | Classification | Response (Yes - No - N/A*)
1 | Does your company have a physical security plan? | ____
2 | Has your physical security plan been reviewed and updated in the past year? | ____
3 | Is your physical security plan tested annually? | ____
4 | Does your company have a cyber security plan? | ____
5 | Has your cyber security plan been reviewed and updated in the past year? | ____
6 | Is your cyber security plan tested annually? | ____
7 | Has your company performed a vulnerability or risk assessment analysis as it relates to physical and/or cyber security? If so, when? | ____
8 | Does your company have an emergency response plan? | ____
9 | Has your emergency response plan been reviewed and updated in the past year? | ____
10 | Is your emergency response plan tested annually? | ____
11 | Does your company have a business continuity plan? | ____
12 | Has your business continuity plan been reviewed and updated in the past year? | ____
13 | Is your business continuity plan tested annually? | ____

*Attach a sheet with a brief explanation if N/A is supplied as a response to a question.
The foregoing certification must be verified by the officer having control of the security planning for the respondent.
I am authorized to complete this form on behalf of ______ [name of corporation/partnership/proprietorship] being the ______ [position] of this corporation/partnership/proprietorship and verify that the facts set forth above are true and correct to the best of my knowledge, information and belief. This verification is made pursuant to 52 Pa. Code § 1.36 and that statements herein are made subject to the penalties of 18 Pa.C.S. § 4904 (relating to unsworn falsification to authorities).
Name of Officer: ___________________________
Signature of Officer: ___________________________
Phone Number of Officer: ___________________________
Email Address of Officer: ___________________________
____
[1] This group includes common carriers of passengers and/or household goods and jurisdictional telecommunications, electric, gas, steam heating and water/wastewater utilities.
[2] This group includes common carriers and forwarders of property and railroad carriers.
[Pa.B. Doc. No. 03-2432. Filed for public inspection December 19, 2003, 9:00 a.m.]