Section 101.3. Plan requirements  


    (a) A jurisdictional utility shall develop and maintain written physical and cyber security, emergency response and business continuity plans.

    (1) A physical security plan must, at a minimum, include specific features of a mission critical equipment or facility protection program and company procedures to follow based upon changing threat conditions or situations.

    (2) A cyber security plan must, at a minimum, include:

    (i) Critical functions requiring automated processing.

    (ii) Appropriate backup for application software and data. Appropriate backup may include having a separate distinct storage media for data or a different physical location for application software.

    (iii) Alternative methods for meeting critical functional responsibilities in the absence of information technology capabilities.

    (iv) A recognition of the critical time period for each information system before the utility could no longer continue to operate.

    (3) A business continuity plan must, at a minimum, include:

    (i) Guidance on the system restoration for emergencies, disasters and mobilization.

    (ii) Establishment of a comprehensive process addressing business recovery, business resumption and contingency planning.

    (4) An emergency response plan must, at a minimum, include:

    (i) Identification and assessment of the problem.

    (ii) Mitigation of the problem in a coordinated, timely and effective manner.

    (iii) Notification of the appropriate emergency services and emergency preparedness support agencies and organizations.

    (b) A jurisdictional utility shall review and update these plans annually.

    (c) A jurisdictional utility shall maintain and implement an annual testing schedule of these plans.

    (d) A jurisdictional utility shall demonstrate compliance with subsections (a)—(c), through submittal of a Self Certification Form which is available at the Secretary’s Bureau and on the Commission’s website.

    (e) A plan shall define roles and responsibilities by individual or job function.

    (f) The responsible entity shall maintain a document defining the action plans and procedures used in subsection (a).

Notation

Cross Reference

This section cited in 52 Pa. Code § 101.6 (relating to compliance).