The New Jersey Board of Public Utilities (BPU), in a March 18 order, directed electric, natural gas, and water/wastewater utilities to have a cybersecurity program that defines and implements organizational oversight, accountabilities and responsibilities for cyber risk management activities, and that establishes policies, plans, processes and procedures for identifying and mitigating risk to critical systems to acceptable levels.
The BPU said in a March 18 statement that the requirements placed on the regulated utilities were developed in consultation with experts in utility cybersecurity, the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) and the Federal Bureau of Investigation.
“As cyber-attacks against utility systems nationwide continue to increase in number and sophistication, addressing cybersecurity is a top priority to enhancing the security and reliability of utility service in New Jersey and across the nation,” BPU President Richard Mroz said in the statement. “To ensure that we continually meet the challenges of this ever-changing threat, we have made certain that these policies are uniform yet flexible, promote information sharing and are capable of evolving as the threat landscape changes.”
According to the order, the cybersecurity program must meet these minimum requirements:
Cyber risk management:
- Identify – Annually inventory critical systems and document changes
- Analyze – Annually assess and prioritize cyber risks, including physical risks, to identified critical systems
- Control – Implement administrative, technical (logical and physical), and compensating controls, alone or in combination, to mitigate prioritized cyber risks
- Measure and monitor – Annually review risk assessment methodology to identify and incorporate revisions as appropriate
- Monitor log files of critical systems
- Monitor internal and external sources of threat and vulnerability information, including vendors and the industry-appropriate Information Sharing and Analysis Centers (ISACs) or Information Sharing and Analysis Organizations (ISAOs), and establish a review process to determine applicability and response
- Review vendor security patches in a timely manner, and implement as appropriate
- Utilities are to report cyber events relating to their industrial control systems (ICS), including:
* Any person (an individual, firm, corporation, educational institution, financial institution, governmental entity, or other legal entity) that accessed the ICS without authorization or exceeded authorized access
* Unauthorized programs, information, code or commands discovered on an ICS
- Utilities are to copy Reliability and Security Division staff on any notifications to New Jersey law enforcement agencies of breaches involving customers’ personally identifiable information, to the extent New Jersey law requires such notifications
- Utilities are to report unusual cyber activity that has the potential to compromise critical systems and for which controls are ineffective
Response and recovery:
- Establish a cybersecurity incident response plan that addresses the life-cycle of an incident, including identification of, response to, and recovery from a cyber event
- Conduct an exercise to test the plan once every 24 calendar months, at a minimum
Security awareness and training:
- Develop and implement a cybersecurity awareness program, which must include general cybersecurity topics as well as emerging threats, and must be reviewed biannually and updated as appropriate
- Cybersecurity awareness communications must be provided periodically throughout the year
- Develop and implement cybersecurity training that details cybersecurity roles and responsibilities, for individuals who have access credentials to ICS and for administrators of customer information systems that contain personal information
- Develop and implement protocols for training new personnel as well as periodic training reinforcement
Regarding implementation, the BPU said that utilities must join the NJCCIC and create a cybersecurity incident reporting process no later than 60 days after the effective date of the BPU’s order. Also, utilities must submit written confirmation of compliance with that requirement to Reliability and Security Division staff by June 1.
The BPU added that the utilities must submit a written report to Reliability and Security Division staff by June 1 that documents the assignment of organizational oversight, accountabilities, and responsibilities for cyber risk management activities.
In addition, the BPU said that the utilities must submit a written report to Reliability and Security Division staff by Dec. 31, describing progress toward compliance with these requirements and defining potential barriers that may interfere with meeting the defined implementation date.
Regarding accountability and board review, the BPU said that the utilities are to certify on an annual basis compliance with the minimum requirements set forth in the order, and such certification must be submitted to Reliability and Security Division staff by Dec. 31 of each year following the implementation period.
In cases where the utilities have critical systems that are also subject to NERC Critical Infrastructure Protection (CIP) standards, certification of compliance with those standards is sufficient to meet the annual certification requirement under the BPU’s order for those critical systems, the BPU said.
Among other things, the BPU said that it has given consideration to the sensitive security nature of the information and reports required by its order, including the utilities’ cybersecurity programs and the utilities’ ability to defend against cyber intrusions. The BPU said it finds that public disclosure of such information would “substantially interfere with the state’s ability to protect and defend its citizens against acts of sabotage or terrorism or would materially increase the risk or consequences of potential acts of sabotage or terrorism.”
The BPU said it further finds that similar cybersecurity information reported to the NJCCIC, within the New Jersey Office of Homeland Security and Preparedness, is deemed confidential. Therefore, the BPU ordered that any reports and other information submitted, collected or exchanged in accordance with its order are to be deemed confidential and are not to be considered government records.
The BPU directed staff to develop a memorandum of understanding, to be negotiated between the BPU and the NJCCIC, to address how cybersecurity information submitted to the NJCCIC will be handled and shared with the BPU.