Given the concerns about cyber security, critical infrastructure, and the need for uniformity in reporting among regulated entities, the Michigan Public Service Commission (MPSC) recently directed its staff to craft rules to be included in the technical standards for electric service, and in the technical standards for gas service.
The MPSC said that the rules are to provide for an annual report that includes an overview of the electric or gas provider’s cyber security program; a list of the company’s cyber security departments, staffing numbers and position descriptions, and the names of key contacts; a description of any cyber security training and exercises undergone by employees; an explanation of any cyber security investment made and the rationale for such investment; a discussion of the tools and methods used to conduct risk and vulnerability assessments; and a summary of cyber security incidents that resulted in a loss of service, financial harm, or a breach of sensitive business or customer information.
As noted in the order, the MPSC in January 2012 opened Case No. U-17000 to address issues and concerns associated with the deployment of advanced metering infrastructure (AMI) by Michigan electric utilities. In that January 2012 order, the MPSC directed all regulated electric utilities to file information in the docket concerning various aspects of AMI, requested written comments from interested parties, and directed its staff to prepare a report addressing the utility findings, public comments, and other pertinent information.
Staff in June 2012 submitted its report, and in October of that year, the MPSC issued an order in which it found, inter alia, that cyber security issues were of sufficient complexity and importance to merit the establishment of this docket (Case No. U-18203).
The MPSC further noted that in two recent rate case proceedings, it directed DTE Electric Company and Consumers Energy Company to each provide the staff with periodic reports on the utility’s cyber security program. In those cases, staff provided a general framework outlining the type and scope of cyber security information to be provided to the MPSC, the commission said.
As reviewed in the staff report, cyber security is critical to the operation of a modern electric utility and utilities must continually assess and upgrade their defenses to cyber attacks, the MPSC said.
“While the commission recognizes that AMI itself could increase the vulnerability of the electric grid, grid automation generally, including the deployment of a number of ‘smart’ grid components, inherently increases the risk to system security,” the MPSC said. “Increased security risks arise largely, but not exclusively, because grid modernization involves increasing the number of digital access points within the electric distribution system and increasing the number of and level of control by networked devices.”
According to the staff report, the MPSC said, as Michigan transitions to a more technologically advanced power grid, it is important that the proper actions are taken by utilities to address cyber security threats.
With every added piece of technology, the risk of vulnerabilities inherently increases, the staff report said, adding that a smarter grid includes more devices and connections that may become avenues for intrusions, error-caused disruptions, malicious attacks, destruction, and other threats.
Among other things, the MPSC added that because cyber security threats challenge the reliability, resiliency, and safety of the electric grid, and because utility spending to address cyber vulnerabilities can impact customers’ bills, the MPSC has an obligation to fully examine utilities’ cyber security practices. Also, because most gas transportation and distribution systems rely extensively on supervisory control and data acquisition for gas system monitoring and control, those systems require cyber security protections as well, the MPSC said.