Texas regulators propose rule to establish cybersecurity coordination program among utilities

Commission staff will conduct a public hearing on the proposed rulemaking, if requested in accordance with Texas Government Code, at the commission’s offices located in Austin, Texas, on March 4, 2020

The Public Utility Commission of Texas proposes a new rule that will establish a cybersecurity coordination program to monitor cybersecurity efforts among electric utilities, electric cooperatives, and municipally owned electric utilities in the state, as required by Senate Bill 64 of the state Legislature, according to a Dec. 13 proposal for publication as approved at an open meeting of the commission.

The new rule will also establish a cybersecurity monitor (CSM), a CSM program, and the method to fund the CSM, as required by Senate Bill 936 of the state Legislature.

As noted on the Legislature’s website, Senate Bill 64 amends the Government Code and Occupations Code to authorize the governor to command the Texas National Guard to assist the Texas State Guard with defending the state’s cyber operations. The bill requires the state cybersecurity coordinator, in collaboration with the cybersecurity council and public and private entities in Texas, to develop best practices for cybersecurity and to establish a cyberstar certificate program to recognize public and private entities that implement those best practices, the site said. Senate Bill 64 amends the Utilities Code to require the commission to establish a program to monitor cybersecurity efforts among utilities in Texas and requires an independent organization certified by the commission to conduct internal cybersecurity risk assessment, vulnerability testing, and employee training, the site said.

Senate Bill 936, according to the Legislature’s website, amends the Utilities Code to establish a framework for collaboration between the commission, electric utilities, and ERCOT relating to cybersecurity issues by requiring the selection of a CSM to act as the commission’s CSM of certain electric utilities operating in the ERCOT power region. The bill authorizes certain electric utilities that operate solely outside the ERCOT power region to elect to participate in the CSM program or to discontinue participation, the site said. The bill requires the commission, on its own motion or on the petition of an electric utility, to allow an applicable electric utility to recover reasonable and necessary costs incurred in connection with activities under the cybersecurity program, the site said.

According to the commission’s Dec. 13 proposal for publication, the agency has determined that for each year of the first five years that the proposed rule is in effect, certain statements will apply, including:

  • Implementation of the proposed rule will not require the creation of new employee positions and will not require the elimination of existing employee positions
  • The proposed rule will not affect the state’s economy

As noted in the filing, the commission and ERCOT will contract with an entity selected by the commission to act as the commission’s CSM, which must be independent from ERCOT and is not subject to the supervision of ERCOT.

The cybersecurity coordination program is available to all electric utilities, municipally owned utilities, and electric cooperatives in Texas, and must include such functions as guidance on best practices for cybersecurity controls for supply chain risk management of cybersecurity systems used by utilities, which may include best practices related to software integrity and authenticity.

The filing also noted that the CSM program is available to all monitored utilities and must include the functions of the cybersecurity coordination program, as well as such functions as holding regular meetings with monitored utilities to discuss emerging threats, best business practices, and training opportunities.

Discussing ERCOT’s responsibilities and support role, the filing noted that ERCOT must, for instance, conduct an internal cybersecurity risk assessment, vulnerability testing, and employee training to the extent that ERCOT is not otherwise required to do so under applicable state and federal cybersecurity and information security laws. Also, ERCOT must submit an annual report to the commission on ERCOT’s compliance with applicable cybersecurity and information security laws by Jan. 15 of each year or as otherwise determined by the commission.

The filing also said that a transmission and distribution utility, a corporation described in PURA §32.053, and a municipally owned utility or electric cooperative that owns or operates equipment or facilities in the ERCOT power region to transmit electricity at 60 or more kilovolts must participate in the CSM program.

Among other things, the filing noted that on an annual basis, ERCOT must calculate the non-refundable, fixed fee that a monitored utility that operates solely outside of the ERCOT power region must pay in order to participate in the CSM program for the upcoming calendar year. ERCOT must file notice of the fee in the project designated by the commission for that purpose and post notice of the fee on the ERCOT website. The filing added that for the 2020 program year, ERCOT must file and post notice of the fee to participate in the program by May 1, 2020; beginning with the 2021 program year, ERCOT must file and post notice of the fee to participate in the program by Oct. 1 of the preceding program year.

Commission staff will conduct a public hearing on the proposed rulemaking, if requested in accordance with Texas Government Code, at the commission’s offices located in Austin, Texas, on March 4, 2020. The filing added that the request for a public hearing must be received by Feb. 10, 2020.

Initial comments on the proposed rule may be filed with the commission’s filing clerk by Jan. 27, 2020, and reply comments may be submitted by Feb. 10, 2020, according to the proposal for publication.