
PA Bulletin, Doc. No. 03-1615

NOTICES

PENNSYLVANIA PUBLIC UTILITY COMMISSION

Physical and Cyber Security Program Self Certification Requirements for Public Utilities

[33 Pa.B. 4133]

Public Meeting held
July 17, 2003

Commissioners Present:  Terrance J. Fitzpatrick, Chairperson; Robert K. Bloom, Vice Chairperson; Aaron Wilson, Jr.; Glen R. Thomas; Kim Pizzingrilli

Physical and Cyber Security Program Self Certification Requirements for Public Utilities; Doc. No. M-00031717

Tentative Order

By the Commission:

Background

   The Pennsylvania Public Utility Commission's (Commission) primary emergency management staff has been working closely with its jurisdictional utilities since July 1998 to ensure the safe and reliable delivery of utility services to citizens in this Commonwealth and to refine emergency management and response processes. The Commission has also been working closely with the Pennsylvania Emergency Management Agency (PEMA) and the State Office of Homeland Security to ensure coordination of critical infrastructure emergency and security procedures.

A.  Pre-Y2K

   From July 1998--November 1999, the Commission instituted a formal investigation to determine the Year 2000 technology (Y2K) readiness of approximately 750 public utilities and conducted an assessment of Y2K readiness for 23 jurisdictional companies and the Pennsylvania Rural Electric Association (PREA). These electric, natural gas, telecommunications and water companies represented the largest potential impact to Commonwealth citizens. The companies also provided emergency response plans, business continuity plans and contingency plans for review. At that time, it was unknown what type of events (terroristic, physical, cyber threats or other actions) could potentially trigger an emergency. The companies were prepared for what were then perceived as the ''worst case scenarios.''

B.  September 11, 2001

   When the events of September 11th occurred, the Commission immediately surveyed its jurisdictional companies, the PJM Interconnection, which is responsible for the operation and control of the bulk electric power system throughout major portions of five mid-Atlantic states, the District of Columbia and PREA to determine what actions were being taken. Rail safety inspectors, gas safety inspectors and telecommunications staff were also contacted to assess their industry groups. Companies responded that they were at a ''heightened state of awareness,'' had implemented emergency procedures as developed during Y2K and took additional steps in preparation for responding to a potential event in their service territories within this Commonwealth.

   The Department of Environmental Protection (DEP) and the Commission offered recommendations to public water suppliers and dam owners to take reasonable precautions to protect raw and finished water supplies and dams from external threats. Plans have since been reviewed by the companies and modified or updated where necessary.

C.  Post September 11, 2001

   Shortly after September 11th, the Commission secured/inventoried sensitive documents in its possession (for example, system maps) and established procedures for information flow. Additionally, the Commission began coordinating with the local Federal Bureau of Investigation Infragard program on issues involving Pennsylvania utilities and the Commission serves on the National Association of Regulatory Utility Commissioners Critical Infrastructure Committee.

   Post September 11th, the Commission and PEMA personnel assisted in the review and analysis process for Executive Order 2001-6, the Governor's Task Force on Security, with Commission staff participating in all 11 subcommittee meetings.

D.  House Resolution 361

   On December 3, 2001, the House of Representatives tasked the Commission and PEMA with the following:

   *  To review, analyze and evaluate utility infrastructure security protection and risk mitigation policies and other related security issues.

   *  To recommend prudent strategies to enhance the standards for the physical security and integrity of this infrastructure.

   *  To recommend statutory changes to enable cost recovery mechanisms for security modifications to utility infrastructure.

   This resolution directed the Commission and PEMA to submit a comprehensive report to the House of Representatives addressing utility infrastructure security issues on or before September 1, 2002.

   The Commission determined that nine industries under its jurisdiction--the fixed utilities of electric, natural gas, water and wastewater, telecommunications, steam heat and the transportation utilities of rail, motor carrier (trucking), taxi and limousine and busing--were the industries to be profiled. Seventy-two companies, both Commission jurisdictional and nonjurisdictional, encompassed these nine industries.

   The evaluations included small, medium and large-scale companies, as well as nonjurisdictional entities, such as electric generators, natural gas suppliers, municipal authorities, and the like. The jurisdictional and nonjurisdictional companies were profiled to address the industry as a whole, and also to identify any trends within an industry. Where appropriate, Emergency Response Plans, Contingency Plans, Cyber Security Plans and Business Continuity Plans were reviewed.

   The overall findings are fully profiled in the HR 361 report, ''Protecting Critical Infrastructure: Keeping Pennsylvanians Safe,'' that was submitted to the Legislature on September 1, 2002.

E.  House Resolution 361--Phase Two Update

   On January 30, 2003, the Pennsylvania Director of Homeland Security tasked the Commission to request additional information from the participants of the HR 361 report. The primary focus of the additional information was related to the potential escalation in the Federal Office of Homeland Security's Advisory System from Elevated (Yellow) to High (Orange) or to Severe (Red).

   One of the recommendations to the HR 361 report was to acknowledge that all utilities should uniformly adopt the Department of Homeland Security color code system. This second phase of the survey process further encouraged the implementation of the color code system by the companies and industries.

   The Commission submitted ''Protecting Critical Infrastructure: Keeping Pennsylvanians Safe''--Phase II Update to the Pennsylvania Office of Homeland Security on February 24, 2003.

Discussion

   The Commission, as well as the critical infrastructure industries, recognizes that it is impossible to completely protect all utility infrastructures in Pennsylvania. Nevertheless, all parties want a foundation to organize efforts to protect this Commonwealth, its critical facilities and its citizens from any type of event--manmade or natural. The parties involved recognize that as security risks and vulnerabilities change and as information becomes available, plans will need to be adjusted and amended over time to reassess priorities and realign resources. The initiatives are recognized as permanent additions to our society and will need to be addressed for years and decades, not just weeks or months.

   Additionally, in its February 2003 release, ''The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets,'' the Federal government stresses that ''States should further facilitate coordinated planning and preparedness for critical infrastructure and key asset protection, applying unified criteria for determining criticality, prioritizing protection investments, and exercising preparedness within their jurisdictions.'' (Executive Summary, P. x.)

   We find that the security issue presents questions that are of fundamental importance to the public health, safety and convenience of Pennsylvanians and that each of our jurisdictional utilities must be prepared to demonstrate that it is adequately addressing the security issue so as to enable it to furnish and maintain adequate, efficient, safe and reasonable service. 66 Pa.C.S. § 1501.

   The Commission believes that the development, maintenance, exercising and implementation of physical and cyber security, emergency response and business continuity plans are essential to ensuring our jurisdictional utilities are equipped to furnish and maintain adequate, efficient, safe and reasonable service. Therefore, as described in this Tentative Order, we urge each jurisdictional utility, if they have not already done so, to develop and maintain written physical and cyber security, emergency response and business continuity plans.

   We recognize that various Federal and State agencies have already placed requirements on many of our jurisdictional utilities to develop and maintain security and emergency response related plans and we do not wish to replicate the efforts of those authorities, nor create duplicative or undue effort for our jurisdictional utilities. However, we advise all jurisdictional utilities that the Law Bureau, in conjunction with the Bureau of Fixed Utility Services and the Bureau of Transportation and Safety, will initiate a rulemaking to include, as a permanent part of the Commission's regulations, requirements for our jurisdictional utilities to develop and maintain appropriate physical and cyber security, emergency response and business continuity plans.

   To permit the Commission to determine the current and anticipated level of security compliance of our jurisdictional utilities, following this Tentative Order is a Physical and Cyber Security Planning Self Certification Form (Self Certification Form) that jurisdictional utilities will be required to submit to the Commission annually. This form addresses four areas of security planning:

   *  Physical Security Plan

   *  Cyber Security Plan

   *  Emergency Response Plan

   *  Business Continuity Plan

   For the purposes of the Self Certification Form, we will define Physical Security as the physical (material) measures designed to safeguard personnel, property and information. A Physical Security Plan should be a document that characterizes the response to security concerns at mission critical equipment or facilities. The Physical Security Plan may include the specific features of a mission critical equipment or facility protection program, such as fences, surveillance cameras, and the like, and company procedures to follow based upon changing threat conditions or situations.

   Cyber Security shall be defined as the measures designed to protect those computers, software and communications networks that support, operate or otherwise interact with the company's operations. As part of a Cyber Security Plan, we would expect each company to maintain and test an information technology disaster recovery plan, including: (1) critical functions requiring automated processing; (2) appropriate backup for application software and data; (3) alternative methods for meeting critical functional responsibilities in the absence of information technology capabilities; and (4) a recognition of the critical time period, for each information system, before the company could no longer continue to operate.

   An Emergency Response Plan is defined as a plan describing the actions a company will take if a problem exists at a facility, whether due to natural causes or sabotage. Actions typically include identifying and assessing the problem, mitigating the problem if possible, and notifying the emergency management system to protect human life and property.

   A Business Continuity Plan is defined as a plan that should ensure the continuity or uninterrupted provision of operations and services. As part of its business continuity planning process, a company needs to review the continuity or recovery of facilities or operations that are critical to the company's survival. Business continuity planning is an on-going process with several different but complementary elements. Planning for business continuity is a comprehensive process that includes business recovery, business resumption, and contingency planning.

   By this Tentative Order, we are requiring each utility subject to the reporting requirements of 52 Pa. Code §§ 27.10, 61.28, 63.36, 65.19, 59.48 and 57.47¹ to submit the Self Certification Form. The Self Certification Form shall be submitted as an appendix to Annual Financial Reports filed on or after January 1, 2004. For those utilities that are not subject to the previous annual financial reporting requirements, the Self Certification Form shall be submitted by each utility subject to the reporting requirements of 52 Pa. Code §§ 29.43, 31.10 and 33.103.² For these utilities, the Self Certification Form shall be submitted as an appendix to Annual Assessment Reports filed on or after January 1, 2004.

   Although these annual reports are public documents, we recognize that a utility may want to seek proprietary treatment of the Self Certification Form under the Commission's Procedures Manual and 52 Pa. Code § 5.423 governing treatment of proprietary information. Customarily, requests to treat information as proprietary are automatically honored by the Commission unless and until challenged by a third party. In this case, to maintain the proprietary treatment, the utility must file for a protective order. By this Tentative Order, we direct the Secretary to grant, upon the Law Bureau's review and approval, petitions for protective order filed by a jurisdictional utility to maintain proprietary treatment of its completed Self Certification Form. Because of the potential security interests implicated by the release of a completed Self Certification Form, we find that the harm from release of the completed forms outweighs the public's interest in access to this information.

   We direct the Secretary to supply Self Certification Forms to jurisdictional utilities upon request. Furthermore, we direct that blank Self Certification Forms be available on the Commission's website.

   In addition to submittal of the Self Certification Form, each of our jurisdictional utilities should note that we intend, as necessary, to review how their security plans affect, and will in the future affect, the ability to provide service and facilities to the public.

   We note that the Commission has explicit statutory authority to institute these reporting requirements and to carry out and enforce the purposes of the Public Utility Code in the public interest. 66 Pa.C.S. §§ 501 and 504. The subject matter that the Commission may examine and act on under the Public Utility Code is very broad and includes any issue, such as security, which, if left unaddressed, could pose a serious threat to the utilities' responsibility to provide safe and reliable utility service.

   By this Tentative Order, we further advise that the Law Bureau, in conjunction with the Bureau of Fixed Utility Services and the Bureau of Transportation and Safety, will initiate a rulemaking to include the security self-certification reporting requirements as a permanent part of the Commission's regulations.

   The HR 361 report stressed the importance of communicating with smaller and mid-sized companies regarding security issues and the sharing of best practices. While the Commission has made strides in this endeavor, more can, and needs to, be done. Therefore, we direct that Commission staff develop an educational outreach component so that the purpose and intent of the Self Certification Form and additional information relative to the security, emergency response and business continuity plans are communicated to all companies. This outreach component should include trade associations representing the affected industries, existing working groups, such as the small water task force, and any other opportunities that Commission staff deems appropriate.

   As a result of the foregoing and, upon full consideration of all the matters before us at this time, we determine that a self certification process for utility security programs should be instituted to determine the current and anticipated security compliance of all jurisdictional utilities; Therefore,

It Is Ordered That:

   1.  Utilities under the reporting requirements of 52 Pa. Code §§ 27.10, 61.28, 63.36, 65.19, 59.48 and 57.47 be required to complete and file the Self Certification Form appended to this Tentative Order as Appendix A with each Annual Financial Report filed on or after January 1, 2004.

   2.  Utilities not subject to the previous reporting requirements but subject to the reporting requirements of 52 Pa. Code §§ 29.43, 31.10 and 33.103 be required to complete and file the Self Certification Form appended to this Tentative Order as Appendix A with each Annual Assessment Report filed on or after January 1, 2004.

   3.  Blank Self Certification Forms be available to jurisdictional utilities from the Commission's website and from the Secretary.

   4.  Commission staff develop and implement an educational outreach program so that the purpose and intent of the Self Certification Form and additional information relative to the security, emergency response and business continuity plans are communicated to all companies.

   5.  Law Bureau, in conjunction with the Bureau of Fixed Utility Services and the Bureau of Transportation and Safety, initiate a rulemaking in an expedited manner to include the requirement for jurisdictional utilities to develop and maintain appropriate written physical and cyber security, emergency response and business continuity plans and the requirement for jurisdictional utilities to submit the security Self Certification Form as part of the Commission's regulations.

   6.  Copies of this Tentative Order be provided to PEMA, the Pennsylvania Office of Homeland Security, DEP, the Energy Association of Pennsylvania, the Pennsylvania Telephone Association, the Pennsylvania Motor Truck Association, the Pennsylvania Bus Association, the Pennsylvania Taxicab and Paratransit Association, the Pennsylvania Moving and Storage Association, the Pennsylvania Limousine Association and the Commission jurisdictional respondents to HR 361.

   7.  This Tentative Order be published in the Pennsylvania Bulletin and posted on the Commission's website.

   8.  Interested parties' comments on this Tentative Order shall be filed within 20 days of publication date in the Pennsylvania Bulletin.

   9.  If no comments are filed to this Tentative Order by the end of the 20 day period, this Tentative Order shall become a Final Order.

JAMES J. MCNULTY,   
Secretary

Appendix A

   Annual Report of: __________                                        Year Ended: __________

Physical and Cyber Security Planning Self Certification

(Do Not Submit Actual Physical, Cyber, Emergency Response or Business Continuity Plans)

Item No.  Classification                                                                                                     Response (Yes--No--N/A*) or (Date)
1         Does your company have a physical security plan?                                                                   __________
2         Has your physical security plan been reviewed and updated in the past year?                                         __________
3         When was the most recent test of your physical security plan?                                                      __________
4         Does your company have a cyber security plan?                                                                      __________
5         Has your cyber security plan been reviewed and updated in the past year?                                            __________
6         When was the most recent disaster recovery test of your cyber security plan?                                       __________
7         Has your company performed a vulnerability or risk assessment analysis as it relates to physical and/or cyber security? If so, when?   __________
8         Does your company have an emergency response plan?                                                                 __________
9         Has your emergency response plan been reviewed and updated in the past year?                                       __________
10        When was the most recent test of your emergency response plan?                                                     __________
11        Does your company have a business continuity plan?                                                                 __________
12        Has your business continuity plan been reviewed and updated in the past year?                                      __________
13        When was the most recent test of your business continuity plan?                                                    __________

*  Attach a sheet with a brief explanation if N/A is supplied as a response to a question.

   The foregoing certification must be verified by the officer having control of the security planning for the respondent.

   I am authorized to complete this form on behalf of ______ [name of corporation/partnership/proprietorship] being the ______ [position] of this corporation/partnership/proprietorship and verify that the facts set forth above are true and correct to the best of my knowledge, information and belief. This verification is made pursuant to 52 Pa. Code § 1.36 and that statements herein are made subject to the penalties of 18 Pa.C.S. § 4904 (relating to unsworn falsification to authorities).

Name of Officer: __________

Signature of Officer: __________

Phone Number of Officer: __________

Email Address of Officer: __________

   1 This group includes common carriers of passengers and/or household goods and jurisdictional telecommunications, electric, gas, steam heating and water/wastewater utilities.

   2 This group includes common carriers and forwarders of property and railroad carriers.

[Pa.B. Doc. No. 03-1615. Filed for public inspection August 15, 2003, 9:00 a.m.]


