
PA Bulletin, Doc. No. 04-1064

PROPOSED RULEMAKING

PENNSYLVANIA PUBLIC UTILITY COMMISSION

[52 PA. CODE CH. 101]

[L-00040166]

Public Utility Security Planning and Readiness

[34 Pa.B. 3138]

   The Pennsylvania Public Utility Commission, on March 18, 2004, adopted a proposed rulemaking order requiring all jurisdictional utilities to develop and maintain written physical, cyber security, emergency response and business continuity plans.

Executive Summary

   Pursuant to 66 Pa.C.S. § 1501, every public utility must furnish and maintain adequate, efficient, safe, and reasonable service and facilities, and make changes, alterations, and improvements in or to such service and facilities as shall be necessary for the accommodation, convenience, and safety of its patrons, employees, and the public.

   The proposed regulations require jurisdictional utilities to develop and maintain written physical security, cyber security, emergency response, and business continuity plans. In addition, jurisdictional utilities must file a Self Certification Form with the Commission documenting compliance with the above mentioned plans.

   These proposed regulations will ensure that jurisdictional utilities are effectively equipped and prepared to provide safe and reliable utility service when faced with security concerns. In addition, jurisdictional utilities will be required to review and exercise their ability to detect, prevent, respond to and recover from abnormal operating conditions on an annual basis.

   The contact persons are Kimberly Joyce, Law Bureau (legal), 717-705-3819 and Darren Gill, Bureau of Fixed Utility Services (technical), 717-783-5244.

Regulatory Review

   Under section 5(a) of the Regulatory Review Act (71 P. S. § 745.5(a)), on June 3, 2004, the Commission submitted a copy of this proposed rulemaking and a copy of a Regulatory Analysis Form to the Independent Regulatory Review Commission (IRRC) and to the Chairpersons of the House and Senate Committees. A copy of this material is available to the public upon request.

   Under section 5(g) of the Regulatory Review Act, IRRC may convey any comments, recommendations or objections to the proposed rulemaking within 30 days of the close of the public comment period. The comments, recommendations or objections shall specify the regulatory review criteria which have not been met. The Regulatory Review Act specifies detailed procedures for review, prior to final publication of the rulemaking, by the Commission, the General Assembly and the Governor of comments, recommendations or objections raised.

Public Meeting held
March 18, 2004

Commissioners Present:  Terrance J. Fitzpatrick, Chairperson; Robert K. Bloom, Vice Chairperson; Glen R. Thomas; Kim Pizzingrilli; Wendell F. Holland

Public Utility Security Planning and Readiness; Doc. No. L-00040166

Proposed Rulemaking Order

By the Commission:

   This proposed rulemaking requires all jurisdictional utilities to develop and maintain written physical, cyber security, emergency response and business continuity plans to protect the Commonwealth's infrastructure and ensure safe, continuous and reliable utility service. In accordance with the proposed regulations, jurisdictional utilities will submit a Physical and Cyber Security Planning Self Certification Form (Self Certification Form) to the Commission documenting compliance with these four plans.

Background

   In the past several years, the Pennsylvania Public Utility Commission (Commission) has ardently worked with its jurisdictional utilities to ensure the safe and reliable delivery of utility services to citizens in the Commonwealth and to refine the emergency management and response processes.

   Beginning in 1998, the Commission instituted a Year 2000 technology (Y2K) readiness formal investigation which examined the readiness of approximately 750 public utilities and conducted an assessment of Y2K readiness for twenty-three jurisdictional companies. The attacks of September 11, 2001 dramatically underscored the importance of safeguarding public utility assets. As a result, the Commission immediately surveyed its jurisdictional companies, the PJM Interconnection, and the Pennsylvania Rural Electric Association (PREA). Rail safety inspectors, gas safety inspectors and telecommunications staff were also contacted to assess their industry.

   In addition, the Commission began coordinating its security efforts with the state Office of Homeland Security and submitted several comprehensive reports to the House of Representatives and the state Office of Homeland Security. Through this process, the Commission developed a security self certification process for all Commission jurisdictional utilities. The Commission directed that a Physical and Cyber Security Planning Self Certification Form be submitted to the Commission yearly as part of each utility's Annual Financial or Annual Assessment Report.

Procedural History

   The Physical and Cyber Security Program Self Certification Requirements for Public Utilities were issued by the Commission in a Tentative Order[1] entered on August 5, 2003 and published in the Pennsylvania Bulletin on August 16, 2003. Comments to the Tentative Order were due on September 5, 2003.

   Comments were filed by the Pennsylvania Telephone Association (PTA), the Energy Association of Pennsylvania (EAP), Pennsylvania-American Water Company (PA-American) and The Peoples Natural Gas Company d/b/a Dominion Peoples (Dominion Peoples). Columbia Gas of Pennsylvania, Inc. (Columbia) provided late comments on September 8, 2003.

   At the Public Meeting of December 4, 2003, the Commission responded to the filed comments and determined that a self certification process for utility security programs should be instituted for the current and anticipated security compliance of all jurisdictional utilities. The Commission ordered that jurisdictional utilities complete and file with the Commission the Physical and Cyber Security Planning Self Certification Form. See Appendix A. Utilities under the reporting requirements of 52 Pa. Code §§ 27.10, 61.28, 63.36, 65.19, 59.48 and 57.47 must file the Self Certification Form at Docket No. M-00031717, at the time each Annual Financial Report is filed, beginning on or after January 1, 2004.[2] Utilities not subject to the reporting requirements above, but subject to the reporting requirements of 52 Pa. Code §§ 29.43, 31.10 and 33.103 must file the Self Certification Form at Docket No. M-00031717, at the time each Annual Assessment Report is filed, beginning on or after January 1, 2004.[3]

   In the Order entered on December 9, 2003, the Commission further ordered the Law Bureau, in conjunction with the Bureau of Fixed Utility Services and the Bureau of Transportation and Safety, to initiate a rulemaking to include the requirement for jurisdictional utilities to develop and maintain appropriate written physical and cyber security plans, emergency response plans and business continuity plans as part of the Commission's regulations. This rulemaking includes the requirement that jurisdictional utilities submit the Self Certification Form to the Commission.

   The various security issues facing our utilities present questions that are fundamental to the public health, safety and convenience of Pennsylvanians. Consequently, each of our jurisdictional utilities must be prepared to demonstrate that it is adequately addressing the security issue so as to enable it to furnish and maintain adequate, efficient, safe and reasonable service. 66 Pa.C.S. § 1501. Therefore, the development, maintenance, exercising and implementation of physical security, cyber security, emergency response, and business continuity plans are necessary to ensure that our jurisdictional utilities are effectively equipped to furnish and maintain adequate, efficient, safe and reasonable service.

   As referenced above, the Commission has explicit statutory authority to institute these reporting requirements and to carry out and enforce the purposes of the Public Utility Code in the public interest. 66 Pa.C.S. §§ 501, 504 and 1501. The subject matter that the Commission may examine includes issues of security, which if ignored, could pose a serious threat to the utilities responsible for providing safe and reliable utility service. Thus, the intent of this rulemaking is to create a minimum set of requirements that can be consistently implemented with sufficient flexibility to account for differences in the types of utilities under the Commission's jurisdiction.

   Through this rulemaking, we underscore our commitment to ensure the safe and reliable delivery of utility service in the Commonwealth by promulgating regulations that require each jurisdictional utility to develop and maintain written physical security plans, cyber security plans, emergency response plans and business continuity plans. In addition, each utility will review and exercise its ability to detect, prevent, respond to and recover from abnormal operating conditions. Compliance with the proposed regulations also requires that each jurisdictional utility file the Self Certification Form.

   The Commission believes that the adoption of the self certification process will aid the safeguarding of public utility assets, but at the same time, recognizes the sensitive nature of the information that each utility must provide us in the Self Certification Form. Disclosure of a Self Certification Form to the public could be used for criminal or terroristic purposes, jeopardize security or cause substantial harm to the entity filing the Self Certification Form. The potential harm from release of a completed form outweighs the public's interest in accessing this information. Therefore, great care will be taken to protect the confidentiality of information contained in the Self Certification Form, commensurate with its extraordinary sensitivity. As such, the Self Certification Form is deemed confidential and access to it will be restricted.[4]

   We further acknowledge that protecting the Commonwealth's infrastructure and key assets necessitates a cooperative paradigm. Homeland security requires coordinated action on the part of federal, state, and local government; the private sector; and concerned citizens. Many other government entities have become actively involved with critical infrastructure protection. For example, the National Electric Reliability Council established security guidelines for physical and cyber security. The Environmental Protection Agency established requirements for emergency plans, vulnerability analysis and corrective measure implementation. The Department of Transportation Office of Pipeline Safety established regulations for security programs and the Pipeline Safety Act was reauthorized to provide for expanded security certification of personnel operating on pipelines. The Federal Railway Administration has established similar protocols.

   We do not wish to replicate rules and regulations that are already in place. However, it is our duty to identify and secure the critical infrastructure and key assets within the Commonwealth under our jurisdiction. Therefore, the Self Certification Form is drafted so that any overlapping reporting duties or regulations by other state or federal agencies will not overly burden utilities under our jurisdiction and plans under this rulemaking may satisfy more than one agency or department.

   Accordingly, under sections 501, 504 and 1501 of the Public Utility Code, 66 Pa.C.S. §§ 501, 504 and 1501; sections 201 and 202 of the Act of July 31, 1968, P. L. 769 No. 240, 45 P. S. §§ 1201--1202, and the regulations promulgated thereunder at 1 Pa. Code §§ 7.1, 7.2 and 7.5; section 204(b) of the Commonwealth Attorneys Act, 71 P. S. § 732.204(b); section 745.5 of the Regulatory Review Act, 71 P. S. § 745.5; and section 612 of The Administrative Code of 1929, 71 P. S. § 232, and the regulations promulgated thereunder at 4 Pa. Code §§ 7.231--7.234, we are considering adopting the proposed regulations set forth in Annex A; Therefore,

It Is Ordered That:

   1.  The proposed rulemaking be opened to consider the regulations set forth in Annex A.

   2.  The Secretary submit this Order, Appendix A and Annex A to the Office of Attorney General for review as to form and legality and to the Governor's Budget Office for review of fiscal impact.

   3.  The Secretary certify this Order, Appendix A and Annex A and deposit them with the Legislative Reference Bureau to be published in the Pennsylvania Bulletin.

   4.  An original and 15 copies of any comments referencing the docket number of the proposed regulations be submitted within 30 days of publication in the Pennsylvania Bulletin to the Pennsylvania Public Utility Commission, Attention:  Secretary, P. O. Box 3265, Harrisburg, PA 17105-3265. When preparing comments, parties should consider this Order in conjunction with the Tentative Order and Order in Docket No. M-00031717.

   5.  A copy of any comments be filed electronically to Kimberly A. Joyce, kjoyce@state.pa.us.

   6.  The contact persons for this rulemaking are (technical) Darren Gill, (717) 783-5244 and (legal) Kimberly A. Joyce, Law Bureau, (717) 705-3819.

   7.  A copy of this Order, Appendix A and Annex A be filed at Docket No. M-00031717.

   8.  A copy of this Order, Appendix A and Annex A be served upon the Pennsylvania Emergency Management Agency, the Pennsylvania Office of Homeland Security, the Department of Environmental Protection, the Energy Association of Pennsylvania, the Pennsylvania Telephone Association, the Pennsylvania Motor Truck Association, the Pennsylvania Bus Association, the Pennsylvania Taxicab and Paratransit Association, Pennsylvania Moving and Storage Association, the Pennsylvania Limousine Association, the Pennsylvania Chapter of the National Association of Water Companies, the Pennsylvania Section of the American Water Works Association, the Pennsylvania Rural Water Association, Pennsylvania League of Cities and Municipalities, Pennsylvania State Association of Boroughs, Pennsylvania Local Government Commission, Pennsylvania State Association of Township Supervisors and the PUC jurisdictional respondents to House Resolution 361.

   9.  All jurisdictional utilities operating within the Commonwealth are directed to file the Physical and Cyber Security Planning Self Certification Form consistent with our previous order at Docket No. M-00031717.

JAMES J. MCNULTY,   
Secretary

   Fiscal Note:  57-234. No fiscal impact; (8) recommends adoption.

Annex A

TITLE 52.  PUBLIC UTILITIES

PART I.  PUBLIC UTILITY COMMISSION

Subpart E.  PUBLIC UTILITY SECURITY PLANNING AND READINESS

CHAPTER 101.  PUBLIC UTILITY PREPAREDNESS THROUGH SELF CERTIFICATION

Sec.

101.1.Purpose.
101.2.Definitions.
101.3.Plan requirements.
101.4.Reporting requirements.
101.5.Confidentiality of self certification form.
101.6.Compliance.

§ 101.1.  Purpose.

   This chapter requires a jurisdictional utility to develop and maintain appropriate written physical security, cyber security, emergency response and business continuity plans to protect this Commonwealth's infrastructure and ensure safe, continuous and reliable utility service. A jurisdictional utility shall submit a Physical and Cyber Security Planning Self Certification Form (Self Certification Form) to the Commission documenting compliance with this chapter.

§ 101.2.  Definitions.

   The following words and terms, when used in this chapter, have the following meanings, unless the context clearly indicates otherwise:

   Abnormal operating condition--A condition possibly showing a malfunction of a component or deviation from normal operations that may:

   (i)  Indicate a condition exceeding design limits.

   (ii)  Result in a hazard to person, property or the environment.

   Business continuity plan--A written plan that will ensure the continuity or uninterrupted provision of operations and services through arrangements and procedures that enable a utility to respond to an event that could occur by chance or unforeseen circumstances. The business continuity plan must:

   (i)  Provide guidance on the system restoration for emergencies, disasters and mobilization.

   (ii)  Establish a comprehensive process addressing business recovery, business resumption and contingency planning.

   Business recovery--The process of planning for and implementing expanded operations to address less time-sensitive business operations immediately following an interruption or disaster.

   Business resumption--The process of planning for and implementing the restarting of defined business operations following an interruption or disaster, usually beginning with the most critical or time-sensitive functions and continuing along a planned sequence to address all identified areas required by the business.

   Contingency planning--Process of developing advance arrangements and procedures that enable a jurisdictional utility to respond to an event that could occur by chance or unforeseen circumstances.

   Critical functions--Business activities or information that cannot be interrupted or unavailable for several business days without significantly jeopardizing operations of the organization.

   Cyber security--The measures designed to protect computers, software and communications networks that support, operate or otherwise interact with the company's operations.

   Cyber security plan--A written plan that delineates a jurisdictional utility's information technology disaster plan. This plan must include:

   (i)  Critical functions requiring automated processing.

   (ii)  Appropriate backup for application software and data.

   (iii)  Alternative methods for meeting critical functional responsibilities in the absence of information technology capabilities.

   (iv)  A recognition of the critical time period for each information system before the utility could no longer continue to operate.

   Emergency response plan--A written plan describing the actions a jurisdictional utility will take if an abnormal operating condition exists, whether due to natural causes or sabotage. Actions include:

   (i)  Identifying and assessing the problem.

   (ii)  Mitigating the problem in a coordinated, timely and effective manner.

   (iii)  Notifying the emergency management system.

   Mission critical--A term used to describe equipment or facilities essential to the organization's ability to perform necessary business functions.

   Physical security--The physical (material) measures designed to safeguard personnel, property and information.

   Physical security plan--

   (i)  A written plan that delineates the response to security concerns at mission critical equipment or facilities.

   (ii)  The plan must include specific features of a mission critical equipment or facility protection program and company procedures to follow based upon changing threat conditions or situations.

   Responsible entity--Person or organization within a jurisdictional utility designated as the security or emergency response liaison to the Commission.

§ 101.3.  Plan requirements.

   (a)  A jurisdictional utility shall develop and maintain written physical and cyber security, emergency response and business continuity plans.

   (b)  A jurisdictional utility shall review and update these plans annually.

   (c)  A jurisdictional utility shall maintain a testing schedule of these plans.

   (d)  A jurisdictional utility shall demonstrate compliance with subsections (a)--(c), through submittal of a Self Certification Form which is available at the Secretary's Bureau and on the Commission's website.

   (e)  A plan shall define roles and responsibilities by individual or job function.

   (f)  The responsible entity shall maintain a document defining the action plans and procedures used in subsection (a).

§ 101.4.  Reporting requirements.

   (a)  A utility under the reporting requirements of §§ 27.10, 57.47, 59.48, 61.28, 63.36 and 65.19 shall file the Self Certification Form at the time each Annual Financial Report is filed, under separate cover at Docket No. M-00031717.

   (b)  A utility not subject to the financial reporting requirements in subsection (a), but subject to the reporting requirements of §§ 29.43, 31.10 and 33.103 (relating to assessment reports; assessment reports; and reports) shall file the Self Certification Form at the time each Annual Assessment Report is filed, under separate cover at Docket No. M-00031717.

§ 101.5.  Confidentiality of self certification form.

   A Physical and Cyber Security Self Certification Form filed at the Commission is not a public document or record and is deemed confidential and proprietary.

§ 101.6.  Compliance.

   (a)  The Commission will review a Self Certification Form filed under § 101.4 (relating to reporting requirements).

   (b)  The Commission may review a utility's cyber security plan, physical security plan, emergency response plan and business continuity plan under 66 Pa.C.S. §§ 504--506 (relating to reports by public utility; duty to furnish information to commission; cooperation in valuing property; and inspection of facilities and records).

   (c)  The Commission may inspect a utility's facility to assess performance of its compliance monitoring under 66 Pa.C.S. §§ 504--506.

   (d)  A utility that has developed and maintained a substantially similar cyber security, physical security, emergency response or business continuity plan under the directive of another state or Federal entity may utilize that substantially similar plan for compliance with this subpart, upon the condition that a Commission representative be permitted to review the cyber security, physical security, emergency response or business continuity plan. A company that is utilizing a substantially similar plan shall briefly describe the alternative plan and identify the authority that requires the alternative plan along with the Self Certification Form filed with the Commission.


Appendix A

PHYSICAL AND CYBER SECURITY PLANNING SELF CERTIFICATION

Company Name:
Utility/Industry Type:
Year Ended:

CONFIDENTIAL
Physical and Cyber Security Planning Self Certification
Docket No. M-00031717F0004
(Do Not Submit Actual Physical, Cyber, Emergency Response or Business Continuity Plans)

Item No.   Classification   Response (Yes - No - N/A*)
1 Does your company have a physical security plan?
2 Has your physical security plan been reviewed and updated in the past year?
3 Is your physical security plan tested annually?
4 Does your company have a cyber security plan?
5 Has your cyber security plan been reviewed and updated in the past year?
6 Is your cyber security plan tested annually?
7 Has your company performed a vulnerability or risk assessment analysis as it relates to physical and/or cyber security?
8 Does your company have an emergency response plan?
9 Has your emergency response plan been reviewed and updated in the past year?
10 Is your emergency response plan tested annually?
11 Does your company have a business continuity plan?
12 Has your business continuity plan been reviewed and updated in the past year?
13 Is your business continuity plan tested annually?

   * Attach a sheet with a brief explanation if N/A is supplied as a response to a question.

   The foregoing certification must be verified by the officer having control of the security planning for the respondent.

   I am authorized to complete this form on behalf of _________________ [name of corporation/partnership/proprietorship] being the _________________ [position] of this corporation/partnership/proprietorship and verify that the facts set forth above are true and correct to the best of my knowledge, information and belief. This verification is made pursuant to 52 Pa. Code § 1.36 and that statements herein are made subject to the penalties of 18 Pa.C.S. § 4904 (relating to unsworn falsification to authorities).

   Name of Officer: _________________

   Signature of Officer:  _________________

   Phone Number of Officer: _________________

   Email Address of Officer: _________________

[Pa.B. Doc. No. 04-1064. Filed for public inspection June 18, 2004, 9:00 a.m.]

_______

[1]  Docket No. M-00031717.

[2]  This group includes common carriers of passengers and/or household goods and jurisdictional telecommunications, electric, gas, steam heating and water/wastewater utilities.

[3]  This group includes common carriers and forwarders of property and railroad carriers.

[4]  Self Certification forms must be filed under separate cover with the Secretary at Docket M-00031717.
