Dive Brief:
- A group of New York utilities earlier this month asked the state's Public Service Commission (PSC) to confirm that they have the authority to require and enforce Data Security Agreements (DSA) for entities seeking access to customer data or utility systems, such as energy service companies (ESCO) or distributed energy resource suppliers (DERS).
- According to the utilities, these energy service entities (ESE) have protested the data security agreement's "reasonable and minimal data privacy and cybersecurity standards," and have refused to sign without a decision from the commission.
- The utilities' request comes after a March 2018 cybersecurity incident that affected New York ESCOs and exposed the utilities and their customers to additional risk.
Dive Insight:
As the electric grid becomes more distributed and interconnected, cybersecurity is increasingly a concern: the New York utilities say the cost of a cybersecurity incident averaged more than $17 million for the sector in 2017, a 22.7% increase over the 2016 costs.
According to the utilities, many energy service entities initially objected to the proposed agreement, which included a requirement for cyber insurance, a data security rider detailing cybersecurity requirements for each utility, and, for some of the utilities, a vendor questionnaire concerning the state of each entity's cybersecurity.
The utilities include Consolidated Edison, Central Hudson Gas & Electric, National Fuel Gas Distribution, New York State Electric & Gas, National Grid and others.
The companies told regulators that they support the PSC's efforts to develop competitive markets, including those involving ESEs. "However, those markets must develop in tandem with maintaining the security of customer data and utility IT systems through appropriate cybersecurity measures," the utilities said in a Feb. 4 filing.
"Each market participant must bear the cost responsibility of its IT systems and customers without shifting cost responsibility to nonparticipating customers or entities. Moreover, entities must be required to responsibly participate in the market by safeguarding confidential data, particularly customer data, and the Joint Utilities' IT systems," the group argued.
There are "currently no formal requirements associated with cybersecurity or data protection for ESCOs, DERS, and the like," Consolidated Edison told Utility Dive in a statement. "We are trying to protect customer data and utility systems."
The Retail Energy Supply Association (RESA) opposed the utilities' request and called on regulators to reject it.
Allowing utilities to enforce the DSAs would "effectively constitute an amendment to the Uniform Business Practices that has not been subjected to the rulemaking requirements of the State Administrative Procedure Act," the group said in comments, adding the request would "seek to impose significant requirements that are not in existing Commission rules."
Comments on the issue are due to the commission on April 29, after which Con Ed officials say they expect the PSC will issue an order.
"The costs of implementing reasonable cybersecurity controls significantly outweigh the risks associated with not having adequate controls," the utilities said in their filing. "The number of cybersecurity incidents continues to rise each year."