On November 10, the Public Utility Commission launched a review of its current regulations relating to cybersecurity – including requirements for reporting cyber attacks on utility systems and the regulations for utility self-certification of their security planning and preparedness.

The Commission voted 5-0 to issue an Advanced Notice of Proposed Rulemaking (ANOPR), seeking comments from interested stakeholders, including members of the regulated industry, statutory advocates, the public, and any other interested parties. 

The cybersecurity regulations cover all the utilities regulated by the PUC-- electric, natural gas, steam, water, wastewater, telecommunications, railroads, motor vehicle and transportation utilities.

A 60-day public comment period will begin with the publication of this ANOPR in the Pennsylvania Bulletin.

Areas of Interest

The overriding goal of the PUC’s review is to explore approaches to ensuring cybersecurity fitness in public utilities.  As part of this process, the ANOPR seeks input on key cybersecurity points for public utilities regulated by the PUC, including--

-- Updating cyber attack reporting regulations – including potential modifications to current reporting guidelines, which focus primarily on interruption of service or damages, to also include growing concerns about attempts to interfere with utility computer, software, and operating systems.

-- Verification for utility cybersecurity plans – including the exploration of different approaches to regularly certify that plans and programs are in place, are updated and tested annually, and/or comply with relevant federal or industry standards.

-- Updating terms and definitions for cybersecurity, cybersecurity plans, cyber attacks, cybersecurity measures, and other related concepts.

-- Combining cybersecurity reporting and certification regulations – bringing all the PUC’s different cybersecurity regulations together in a single chapter of regulations, which could be applied uniformly to all utilities overseen by the PUC.

-- Any additional considerations related to the cybersecurity fitness of public utilities and licensed entities regulated by the PUC.

Submitting Comments

After this ANOPR has been published in the Pennsylvania Bulletin, interested parties may submit written comments, referencing Docket No. L-2022-3034353, within 60 days from the publication date. 

Comments may be filed either through the PUC’s eFiling system or by mail.

[Posted: November 10, 2022]

11/14/2022