On May 23, 2016, the Staff of the Public Service Commission (“Staff”) filed a petition (Docket No. 16-0659) requesting that the Delaware Public Service Commission open a docket to review whether cybersecurity guidelines or regulations are needed to ensure and maintain safe and reliable public utility services for customers in the State of Delaware. The Commission has the exclusive jurisdiction and authority over such matters pursuant to 26 Del. C. §§201(a) and 209(a)(2).
No matter how well the utilities monitor and secure these systems, the potential remains for a cybersecurity breach of utility customer information and/or of the utilities' system control systems. As noted in the petition, Staff recommended a discussion of the cybersecurity risks that Delaware's regulated utilities face, to ensure that they are prepared for any such system breach or cyber-attack.
Through the public workshops, Staff confirmed that all regulated utilities in Delaware are aware of the cybersecurity risks and are diligently monitoring facilities and training their workforces to ensure that they are prepared for any potential security breach. The utilities are taking the actions they need to take in order to continue ensuring safe, adequate and reliable utility service to their customers.
To maintain an understanding of regulated utilities’ cybersecurity efforts, all Class A utilities are required to file an annual report in DelaFile that includes both the cybersecurity questions from Staff and the utilities’ responses. Staff will conduct an annual review of the cybersecurity questions and revise as necessary.
The current list of questions is as follows:
Planning/Risk Management
- Is your cybersecurity plan regularly reviewed and audited? If yes, is it audited internally or externally?
- How often is the cybersecurity plan reviewed?
- Do you assess vulnerabilities and threats to your system and assets?
- Do you have a documented risk assessment and management program?
- Is cybersecurity addressed differently for IT and OT systems?
- Does your company include in its procurement contract language cybersecurity requirements for IT and OT assets?
- Do you have a documented records retention policy?
Personnel and Policies
- Are background checks being conducted upon hire for those with access to critical systems and assets?
- Do you provide internal cybersecurity training for all employees?
- Do you provide enhanced internal cybersecurity training for those who work directly in the utility's information technology (IT) and operational technology (OT) networks?
- Are there structural and/or organizational policies and procedures in place that allow the utility to be able to address cybersecurity issues?
- Are there managerial and operational controls in place to ensure compliance with the company’s cybersecurity policies and procedures?
- How quickly is access terminated for personnel who leave the company?
- Do you have certain employees who are assigned as cybersecurity personnel? Or is the function outsourced?
- Do you have specific practices and policies in place for how private customer data is handled, and contingency plans for a breach of that data?
- Are recovery activities communicated to internal stakeholders and executive management teams?
- Do you screen vendors and third parties that have access to cyber control systems?
- Have you implemented processes and procedures for identifying and tracking suspicious cyber activity?
Standards and Guidelines for Reporting
- Do you have a disaster recovery plan? (The plan itself should not be made public.)
- Do you have separate plans for separate business units in the company?
- Are you reporting to the necessary state and/or federal agencies regarding your plan?
- Are response and recovery plans regularly tested?
- Are legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, understood and managed?
- Do you have a list of contacts for cybersecurity information sharing? (e.g., federal and state emergency management, law enforcement, national security agencies, or any others)
- Should the Commission create guidelines or regulations to ensure utilities are properly managing cybersecurity issues?
- Does your utility use multi-factor authentication for system sign-on purposes?
- Do you keep audit logs for all remote connection protocols?
- Do you have the capability to identify and suspend access of users exhibiting unusual computer activity?
- Have you worked with, or used resources provided by, a federal agency (e.g., ICS-CERT/CSET, DHS C3 Program, FERC Architectural Reviews) to conduct a cybersecurity assessment?
2023 Class A Regulated Utility Responses
Delmarva Power & Light 2023 Responses
Chesapeake Utilities 2023 Responses
Tidewater Utilities 2023 Responses
Veolia Water Delaware 2023 Responses
Artesian Water 2023 Responses
2022 Class A Regulated Utility Responses
Delmarva Power & Light 2022 Responses
Chesapeake Utilities 2022 Responses
Tidewater Utilities 2022 Responses
Veolia Water Delaware 2022 Responses
Artesian Water 2022 Responses