On May 23, 2016, the Staff of the Public Service Commission (“Staff”) filed a petition (Docket No. 16-0659) requesting that the Delaware Public Service Commission open a docket to review whether cybersecurity guidelines or regulations are needed to ensure and maintain safe and reliable public utility services for customers in the State of Delaware. The Commission has the exclusive jurisdiction and authority over such matters pursuant to 26 Del. C. §§201(a) and 209(a)(2).
There remains a potential for a cybersecurity breach of utility customer information and/or their system control systems. No matter how well the utilities monitor secure these systems. As noted in the petition, Staff recommended a discussion of the cybersecurity risks that Delaware’s regulated utilities may have to ensure that they are prepared for any such system breach or cyber-attack.
Through the public workshops, Staff confirmed that all regulated utilities in Delaware are aware of the cybersecurity risks and are diligently monitoring facilities and training workforce to ensure that they are prepared for any potential security breach. The utilities are taking the actions that they need to take in order to continue ensuring safe, adequate and reliable utility service to its customers.
To maintain an understanding of regulated utilities’ cybersecurity efforts, all Class A utilities are required to file an annual report in DelaFile that includes both the cybersecurity questions from Staff and the utilities’ responses. Staff will conduct an annual review of the cybersecurity questions and revise as necessary.
The current list of questions is as follows:
- Is your cybersecurity plan regularly reviewed and audited? Internally or externally?
- Has your plan been reviewed recently? If not how often is it reviewed?
- Do you assess vulnerabilities to your system and assets?
- Do you assess threats to your system and assets?
- Do you prioritize risks and what processes do you use?
Personnel and Policies
- Are background checks being conducted upon hire?
- Do you provide internal cyber security training for all employees?
- Do you provide enhanced internal cyber security training for those that are actually in the utilities operating network?
- Are there structural and/or organizational policies and procedures in place that allows the utility to able to address or think through these things (cybersecurity issues)?
- Are there managerial and operational controls in place?
- How quickly is access to those personnel who quit/fired eliminated?
- Do you have certain employees that are assigned as cybersecurity personnel? Or outsourced?
- Do you have specific practices and policies in place about how your private customer data should be handled? Contingency plans for breach of data?
- Are recovery activities communicated to internal stakeholders and executive and management teams?
- Do you screen vendors and third parties that have access to cyber control systems?
Standards and Guidelines for Reporting
- Do you have a disaster recovery plan? (The plan itself should not be made public.)
- Do you have separate plans for separate business units in the company?
- Are you reporting to the necessary agencies in regards to your plan?
- Are response and recovery plans regularly tested?
- Are legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, understood and managed?
- Do you have a list of contacts for cybersecurity information sharing? (i.e. Federal and state emergency management, law enforcement, National Security, or Any others?)
- Should the Commission create guidelines or regulations to ensure utilities are properly managing cyber security issues?
2016 Class A Regulated Utility Responses
*Responses will be posted as they are received
Utility Name & Response
– Artesian Water
– Chesapeake Utilities
– Delmarva Power & Light
– Suez Water Delaware
– Tidewater Utilities