Current through Vol. 24-21, December 1, 2024
Section R. 460.3506 - Cybersecurity program

Rule 506.

(1) An electric utility or cooperative shall develop, implement, and maintain a cybersecurity program. At a minimum, the cybersecurity program must include procedures to do all of the following:
(a) Protect against the unauthorized acquisition, access, use, or disclosure of customer, electric utility, or cooperative information.
(b) Protect against the unauthorized destruction, degradation, or disruption of electric utility or cooperative information or communication systems, networks, or infrastructure.
(c) Identify and mitigate software vulnerabilities.
(d) Implement a least-privileged electronic access approach to electric utility or cooperative assets and information.
(e) Manage cybersecurity risks relating to vendors and suppliers.
(f) Respond to and recover from a cybersecurity incident as detailed in a cybersecurity incident response plan.
(g) Determine appropriate training requirements for cybersecurity staff and ensure they are met.
(h) Inventory the electric utility's or cooperative's information technology and operations technology hardware and software assets.

(2) In addition to the requirements under subrule (1) of this rule, an electric utility or cooperative shall do all of the following:
(a) Conduct annual assessments of the cybersecurity program using the United States National Institute of Standards and Technology Cybersecurity Framework, the Department of Energy Cybersecurity Capability Maturity Model, or a similar tool.
(b) Conduct an annual exercise to test the procedures to ensure the effectiveness of the program.
(c) At least quarterly, conduct cyber threat simulations, such as phishing, to test employee awareness and responsiveness to cyber threats.
(d) At least annually, conduct cybersecurity awareness and procedure training.

(3) By March 31 of each year, on forms suitable to the commission, an electric utility or cooperative shall file with the commission a written attestation, signed by an officer of the electric utility or cooperative who is authorized to manage the operations of the cybersecurity program, that the electric utility or cooperative maintains a cybersecurity program in compliance with this rule.

Mich. Admin. Code R. 460.3506
2023 MR 7, Eff. 4/10/2023