16 Tex. Admin. Code § 25.367

Current through Reg. 49, No. 49; December 6, 2024
Section 25.367 - Cybersecurity Monitor
(a) Purpose. This section establishes requirements for the commission's cybersecurity coordination program, the cybersecurity monitor program, the cybersecurity monitor, and participation in the cybersecurity monitor program; and establishes the methods to fund the cybersecurity monitor.
(b) Applicability. This section is applicable to all electric utilities, including transmission and distribution utilities; corporations described in Public Utility Regulatory Act (PURA) §32.053; municipally owned utilities; electric cooperatives; and the Electric Reliability Council of Texas (ERCOT).
(c) Definitions. The following words and terms when used in this section have the following meanings, unless the context indicates otherwise:
(1) Cybersecurity monitor -- The entity selected by the commission to serve as the commission's cybersecurity monitor and its staff.
(2) Cybersecurity coordination program -- The program established by the commission to monitor the cybersecurity efforts of all electric utilities, municipally owned utilities, and electric cooperatives in the state of Texas.
(3) Cybersecurity monitor program -- The comprehensive outreach program for monitored utilities managed by the cybersecurity monitor.
(4) Monitored utility -- A transmission and distribution utility; a corporation described in PURA §32.053; a municipally owned utility or electric cooperative that owns or operates equipment or facilities in the ERCOT power region to transmit electricity at 60 or more kilovolts; or an electric utility, municipally owned utility, or electric cooperative that operates solely outside the ERCOT power region that has elected to participate in the cybersecurity monitor program.
(d) Selection of the Cybersecurity Monitor. The commission and ERCOT will contract with an entity selected by the commission to act as the commission's cybersecurity monitor. The cybersecurity monitor must be independent from ERCOT and is not subject to the supervision of ERCOT. The cybersecurity monitor operates under the supervision and oversight of the commission.
(e) Qualifications of Cybersecurity Monitor.
(1) The cybersecurity monitor must have the qualifications necessary to perform the duties and responsibilities under subsection (f) of this section.
(2) The cybersecurity monitor must collectively possess technical skills necessary to perform cybersecurity monitoring functions, including the following:
(A) developing, reviewing, and implementing cybersecurity risk management programs, cybersecurity policies, cybersecurity strategies, and similar documents;
(B) working knowledge of North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards and implementation of those standards; and
(C) conducting vulnerability assessments.
(3) The cybersecurity monitor staff are subject to background security checks as determined by the commission.
(4) Every cybersecurity monitor staff member who has access to confidential information must each have a federally-granted secret level clearance and maintain that level of security clearance throughout the term of the contract.
(f) Responsibilities of the cybersecurity monitor. The cybersecurity monitor will gather and analyze information and data provided by ERCOT and voluntarily disclosed by monitored utilities and cybersecurity coordination program participants to manage the cybersecurity coordination program and the cybersecurity monitor program.
(1) Cybersecurity Coordination Program. The cybersecurity coordination program is available to all electric utilities, municipally owned utilities, and electric cooperatives in the state of Texas. The cybersecurity coordination program must include the following functions:
(A) guidance on best practices in cybersecurity;
(B) facilitation of sharing cybersecurity information among utilities;
(C) research and development of best practices regarding cybersecurity;
(D) guidance on best practices for cybersecurity controls for supply chain risk management of cybersecurity systems used by utilities, which may include, as applicable, best practices related to:
(i) software integrity and authenticity;
(ii) vendor risk management and procurement controls, including notification by a vendor of incidents related to the vendor's products and services; and
(iii) vendor remote access.
(2) Cybersecurity Monitor Program. The cybersecurity monitor program is available to all monitored utilities. The cybersecurity monitor program must include the functions of the cybersecurity coordination program listed in paragraph (1) of this subsection in addition to the following functions:
(A) holding regular meetings with monitored utilities to discuss emerging threats, best business practices, and training opportunities;
(B) reviewing self-assessments of cybersecurity efforts voluntarily disclosed by monitored utilities; and
(C) reporting to the commission on monitored utility cybersecurity preparedness.
(g) Authority of the Cybersecurity Monitor.
(1) The cybersecurity monitor has the authority to conduct monitoring, analysis, reporting, and other activities related to information voluntarily provided by monitored utilities.
(2) The cybersecurity monitor has the authority to request, but not to require, information from a monitored utility about activities that may be potential cybersecurity threats.
(h) Ethics standards governing the Cybersecurity Monitor.
(1) During the period of a person's service with the cybersecurity monitor, the person must not:
(A) have a direct financial interest in the provision of electric service in the state of Texas; or have a current contract to perform services for any entity as described by PURA §31.051 or a corporation described by PURA §32.053.
(B) serve as an officer, director, partner, owner, employee, attorney, or consultant for ERCOT or any entity as described by PURA §31.051 or a corporation described by PURA §32.053;
(C) directly or indirectly own or control securities in any entity, an affiliate of any entity, or direct competitor of any entity as described by PURA §31.051 or a corporation described by PURA §32.053, except that it is not a violation of this rule if the person indirectly owns an interest in a retirement system, institution or fund that in the normal course of business invests in diverse securities independently of the control of the person; or
(D) accept a gift, gratuity, or entertainment from ERCOT, any entity, an affiliate of any entity, or an employee or agent of any entity as described by PURA §31.051 or a corporation described by PURA §32.053.
(2) The cybersecurity monitor must not directly or indirectly solicit, request from, suggest, or recommend to any entity, an affiliate of any entity, or an employee or agent of any entity as described by PURA §31.051 or a corporation described by PURA §32.053, the employment of a person by any entity as described by PURA §31.051 or a corporation described by PURA §32.053 or an affiliate.
(3) The commission may impose post-employment restrictions for the cybersecurity monitor and its staff.
(i) Confidentiality standards. The cybersecurity monitor and commission staff must protect confidential information and data in accordance with the confidentiality standards established in PURA, the ERCOT protocols, commission rules, and other applicable laws. The requirements related to the level of protection to be afforded information protected by these laws and rules are incorporated in this section.
(j) Reporting requirement. All reports prepared by the cybersecurity monitor must reflect the cybersecurity monitor's independent analysis, findings, and expertise. The cybersecurity monitor must prepare and submit to the commission:
(1) monthly, quarterly, and annual reports; and
(2) periodic or special reports on cybersecurity issues or specific events as directed by the commission or commission staff.
(k) Communication between the Cybersecurity Monitor and the commission.
(1) The personnel of the cybersecurity monitor may communicate with the commission and commission staff on any matter without restriction consistent with confidentiality requirements.
(2) The cybersecurity monitor must:
(A) immediately report directly to the commission and commission staff any cybersecurity concerns that the cybersecurity monitor believes would pose a threat to continuous and adequate electric service or create an immediate danger to the public safety, and notify the affected utility or utilities of the information reported to the commission or commission staff;
(B) regularly communicate with the commission and commission staff, and keep the commission and commission staff apprised of its activities, findings, and observations;
(C) coordinate with the commission and commission staff to identify priorities; and
(E) coordinate with the commission and commission staff to assess the resources and methods for cybersecurity monitoring, including consulting needs.
(l) ERCOT's responsibilities and support role. ERCOT must provide to the cybersecurity monitor any access, information, support, or cooperation that the commission determines is necessary for the cybersecurity monitor to perform the functions described by subsection (f) of this section.
(1) ERCOT must conduct an internal cybersecurity risk assessment, vulnerability testing, and employee training to the extent that ERCOT is not otherwise required to do so under applicable state and federal cybersecurity and information security laws.
(2) ERCOT must submit an annual report to the commission on ERCOT's compliance with applicable cybersecurity and information security laws by January 15 of each year or as otherwise determined by the commission.
(3) Information submitted in the report under paragraph (2) of this subsection is confidential and not subject to disclosure under chapter 552, Government Code, and must be protected in accordance with the confidentiality standards established in PURA, the ERCOT protocols, commission rules, and other applicable laws.
(m) Participation in the cybersecurity monitor program.
(1) A transmission and distribution utility, a corporation described in PURA §32.053, and a municipally owned utility or electric cooperative that owns or operates equipment or facilities in the ERCOT power region to transmit electricity at 60 or more kilovolts must participate in the cybersecurity monitor program.
(2) An electric utility, municipally owned utility, or electric cooperative that operates solely outside the ERCOT power region may elect to participate in the cybersecurity monitor program.
(A) An electric utility, municipally owned utility, or electric cooperative that elects to participate in the cybersecurity monitor program must annually:
(i) file with the commission its intent to participate in the program and to contribute to the costs of the cybersecurity monitor's activities in the project established by commission staff for this purpose; and
(ii) complete and submit to ERCOT the participant agreement form available on the ERCOT website to furnish information necessary to determine and collect the monitored utility's share of the costs of the cybersecurity monitor's activities under subsection (n) of this section.
(B) The cybersecurity monitor program year is the calendar year. An electric utility, municipally owned utility, or electric cooperative that elects to participate in the cybersecurity monitor program must file its intent to participate and complete the participant agreement form under subparagraph (A) of this subsection for each calendar year that it intends to participate in the program.
(i) Notification of intent to participate and a completed participant agreement form may be submitted at any time during the program year, however, an electric utility, municipally owned utility, or electric cooperative that elects to participate in an upcoming program year is encouraged to complete these steps by December 1 prior to the program year in order to obtain the benefit of participation for the entire program year.
(ii) The cost of participation is determined on an annual basis and will not be prorated.
(iii) A monitored utility that operates solely outside of the ERCOT power region may discontinue its participation in the cybersecurity monitor program at any time but is required to pay the annual cost of participation for any calendar year in which the monitored utility submitted a notification of intent to participate.
(3) Each monitored utility must designate one or more points of contact who can answer questions the Cybersecurity Monitor may have regarding a monitored utility's cyber and physical security activities.
(n) Funding of the Cybersecurity Monitor.
(1) ERCOT must use funds from the rate authorized by PURA §39.151(e) to pay for the cybersecurity monitor's activities.
(2) A monitored utility that operates solely outside of the ERCOT power region must contribute to the costs incurred for the cybersecurity monitor's activities.
(A) On an annual basis, ERCOT must calculate the non-refundable, fixed fee that a monitored utility that operates solely outside of the ERCOT power region must pay in order to participate in the cybersecurity monitor program for the upcoming calendar year.
(B) ERCOT must file notice of the fee in the project designated by the commission for this purpose and post notice of the fee on the ERCOT website by October 1 of the preceding program year.
(C) Before filing notice of the fee as required by paragraph (2)(B) of this subsection, ERCOT must obtain approval of the fee amount and calculation methodology from the commission's executive director.

16 Tex. Admin. Code § 25.367

Adopted by Texas Register, Volume 45, Number 22, May 29, 2020, TexReg 3620, eff. 6/4/2020