Burl W. Haar, Executive Secretary

STATE OF MINNESOTA PUBLIC UTILITIES COMMISSION
NOTICE OF COMMISSION INQUIRY
(October 8, 2013)

In the Matter of a Commission Inquiry to Promote Cybersecurity among Minnesota’s Energy Suppliers

PUC Docket Number: E,G-999/CI-13-881

Comment Period: Comment Period closes November 7, 2013

Discussion: The providers of energy services to Minnesota’s residential and business customers have long understood the need for a reliable and safe energy supply. However, with increasing computing capacity and the development of the ubiquitous internet, a new threat to reliability has arisen. The internet has become a critical component of business systems and of supervisory control and data acquisition (SCADA) systems, placing such systems at risk of local or global cyber-attacks. Threats to cybersecurity may focus on theft of customer data, theft of intellectual property, or disruption of service.

An important part of the Minnesota Public Utilities Commission’s statutory mission is to create and maintain a regulatory environment that ensures safe and reliable service. With the increasing threat of cyber incursions into the state’s critical infrastructure, the Commission seeks to increase utilities’ awareness of cyber threats and to assure that Minnesota’s utilities are continually assessing and improving the security of their business, information and control systems and, further, that the utilities have developed plans for recovery and redundancy.

The Commission invites voluntary comments regarding: (i) actions the Commission might take to encourage ongoing cybersecurity efforts to promote reliability and to minimize the risk of cascading failures; and (ii) a general discussion of each utility’s current effort to meet mandatory requirements and/or discretionary cybersecurity recommendations proposed by relevant industry groups or agencies, such as the North American Electric Reliability Corporation (NERC), the National Institute of Standards and Technology (NIST), the Transportation Security Administration (TSA) and/or the Department of Homeland Security (DHS).
PHONE 651-296-7124 • TOLL FREE 800-657-3782 • FAX 651-297-7073 • CONSUMER.PUC@STATE.MN.US 121 7TH PLACE EAST • SUITE 350 • SAINT PAUL, MINNESOTA 55101-2147 WWW.PUC.STATE.MN.US


A number of additional questions are listed in Attachment 1. These questions are intended as a guide and catalyst for each utility to examine its ability to provide reliable service. The Commission does not seek detailed answers to these questions.

Note that the Commission is currently examining a related issue in Docket No. E, G/-999/CI-121344; In the Matter of a Commission Inquiry into Privacy Policies of Rate-Regulated Energy Utilities. Interested parties may wish to follow the progress of that docket by subscribing to the Commission e-filing system at: www.puc.state.mn.us.

Filing Requirements: Utilities, telecommunications carriers, official parties, and state agencies are required to file documents using the Commission’s electronic filing system (eFiling). All parties, participants and interested persons are encouraged to use eFiling: www.puc.state.mn.us, select “eFiling,” and follow the prompts.

Submit Public Comments: E-mail to PublicComments.PUC@state.mn.us. Persons without email access may send comments by U.S. mail to Burl Haar, Executive Secretary, Minnesota Public Utilities Commission, 121 7th Place East, Suite 350, St. Paul MN 55101-2147. Please refer to the Commission’s docket number in all communications.

Full Case Record: All documents filed in this docket are available on the Commission’s website at www.puc.state.mn.us, select “Search eDockets,” enter the year (13) and the docket (881), select “Search.”

Subscribe to the Docket: Receive notification when new documents are filed in this docket at www.puc.state.mn.us, select “Subscribe to a Docket,” and follow the prompts.

Questions about this docket or Commission process and procedure? Contact Kevin O’Grady (651-201-2218) or Andrew Bahn (651-201-2249) of the Commission staff.

Change your mailing preferences: E-mail docketing.puc@state.mn.us or call 651-201-2204.

This document can be made available in alternative formats (e.g., large print or audio) by calling 651-296-0406 (voice). Persons with hearing loss or speech disabilities may call us through their preferred Telecommunications Relay Service.


Attachment 1

Questions to Guide Utility Cybersecurity Review

Leadership

1. Does your organization have a Chief Security Officer, or similar position, and does that person have explicit cybersecurity responsibilities? Are other individuals in your organization specifically assigned cybersecurity responsibility?

2. Has your organization identified external points of contact for cybersecurity-related issues and concerns?
   a. with emergency management/law enforcement
   b. with national security advisors such as the Department of Homeland Security
   c. with other utilities, reliability organizations, ISO/RTOs, NERC, others

Planning

3. Does your company have a cybersecurity policy, plan, strategy or governing document?

4. Is the cybersecurity plan reviewed or audited periodically (when, how often, internally, or by an outside party)?

5. Does your cybersecurity plan contain both cyber and physical security components?

6. Does your cybersecurity plan include alternative methods for meeting critical functional responsibilities in the absence of IT or communication technology?

7. Has your organization conducted a comprehensive cyber-risk or vulnerability assessment of its information systems, control systems and other networked systems? How in-depth was the assessment/audit? Has your company done so in concert with the Department of Homeland Security?

Recovery

8. Does your company have a plan, policy or governing document to address recovery in the event of a disruption of service to consumers?

9. Is the recovery plan reviewed or audited periodically (when, how often, internally, or by an outside party)?


Standards of Practice

10. Does your company adhere to cybersecurity standards and/or recommendations proposed by relevant industry groups or agencies, such as the North American Electric Reliability Corporation (NERC), the National Institute of Standards and Technology (NIST), the Transportation Security Administration (TSA) and/or the Department of Homeland Security (DHS)? What are those standards?

11. What organizations has your company collaborated or interacted with to improve its cybersecurity posture?

12. How do you determine which systems, components and functions get priority in regard to implementation of new cybersecurity measures?

13. What is your company doing to go beyond compliance, that is, to treat compliance as a floor, not a ceiling?

Procurement

14. Are cybersecurity criteria used for vendor and device selection and procurement?

15. Have your vendors documented and independently verified their cybersecurity controls? Who is the verifier and how are they qualified?

16. Are the cybersecurity controls used by your third-party providers beyond the ability of your organization to monitor, understand, or assure? Has your organization explored whether these may create cybersecurity vulnerabilities to your operations?

Personnel Awareness

17. What training is provided to personnel that are involved with cybersecurity control, implementation and policies?

18. Does senior management receive training in cybersecurity practice and procedures?

19. Does your company restrict access to sensitive information to only authorized employees? What criteria are used to select those authorized employees? What steps are taken to assure that the authorized employees maintain required security standards?

20. What personnel/vendor surety/background checking is performed for those with access to key cyber components?
