On July 15, the New York State Public Service Commission granted the state’s largest electric and gas utilities permission to lease or transfer utility property amongst themselves and other utilities in the United States and Canada in the event of a cyber-attack. The initiative, part of the Cyber Mutual Assistance (CMA) program, provides for mutual assistance among utility participants in anticipation of, during, or following a cyber incident through the voluntary lease or transfer of services, labor, or equipment.
“New York is a hub for significant financial, governmental, manufacturing, and transportation infrastructure that has higher than normal risk of cyber-attack for either criminal or geopolitical reasons,” said Commission Chair John B. Howard. “Our utilities’ participation in this type of mutual assistance program is both appropriate and timely in light of the increased recent cyber-attacks on critical infrastructure. Being able to recover and return to normal operations as quickly as possible is critical, thus pre-approval of transfers of utility property and equipment under the CMA program is in the public interest.”
In its decision, the commission granted the largest utilities in New York — Consolidated Edison Company of New York, Inc.; Orange and Rockland Utilities, Inc.; National Grid; Central Hudson Gas & Electric Corporation; New York State Electric & Gas Corporation; Rochester Gas & Electric Corporation; and National Fuel Gas Distribution Corporation — approval to lease or transfer utility property to participants of the CMA program. In addition, New York electric and gas utilities that join the CMA program were also granted approval to lease or transfer utility property to participants of the CMA program.
The commission said the utilities’ participation in the CMA program will not adversely affect their provision to provide safe and reliable service as the program participants are under no obligation to respond to assistance requests. Pre-authorization of utility equipment leases or transfers allows the larger utilities to respond to cyber events under the CMA program at the time the assistance is needed, without having to wait for approval by the Commission.
Utility mutual assistance programs, which enable the program participants to share critical resources to facilitate timely recovery following storms or other natural disasters, are a longstanding energy industry practice. The CMA program is an extension of the tradition of mutual assistance through collective emergency response. The program was developed to counter the increasing and evolving threats to the cybersecurity of energy infrastructure. While traditional utility mutual assistance programs are usually coordinated at regional or state level, the CMA program allows utilities across the United States and Canada to share critical resources and equipment during and/or in recovery from a cyber-attack event. The membership is comprised of most of the major New York State electric and gas utilities and over 155 other entities including gas and electric utilities, regional transmission organizations, and independent system operators.
When responding to a cybersecurity incident, the utilities can request assistance in the form of services, equipment, and/or personnel. A member may request certain tools or equipment to aid in the response to the incident itself, or request equipment to replace equipment that was damaged or compromised during a cybersecurity incident. Under the CMA program, the participants directly impacted by a cybersecurity event are not obligated to request or receive assistance. Similarly, utilities are not required to respond to requests for assistance or to provide such assistance.