Current through Reg. 50, No. 13; March 28, 2025
(a) Purpose. This section establishes requirements for the commission's
cybersecurity coordination program, the cybersecurity monitor program, the
cybersecurity monitor, and participation in the cybersecurity monitor program;
and establishes the methods to fund the cybersecurity monitor.
(b) Applicability. This section is applicable
to all electric utilities, including transmission and distribution utilities;
corporations described in Public Utility Regulatory Act (PURA) §32.053;
municipally owned utilities; electric cooperatives; and the Electric
Reliability Council of Texas (ERCOT).
(c) Definitions. The following words and
terms when used in this section have the following meanings, unless the context
indicates otherwise:
(1) Cybersecurity
monitor -- The entity selected by the commission to serve as the commission's
cybersecurity monitor and its staff.
(2) Cybersecurity coordination program -- The
program established by the commission to monitor the cybersecurity efforts of
all electric utilities, municipally owned utilities, and electric cooperatives
in the state of Texas.
(3) Cybersecurity monitor program -- The comprehensive outreach program for
monitored utilities managed by the cybersecurity monitor.
(4) Monitored utility -- A transmission and
distribution utility; a corporation described in PURA §32.053; a
municipally owned utility or electric cooperative that owns or operates
equipment or facilities in the ERCOT power region to transmit electricity at 60
or more kilovolts; or an electric utility, municipally owned utility, or
electric cooperative that operates solely outside the ERCOT power region that
has elected to participate in the cybersecurity monitor program.
(d) Selection of the Cybersecurity
Monitor. The commission and ERCOT will contract with an entity selected by the
commission to act as the commission's cybersecurity monitor. The cybersecurity
monitor must be independent from ERCOT and is not subject to the supervision of
ERCOT. The cybersecurity monitor operates under the supervision and oversight
of the commission.
(e) Qualifications of Cybersecurity Monitor.
(1) The cybersecurity monitor must have the qualifications necessary to perform
the duties and responsibilities under subsection (f) of this section.
(2) The cybersecurity monitor must
collectively possess technical skills necessary to perform cybersecurity
monitoring functions, including the following:
(A) developing, reviewing, and implementing
cybersecurity risk management programs, cybersecurity policies, cybersecurity
strategies, and similar documents;
(B) working knowledge of North American
Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
standards and implementation of those standards; and
(C) conducting vulnerability
assessments.
(3) The cybersecurity monitor staff are subject to background security checks
as determined by the commission.
(4) Each cybersecurity monitor staff member who has access to confidential
information must hold a federally granted secret-level security clearance and
maintain that level of clearance throughout the term of the contract.
(f) Responsibilities of the cybersecurity monitor. The cybersecurity monitor
will gather and analyze information and data provided by ERCOT and voluntarily
disclosed by monitored utilities and cybersecurity coordination program
participants to manage the cybersecurity coordination program and the
cybersecurity monitor program.
(1)
Cybersecurity Coordination Program. The cybersecurity coordination program is
available to all electric utilities, municipally owned utilities, and electric
cooperatives in the state of Texas. The cybersecurity coordination program must
include the following functions:
(A) guidance on best practices in cybersecurity;
(B) facilitation of sharing cybersecurity information among utilities;
(C) research and development of best practices regarding cybersecurity; and
(D) guidance on best practices for
cybersecurity controls for supply chain risk management of cybersecurity
systems used by utilities, which may include, as applicable, best practices
related to:
(i) software integrity and
authenticity;
(ii) vendor risk
management and procurement controls, including notification by a vendor of
incidents related to the vendor's products and services; and
(iii) vendor remote access.
(2) Cybersecurity
Monitor Program. The cybersecurity monitor program is available to all
monitored utilities. The cybersecurity monitor program must include the
functions of the cybersecurity coordination program listed in paragraph (1) of
this subsection in addition to the following functions:
(A) holding regular meetings with monitored
utilities to discuss emerging threats, best business practices, and training
opportunities;
(B) reviewing
self-assessments of cybersecurity efforts voluntarily disclosed by monitored
utilities; and
(C) reporting to the
commission on monitored utility cybersecurity preparedness.
(g) Authority of the
Cybersecurity Monitor.
(1) The cybersecurity
monitor has the authority to conduct monitoring, analysis, reporting, and other
activities related to information voluntarily provided by monitored
utilities.
(2) The cybersecurity
monitor has the authority to request, but not to require, information from a
monitored utility about activities that may be potential cybersecurity
threats.
(h) Ethics
standards governing the Cybersecurity Monitor.
(1) During the period of a person's service
with the cybersecurity monitor, the person must not:
(A) have a direct financial interest in the provision of electric service in the
state of Texas, or have a current contract to perform services for any entity
as described by PURA §31.051 or a corporation described by PURA §32.053;
(B) serve as an officer, director, partner,
owner, employee, attorney, or consultant for ERCOT or any entity as described
by PURA §31.051 or a corporation described by PURA §32.053;
(C) directly or indirectly own or control
securities in any entity, an affiliate of any entity, or direct competitor of
any entity as described by PURA §31.051 or a corporation described by PURA
§32.053, except that it is not a violation of this rule if the person
indirectly owns an interest in a retirement system, institution or fund that in
the normal course of business invests in diverse securities independently of
the control of the person; or
(D) accept a gift, gratuity, or entertainment from ERCOT, any entity, an
affiliate of any entity, or an employee or agent of any entity as described by
PURA §31.051 or a corporation described by PURA §32.053.
(2) The cybersecurity monitor must
not directly or indirectly solicit, request from, suggest, or recommend to any
entity, an affiliate of any entity, or an employee or agent of any entity as
described by PURA §31.051 or a corporation described by PURA §32.053,
the employment of a person by any entity as described by PURA §31.051 or a
corporation described by PURA §32.053 or an affiliate.
(3) The commission may impose post-employment
restrictions for the cybersecurity monitor and its staff.
(i) Confidentiality standards. The
cybersecurity monitor and commission staff must protect confidential
information and data in accordance with the confidentiality standards
established in PURA, the ERCOT protocols, commission rules, and other
applicable laws. The requirements related to the level of protection to be
afforded information protected by these laws and rules are incorporated in this
section.
(j) Reporting requirement.
All reports prepared by the cybersecurity monitor must reflect the
cybersecurity monitor's independent analysis, findings, and expertise. The
cybersecurity monitor must prepare and submit to the commission:
(1) monthly, quarterly, and annual reports;
and
(2) periodic or special reports
on cybersecurity issues or specific events as directed by the commission or
commission staff.
(k) Communication between the Cybersecurity Monitor and the commission.
(1) The personnel of the cybersecurity monitor may communicate with the
commission and commission staff on any matter without restriction, consistent
with confidentiality requirements.
(2) The cybersecurity monitor must:
(A) immediately report directly to the
commission and commission staff any cybersecurity concerns that the
cybersecurity monitor believes would pose a threat to continuous and adequate
electric service or create an immediate danger to the public safety, and notify
the affected utility or utilities of the information reported to the commission
or commission staff;
(B) regularly
communicate with the commission and commission staff, and keep the commission
and commission staff apprised of its activities, findings, and
observations;
(C) coordinate with the commission and commission staff to identify
priorities; and
(D) coordinate with the commission and commission staff to assess the
resources and methods for cybersecurity monitoring, including consulting
needs.
(l) ERCOT's responsibilities and support
role. ERCOT must provide to the cybersecurity monitor any access, information,
support, or cooperation that the commission determines is necessary for the
cybersecurity monitor to perform the functions described by subsection (f) of
this section.
(1) ERCOT must conduct an
internal cybersecurity risk assessment, vulnerability testing, and employee
training to the extent that ERCOT is not otherwise required to do so under
applicable state and federal cybersecurity and information security
laws.
(2) ERCOT must submit an
annual report to the commission on ERCOT's compliance with applicable
cybersecurity and information security laws by January 15 of each year or as
otherwise determined by the commission.
(3) Information submitted in the report under
paragraph (2) of this subsection is confidential and not subject to disclosure
under chapter 552, Government Code, and must be protected in accordance with
the confidentiality standards established in PURA, the ERCOT protocols,
commission rules, and other applicable laws.
(m) Participation in the cybersecurity
monitor program.
(1) A transmission and
distribution utility, a corporation described in PURA §32.053, and a
municipally owned utility or electric cooperative that owns or operates
equipment or facilities in the ERCOT power region to transmit electricity at 60
or more kilovolts must participate in the cybersecurity monitor
program.
(2) An electric utility,
municipally owned utility, or electric cooperative that operates solely outside
the ERCOT power region may elect to participate in the cybersecurity monitor
program.
(A) An electric utility, municipally
owned utility, or electric cooperative that elects to participate in the
cybersecurity monitor program must annually:
(i) file with the commission its intent to
participate in the program and to contribute to the costs of the cybersecurity
monitor's activities in the project established by commission staff for this
purpose; and
(ii) complete and
submit to ERCOT the participant agreement form available on the ERCOT website
to furnish information necessary to determine and collect the monitored
utility's share of the costs of the cybersecurity monitor's activities under
subsection (n) of this section.
(B) The cybersecurity monitor program year is
the calendar year. An electric utility, municipally owned utility, or electric
cooperative that elects to participate in the cybersecurity monitor program
must file its intent to participate and complete the participant agreement form
under subparagraph (A) of this subsection for each calendar year that it
intends to participate in the program.
(i) Notification of intent to participate and a completed participant agreement
form may be submitted at any time during the program year; however, an electric
utility, municipally owned utility, or electric cooperative that elects to
participate in an upcoming program year is encouraged to complete these steps
by December 1 prior to the program year in order to obtain the benefit of
participation for the entire program year.
(ii) The cost of participation is determined
on an annual basis and will not be prorated.
(iii) A monitored utility that operates
solely outside of the ERCOT power region may discontinue its participation in
the cybersecurity monitor program at any time but is required to pay the annual
cost of participation for any calendar year in which the monitored utility
submitted a notification of intent to participate.
(3) Each monitored utility must designate one or more points of contact who can
answer questions the cybersecurity monitor may have regarding the monitored
utility's cyber and physical security activities.
(n) Funding of the Cybersecurity Monitor.
(1) ERCOT must use funds from the rate
authorized by PURA §39.151(e) to pay for the cybersecurity monitor's
activities.
(2) A monitored utility
that operates solely outside of the ERCOT power region must contribute to the
costs incurred for the cybersecurity monitor's activities.
(A) On an annual basis, ERCOT must calculate
the non-refundable, fixed fee that a monitored utility that operates solely
outside of the ERCOT power region must pay in order to participate in the
cybersecurity monitor program for the upcoming calendar year.
(B) ERCOT must file notice of the fee in the
project designated by the commission for this purpose and post notice of the
fee on the ERCOT website by October 1 of the preceding program year.
(C) Before filing notice of the fee as
required by paragraph (2)(B) of this subsection, ERCOT must obtain approval of
the fee amount and calculation methodology from the commission's executive
director.