(a) Purpose. This section establishes requirements for the commission's cybersecurity coordination program, the cybersecurity monitor program, the cybersecurity monitor, and participation in the cybersecurity monitor program; and establishes the methods to fund the cybersecurity monitor.
(b) Applicability. This section is applicable to all electric utilities, including transmission and distribution utilities; corporations described in Public Utility Regulatory Act (PURA) §32.053; municipally owned utilities; electric cooperatives; and the Electric Reliability Council of Texas (ERCOT).
(c) Definitions. The following words and terms when used in this section have the following meanings, unless the context indicates otherwise:
(1) Cybersecurity monitor -- The entity selected by the commission to serve as the commission's cybersecurity monitor and its staff.
(2) Cybersecurity coordination program -- The program established by the commission to monitor the cybersecurity efforts of all electric utilities, municipally owned utilities, and electric cooperatives in the state of Texas.
(3) Cybersecurity monitor program -- The comprehensive outreach program for monitored utilities managed by the cybersecurity monitor.
(4) Monitored utility -- A transmission and distribution utility; a corporation described in PURA §32.053; a municipally owned utility or electric cooperative that owns or operates equipment or facilities in the ERCOT power region to transmit electricity at 60 or more kilovolts; or an electric utility, municipally owned utility, or electric cooperative that operates solely outside the ERCOT power region that has elected to participate in the cybersecurity monitor program.
(d) Selection of the Cybersecurity Monitor. The commission and ERCOT will contract with an entity selected by the commission to act as the commission's cybersecurity monitor. The cybersecurity monitor must be independent from ERCOT and is not subject to the supervision of ERCOT. The cybersecurity monitor operates under the supervision and oversight of the commission.
(e) Qualifications of Cybersecurity Monitor.
(1) The cybersecurity monitor must have the qualifications necessary to perform the duties and responsibilities under subsection (f) of this section.
(2) The cybersecurity monitor must collectively possess technical skills necessary to perform cybersecurity monitoring functions, including the following:
(3) The cybersecurity monitor staff are subject to background security checks as determined by the commission.
(4) Every cybersecurity monitor staff member who has access to confidential information must hold a federally granted secret-level security clearance and maintain that level of clearance throughout the term of the contract.
(f) Responsibilities of the cybersecurity monitor. The cybersecurity monitor will gather and analyze information and data provided by ERCOT and voluntarily disclosed by monitored utilities and cybersecurity coordination program participants to manage the cybersecurity coordination program and the cybersecurity monitor program.
(1) Cybersecurity Coordination Program. The cybersecurity coordination program is available to all electric utilities, municipally owned utilities, and electric cooperatives in the state of Texas. The cybersecurity coordination program must include the following functions:
(2) Cybersecurity Monitor Program. The cybersecurity monitor program is available to all monitored utilities. The cybersecurity monitor program must include the functions of the cybersecurity coordination program listed in paragraph (1) of this subsection in addition to the following functions:
(g) Authority of the Cybersecurity Monitor.
(1) The cybersecurity monitor has the authority to conduct monitoring, analysis, reporting, and other activities related to information voluntarily provided by monitored utilities.
(2) The cybersecurity monitor has the authority to request, but not to require, information from a monitored utility about activities that may be potential cybersecurity threats.
(h) Ethics standards governing the Cybersecurity Monitor.
(1) During the period of a person's service with the cybersecurity monitor, the person must not:
(2) The cybersecurity monitor must not directly or indirectly solicit, request from, suggest, or recommend to any entity, an affiliate of any entity, or an employee or agent of any entity as described by PURA §31.051 or a corporation described by PURA §32.053, the employment of a person by any entity as described by PURA §31.051 or a corporation described by PURA §32.053 or an affiliate.
(3) The commission may impose post-employment restrictions for the cybersecurity monitor and its staff.
(i) Confidentiality standards. The cybersecurity monitor and commission staff must protect confidential information and data in accordance with the confidentiality standards established in PURA, the ERCOT protocols, commission rules, and other applicable laws. The requirements related to the level of protection to be afforded information protected by these laws and rules are incorporated in this section.
(j) Reporting requirement. All reports prepared by the cybersecurity monitor must reflect the cybersecurity monitor's independent analysis, findings, and expertise. The cybersecurity monitor must prepare and submit to the commission:
(1) monthly, quarterly, and annual reports; and
(2) periodic or special reports on cybersecurity issues or specific events as directed by the commission or commission staff.
(k) Communication between the Cybersecurity Monitor and the commission.
(1) The personnel of the cybersecurity monitor may communicate with the commission and commission staff on any matter without restriction consistent with confidentiality requirements.
(2) The cybersecurity monitor must:
(l) ERCOT's responsibilities and support role. ERCOT must provide to the cybersecurity monitor any access, information, support, or cooperation that the commission determines is necessary for the cybersecurity monitor to perform the functions described by subsection (f) of this section.
(1) ERCOT must conduct an internal cybersecurity risk assessment, vulnerability testing, and employee training to the extent that ERCOT is not otherwise required to do so under applicable state and federal cybersecurity and information security laws.
(2) ERCOT must submit an annual report to the commission on ERCOT's compliance with applicable cybersecurity and information security laws by January 15 of each year or as otherwise determined by the commission.
(3) Information submitted in the report under paragraph (2) of this subsection is confidential and not subject to disclosure under chapter 552, Government Code, and must be protected in accordance with the confidentiality standards established in PURA, the ERCOT protocols, commission rules, and other applicable laws.
(m) Participation in the cybersecurity monitor program.
(1) A transmission and distribution utility, a corporation described in PURA §32.053, and a municipally owned utility or electric cooperative that owns or operates equipment or facilities in the ERCOT power region to transmit electricity at 60 or more kilovolts must participate in the cybersecurity monitor program.
(2) An electric utility, municipally owned utility, or electric cooperative that operates solely outside the ERCOT power region may elect to participate in the cybersecurity monitor program.
(3) Each monitored utility must designate one or more points of contact who can answer questions the cybersecurity monitor may have regarding the monitored utility's cyber and physical security activities.
(n) Funding of the Cybersecurity Monitor.
(1) ERCOT must use funds from the rate authorized by PURA §39.151(e) to pay for the cybersecurity monitor's activities.
(2) A monitored utility that operates solely outside of the ERCOT power region must contribute to the costs incurred for the cybersecurity monitor's activities.
Source Note: The provisions of this §25.367 adopted to be effective June 4, 2020, 45 TexReg 3620