The New York Public Service Commission will allow the state's largest gas and electric utilities to transfer property among themselves and other utilities in the U.S. and Canada if they suffer a cyberattack, a move that illustrated the growing concern over evolving cyberthreats against energy infrastructure and the potential for supply chain compromises.
The commission's July 15 decision was in response to a February petition by several utilities seeking preapproval to transfer assets or lease equipment among utilities participating in the Cyber Mutual Assistance Program that coordinates resources for companies affected by cyberattacks.
Utilities will be able to request services, equipment and personnel assistance to respond to a cybersecurity event or resources to replace equipment that was damaged or compromised. Participants impacted by a cyberattack would not be required to request or receive help and would not be required to provide it.
The commission's order followed the ransomware attack on the Colonial Pipeline Co. that affected energy access along the East Coast and sharpened focus on efforts to protect critical energy infrastructure from cyberthreats. S&P Global Ratings in a July 14 report pointed to "more credit-relevant cyber events in the last six months than in the previous six years." Almost all recent attacks involved ransomware demands and highlighted attackers' ability to choose targets regardless of geography or sector, the report said. "Swift action remains vital" and can help limit the extent of damage and help mitigate concerns about the potential impact on a company's brand, reputation and competitive position following a cyberattack, Ratings said.
Utility mutual assistance programs have long been used to help restore normal operations after storms and other natural disasters, the commission said in its order (21-M-0106). Petitioners cited several notable cyberattacks that happened recently and said large utilities face millions of attempts per day of parties trying to access their systems, the commission said.
Commission Chair John Howard said in a statement that preapproving transfers of utility property and equipment under the Cyber Mutual Assistance Program is in the public interest because it is critical for utilities to be able to recover and return to normal operations as soon as possible after a cyberattack.
"New York is a hub for significant financial, governmental, manufacturing, and transportation infrastructure that has higher than normal risk of cyber-attack for either criminal or geopolitical reasons," Howard said. "Our utilities' participation in this type of mutual assistance program is both appropriate and timely in light of the increased recent cyber-attacks on critical infrastructure."
Most of New York's major electric and gas utilities participate in the Cyber Mutual Assistance Program, along with 155 other entities including gas and electric utilities, regional transmission organizations and independent system operators. The petitioners included Consolidated Edison Inc., Orange and Rockland Utilities Inc., National Grid PLC, Central Hudson Gas & Electric Corp., New York State Electric & Gas Corp., Rochester Gas and Electric Co. and National Fuel Gas Distribution Corp.