Dive Brief:

• A group of New York utilities in February asked the state's Public Service Commission (PSC) to confirm that they have the authority to require and enforce Data Security Agreements (DSA) for entities seeking access to customer data or utility systems, such as energy service companies (ESCOs) or distributed energy resource suppliers (DERS). 
• In comments filed Monday with the PSC, third-party providers largely rejected the proposal, describing it as an "overreach" and "burdensome." 
• The utilities' request follows a March 2018 cybersecurity incident that affected New York ESCOs and exposed the utilities and their customers to additional risk.

Dive Insight:

The increasing threat of cyberattacks on critical infrastructure, including the country's energy grid, is a top concern in the power sector. And while utilities, regulators and third-party energy stakeholders agree on the importance of enhanced security measures, comments submitted to the PSC show costs remain a big concern among the involved parties.

Consumer Power Advocates (CPA), a coalition of not-for-profit commercial health care and educational customers in Consolidated Edison's service territory, said that perfect cybersecurity "is not possible to achieve, and if it were, it would come at a cost that would make business impossible to transact cost-effectively."

"Utilities are, by their nature, risk-averse. So are market participants. Each left to its own devices would likely seek to shift as much risk to the other as possible, even if each also recognizes that cybersecurity is important," CPA added in its comments to the commission. 

Colorado-based renewable energy developer AES Distributed Energy, which owns a number of solar facilities in New York, said DERS should be exempted from the proposed regulations. 

"Requiring AES to maintain cybersecurity insurance for each project is an unnecessary and onerous requirement and would likely hinder market penetration and development," attorneys for AES said in their comments.

This sentiment was echoed by the Retail Energy Supply Association (RESA) and others. They all urged the PSC to take a stakeholder's role in the marketplace into consideration. 

"Protections should not be overly burdensome or duplicative, and standardization of cybersecurity protocols should not be achieved at the expense of tailored solutions that address the unique aspects of each stakeholder's role in the marketplace," RESA said.

In their February request to the PSC, Consolidated Edison, Central Hudson Gas & Electric, National Fuel Gas Distribution, New York State Electric & Gas, National Grid and others, claimed that energy service entities (ESE) have protested the proposed data security agreement's "reasonable and minimal data privacy and cybersecurity standards," and have refused to sign without a decision from the commission.

"The protection of sensitive customer data, and utility digital control systems from cyber-attack that could result in the disabling of energy, telecommunications or water service is a priority responsibility of the Department of Public Service (DPS)," spokesman John Chirlin told Utility Dive. "Department staff is currently reviewing a cybersecurity proposal from the State's Utilities as well as numerous stakeholder comments."