MPSC updates rules to make reporting of cybersecurity plans and attacks mandatory

Published on April 02, 2018 by Chris Galford

© Shutterstock

The Michigan Public Service Commission (MPSC) recently proposed new rules that would require all investor-owned and cooperative utilities to provide an annual cybersecurity report.

Included in those reports would be cybersecurity programs and planning and a description of employee cybersecurity training. Such operators in Michigan are also now required to notify the MPSC as soon as a cybersecurity incident occurs and results in either loss of service, financial damage or breach of sensitive business or customer data.

“The Commission is working with multiple stakeholders to take a proactive approach to address cybersecurity threats, and to examine programs and procedures designed to protect system resiliency and reliability,” Sally Talberg, chairman of the MPSC, said.

The burden on investor-owned utilities, such as Consumers Energy Co. and DTE Electric Co., will increase, requiring that they include in their annual reports an overview of major past and future investments in cybersecurity efforts.

The overall drive behind these changes are based on reports of U.S. energy facilities and the grid being targeted by criminal elements, something which puts the reliability of the grid as a whole at risk.

As a result, the MPSC will hold a public hearing on the proposed rules known as the Technical Standards for Electric Service on May 8 in Lansing. The commission will accept written comments on the rules until May 29.