Physical and Cyber Security

The Division of Enforcement inspects physical plant of energy providers to see if it meets industry standards and monitors cyber security plans developed by the electric and gas utilities for completeness and best practices.

The Division of Enforcement inspects physical plant of energy providers to see if it meets industry standards. These inspections require a review of physical security systems employed by both gas and electric utilities. Facility perimeters, controlled spaces, production spaces, and restricted spaces are reviewed for physical deterrence implementation methods, types of security systems employed, threat level assessments and risk mitigation responses. Topical areas such as lighting, hardware, control systems, access systems, and entry points are evaluated.

Cyber Security, more appropriately referred to as Cyber Safety, is a more recent activity assigned to the Division of Enforcement. The Division of Enforcement monitors cyber security plans developed by the electric and gas utilities for completeness and best practices. Current standards are evolving, both nationally and sector specific, regarding cyber intrusion, detection, prevention and response. The Division of Enforcement participates in national and regional educational opportunities and drill opportunities. Program initiatives include:

  • sharing of best practices amongst states,
  • collaborating with other agencies,
  • piloting projects involving detection sharing techniques of classified information between government entities and private utilities.

The Division of Enforcement has worked extensively with the Federal Energy Regulatory Commission (FERC) Office of Energy Infrastructure Security in sharing of strategic frameworks and assessment techniques.

Activities

  • The Department of Energy’s Division of Enforcement participates on the NH ACEPS Critical Infrastructure and Key Resources Protection subcommittee.
  • The Department of Energy’s Division of Enforcement participates on the NH ACEPS Cyber Security Subcommittee.
  • The Department of Energy’s Division of Enforcement participates on the NARUC Critical Infrastructure Subcommittee (both Staff and Commissioner levels)
  • The Division of Enforcement has completed preliminary reviews of electric utilities' physical and cyber safety plans.
  • The Division of Enforcement has initiated state regulatory meetings regarding cyber safety reviews.
  • The Division of Enforcement has organized coordinated cyber safety reviews of electric utilities.
  • The Division of Enforcement has organized multi-state regional reviews of cyber safety initiatives of certain electric utilities.
  • The Division of Enforcement has organized Federal cyber safety reviews of certain New Hampshire electric utilities.
  • The Department of Energy’s Division of Enforcement has completed physical security reviews of New Hampshire gas utilities.
  • The Department of Energy’s Division of Enforcement conducts physical security reviews of LNG Plants within the state.
  • The Department of Energy’s Division of Enforcement has completed Control Room inspections of New Hampshire gas utilities.
  • The Department of Energy’s Division has completed Scada and telemetering reviews of New Hampshire gas utilities.

History of The Department of Energy's Division of Enforcement's Role in Physical and Cyber Security

  • 2001: In the wake of September 11th, 2001, the Public Utilities Commission created an internal Security Team headed by the former Director of the Safety Division and staffed primarily by industry engineers and technical analysts within the Commission. Initially, the security team, on behalf of the Commission, reviewed physical security measures for all major New Hampshire utilities. This was accomplished in coordination with the former New Hampshire Department of Safety’s Office of Emergency Management.
    The Division also had a major role in the Technical Assistance program to review New Hampshire’s Emergency Operations Plan (EOP) and terrorism annex, as well as department and agency standard operating guidelines.
  • 2002: RSA 21-P:48 named the Chairman to represent the Public Utilities Commission on the Governor's Advisory Council on Emergency Preparedness. The Council advises the Governor on issues relating to the state's ability to respond to both natural and man-made disasters, and the preparation and maintenance of a state disaster plan. In 2008 this was expanded to include the NH PUC Director of Safety.
  • 2005: The PUC Safety Division, on behalf of the Public Utilities Commission, implemented rules for gas utilities that required notifications of security breaches and threats that would impair operations. It also required written security plans to protect facilities, and actions required to mitigate potential threats.
  • 2006: RSA 21-P:5-a created a state Division of Homeland Security and Emergency Management within the New Hampshire Department of Safety. This eliminated the former New Hampshire Department of Safety's Office of Emergency Management. NH HSEM was authorized with overseeing the state-level planning, preparation, exercise, response to and mitigation of terrorist threats, incidents, natural and human-caused disasters, and wide-scale threats to public safety. All state agencies are required to cooperate with the agency director for carrying out those duties.
    The PUC Safety Division's role of monitoring public utilities' security efforts plays a vital role in helping New Hampshire accomplish its' mission. The PUC Safety Division not only inspects and oversees security measures utilized by the utilities, but also acts as a technical resource for NH HSEM.
  • 2010: The PUC Safety Division's role expanded within the Public Utilities Commission to include reviewing cyber security measures in addition to physical security measures.
  • 2013: The PUC Safety Division, on behalf of the Public Utilities Commission, enhanced the rules for gas utilities to develop written security plans to include preventive measures for supervisory control and data acquisition, control centers, critical supply locations and cybersecurity.
  • 2014: The PUC Safety Division, on behalf of the Public Utilities Commission, implemented rules for electric utilities that required notifications of security breaches and threats that would impair operations. It also required written risk-based security plans that included threat level assessments, determining critical assets, creating security measures for those assets, response actions, tracking, and awareness training of employees. These plans included physical security and cybersecurity threats.
  • 2021: HB2 transferred authority from the former Safety Division of the Public Utilities Commission to the Division of Enforcement of the newly formed Department of Energy.