Physical and Cyber Security

The Division of Enforcement inspects physical plant of energy providers to see if it meets industry standards. These inspections require a review of physical security systems employed by both gas and electric utilities. Facility perimeters, controlled spaces, production spaces, and restricted spaces are reviewed for physical deterrence implementation methods, types of security systems employed, threat level assessments and risk mitigation responses. Topical areas such as lighting, hardware, control systems, access systems, and entry points are evaluated.

Cyber Security, more appropriately referred to as Cyber Safety, is a more recent activity assigned to the Division of Enforcement. The Division of Enforcement monitors cyber security plans developed by the electric and gas utilities for completeness and best practices. Current standards are continually evolving, both nationally and sector specific, regarding cyber intrusion, detection, prevention and response. The Division of Enforcement participates in national and regional educational opportunities and drill opportunities. Program initiatives include:

• sharing of best practices amongst states,
• collaborating with other agencies,
• piloting projects involving detection sharing techniques of classified information between government entities and private utilities.

The Division of Enforcement has worked extensively with the Federal Energy Regulatory Commission (FERC) Office of Energy Infrastructure Security in sharing of strategic frameworks and assessment techniques.

• Physical & Cyber Safety Rules–Gas
• Physical & Cyber Safety Rules–Electric

Tools and Resources for Utilities: (The following links are included for your information and convenience)

Cybersecurity & Infrastructure Security Agency (CISA) Tools

• Infrastructure Security
• Insider Threat Mitigation
• Tools to Support Information Sharing
• Incident Reporting Form 
• Cyber Security Evaluation Tool (CSET®) | CISA
  • The Cyber Security Evaluation Tool (CSET®) is a stand-alone desktop application that guides asset owners and operators through a systematic process of evaluating Operational Technology and Information Technology. On June 30, 2021, CSET was updated to include a new module: Ransomware Readiness Assessment (RRA). The RRA is a self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend against and recover from a ransomware incident.

US Department of Energy Cybersecurity

• US Department of Energy Cybersecurity
• Cybersecurity Capability Maturity Model (C2M2)

National Institute of Standards and Technology (NIST)

• Critical Infrastructure Resources | NIST
  • Energy Sector
    • Department of Energy's Energy Sector Cybersecurity Framework Implementation Guidance
    • National Association of Regulatory Utility Commissioners’ Cybersecurity Preparedness Evaluation Tool (A tool to help Public Utility Commissions examine a utility’s cybersecurity risk management programs and their capability improvements over time.)
    • National Association of Regulatory Utility Commissioners’ Understanding Cybersecurity Preparedness: Questions for Utilities (A tool to help Public Utility Commissions ask questions to utilities to help them better understand their current cybersecurity risk management programs and practices.)
  • Water and Wastewater Systems Sector
    • American Water Works Association's Process Control System Security Guidance for the Water Sector and Cybersecurity Guidance Tool
    • Water Environment Association of Texas' Cyber Security: A Practical Application of NIST Cybersecurity Framework (webinar)
• SP 800-82 Rev. 3 (Draft), Guide to Operational Technology (OT) Security | CSRC (nist.go

National Association of Regulatory (NARUC)

• Critical Infrastructure, Cybersecurity and Resilience - Cybersecurity

Activities

• The Department of Energy
  • Division of Enforcement participates on:
    • NH Advisory Council on Emergency Preparedness and Security (ACEPS) Critical Infrastructure and Key Resources Protection subcommittee.
    • NH Advisory Council on Emergency Preparedness and Security (ACEPS) Cyber Security Subcommittee.
    • National Association of Regulatory Utility Commissioners (NARUC) Critical Infrastructure Subcommittee (both Staff and Commissioner levels)
  •  Division of Enforcement has:
    • Organized coordinated cyber safety reviews of electric utilities.
    • Organized multi-state regional reviews of cyber safety initiatives of certain electric utilities.
    • Organized Federal cyber safety reviews of certain New Hampshire electric utilities.
    • Initiated state regulatory meetings regarding cyber safety reviews.
    • Conducted physical security reviews of LNG Plants within the state.
  • Division of Enforcement has completed:
    • Control Room inspections of New Hampshire gas utilities.
    • Scada and telemetering reviews of New Hampshire gas utilities.
    • Physical security reviews of New Hampshire gas utilities.
    • Preliminary reviews of electric utilities' physical and cyber safety plans.

History of The Department of Energy's Division of Enforcement's Role in Physical and Cyber Security

• 2001: In the wake of September 11th, 2001, the Public Utilities Commission created an internal Security Team headed by the former Director of the Safety Division and staffed primarily by industry engineers and technical analysts within the Commission. Initially, the security team, on behalf of the Commission, reviewed physical security measures for all major New Hampshire utilities. This was accomplished in coordination with the former New Hampshire Department of Safety’s Office of Emergency Management.
  The Division also had a major role in the Technical Assistance program to review New Hampshire’s Emergency Operations Plan (EOP) and terrorism annex, as well as department and agency standard operating guidelines.
• 2002: RSA 21-P:48 named the Chairman to represent the Public Utilities Commission on the Governor's Advisory Council on Emergency Preparedness. The Council advises the Governor on issues relating to the state's ability to respond to both natural and man-made disasters, and the preparation and maintenance of a state disaster plan. In 2008 this was expanded to include the NH PUC Director of Safety.
• 2005: The PUC Safety Division, on behalf of the Public Utilities Commission, implemented rules for gas utilities that required notifications of security breaches and threats that would impair operations. It also required written security plans to protect facilities, and actions required to mitigate potential threats.
• 2006: RSA 21-P:5-a created a state Division of Homeland Security and Emergency Management within the New Hampshire Department of Safety. This eliminated the former New Hampshire Department of Safety's Office of Emergency Management. NH HSEM was authorized with overseeing the state-level planning, preparation, exercise, response to and mitigation of terrorist threats, incidents, natural and human-caused disasters, and wide-scale threats to public safety. All state agencies are required to cooperate with the agency director for carrying out those duties.
  The PUC Safety Division's role of monitoring public utilities' security efforts plays a vital role in helping New Hampshire accomplish its' mission. The PUC Safety Division not only inspects and oversees security measures utilized by the utilities, but also acts as a technical resource for NH HSEM.
• 2010: The PUC Safety Division's role expanded within the Public Utilities Commission to include reviewing cyber security measures in addition to physical security measures.
• 2013: The PUC Safety Division, on behalf of the Public Utilities Commission, enhanced the rules for gas utilities to develop written security plans to include preventive measures for supervisory control and data acquisition, control centers, critical supply locations and cybersecurity.
• 2014: The PUC Safety Division, on behalf of the Public Utilities Commission, implemented rules for electric utilities that required notifications of security breaches and threats that would impair operations. It also required written risk-based security plans that included threat level assessments, determining critical assets, creating security measures for those assets, response actions, tracking, and awareness training of employees. These plans included physical security and cybersecurity threats.
• 2021: HB2 transferred authority from the former Safety Division of the Public Utilities Commission to the Division of Enforcement of the newly formed Department of Energy.