August 25, 2023

How prepared are New Mexico utilities when it comes to cybersecurity?

Of the 26 utilities that responded to a bench request last year inquiring about their cybersecurity practices, only four reported practices that are considered mature, meaning they are likely able to withstand threats.

The New Mexico Public Regulation Commission discussed the responses to the bench request and what steps should be taken next during its Thursday meeting.

“We live in a society where utilities, like light or water or energy, are deeply woven into our daily lives. These utilities, like many things today, are vulnerable to threats, not just physical, including environmental, but digital as well,” McLee Kerolle, a technical advisor, told the regulators. “Imagine waking up one day and finding your city in darkness due to a cyber attack.”

He highlighted examples of cybersecurity breaches in the past, including a 2020 hack into the PRC’s system that left its electronic docket down for several hours and a hack of a U.S. government contractor’s system that resulted in hackers obtaining data from hundreds of electric utilities.

But, Kerolle said, cybersecurity is about more than just protecting the system from hackers. It’s also about accidental damage to the system.

“Cybersecurity is less about the cause of the breach and more about the effect,” he said.

On a global scale, a 2020 analysis found that fewer than half of the electric utilities surveyed rated their own cybersecurity as high.

While Kerolle did not name the utilities whose cybersecurity may be inadequate, he did name the four New Mexico utilities that meet high cybersecurity standards: the Public Service Company of New Mexico, Xcel Energy (Southwestern Public Service Company), EPCOR and Western Farmers Electric Cooperative.

In addition to having mature cybersecurity practices, those four utilities comply with what is known as the North American Electric Reliability Corporation Critical Infrastructure Protection standards, or NERC CIP. NERC CIP is a set of mandatory standards that entities owning or operating facilities that make up part of the U.S. or Canadian bulk electric grid must comply with. The Federal Energy Regulatory Commission initially approved these standards in 2008. Only four of the 26 utilities are subject to NERC CIP, and being subject to those requirements creates a strong incentive for them: Kerolle explained that utilities subject to NERC CIP can face fines of up to $1 million per day for non-compliance.

The PRC’s inquiry into cybersecurity started as an effort spearheaded by former Commissioner Joseph Maestas, who is now the state auditor. The PRC received answers to the initial bench request in November shortly before the regulatory body transitioned from an elected commission to one with appointed members.

About half of the utilities responded to the questions in the initial bench request with simple yes-or-no answers. The PRC wants more detailed information from many of the utilities and may issue another bench request in the future to gain more knowledge about their cybersecurity practices.

Many of the utilities that responded to the PRC bench request have a low level of cybersecurity, which Kerolle said is concerning. But, he acknowledged, that could be because the inquiry did not ask specific questions that required more detailed answers or utilities might have been hesitant to provide in-depth information due to confidentiality concerns.

The 26 utilities were ranked on levels with level one being the lowest level of cybersecurity and level three being the highest. Sixteen of the utilities ranked in level one while six were level two and four were ranked level three.

“As we look ahead, remember that cybersecurity is not a destination, but a journey,” Kerolle said. “Let’s ensure that we’re not just on the right path, but we’re also moving forward with a purpose and determination.”

ETA emission requirements

In other PRC news, the commission is starting an inquiry process into how much carbon dioxide PNM is emitting. This comes because the Energy Transition Act states that utilities that receive approval for a financing order and issue energy transition bonds to assist in the closure of a coal-fired power plant cannot emit more than 400 pounds of carbon dioxide per megawatt-hour starting Jan. 1, 2023. Compliance is measured and verified every three years.

Only one utility, PNM, has sought a financing order to close a coal-fired power plant. However, PNM continues to emit more than 400 pounds of carbon dioxide per megawatt-hour.

This is in part due to factors like supply chain constraints and delays in replacement power projects.

Director of policy administration Arthur O’Donnell emphasized that the PRC is not trying to assess blame. He said the PRC staff has met with PNM, including a meeting a couple weeks ago to go over where the utility is in the process.

The fact that PNM has not yet achieved emissions of less than 400 pounds per megawatt hour does not necessarily mean that PNM is out of compliance with the Energy Transition Act.

Commissioner James Ellison explained that the ETA has two conditions that together trigger the 400 pounds of carbon dioxide per megawatt-hour limit. The first is the financing order, which PNM has received. The second is the issuance of the energy transition bonds. PNM has not yet issued energy transition bonds, and Ellison said the PRC anticipates the utility will do so next year.

The inquiry will result in a rulemaking regarding carbon intensity under the Energy Transition Act. Ellison abstained from voting on opening the inquiry and beginning the rulemaking process.