
Press Release

PUC Enhances Cyber Rulemaking to Meet Next-Generation Utility Security Challenges

Published on 4/24/2025

Filed under: Electric Gas Pipeline Telecommunications Water and Wastewater

Commission Seeks Stakeholder Input on Updated Cyber Standards for Public Utilities

HARRISBURG – The Pennsylvania Public Utility Commission (PUC) today took another key step in its ongoing review of utility cybersecurity regulations, voting 5-0 to issue a Supplemental Advance Notice of Proposed Rulemaking (ANOPR) that seeks additional public input on proposed revisions to the PUC’s existing cybersecurity reporting and planning requirements for utilities.

Utilities and the essential systems they operate are increasingly prime targets for bad actors — and the Commission is taking decisive steps to ensure that Pennsylvania’s cybersecurity regulations are robust, adaptive, and aligned with the real-world risks facing our critical infrastructure.

Today’s next steps by the Commission continue a broad study of cyber-related regulations, including the reporting of cyber incidents and utility self-certification of cybersecurity planning. It follows the review of extensive stakeholder comments on whether the PUC’s regulations remain adequate in the face of evolving cyber threats, and how best to ensure the cybersecurity fitness of regulated utilities.

Strengthening Cybersecurity Readiness in a Changing Landscape

The Supplemental ANOPR reflects significant developments in the cybersecurity landscape since 2022 – including continued warnings from national security officials about the vulnerability of critical infrastructure, and new proposed federal rules to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), led by the Cybersecurity & Infrastructure Security Agency (CISA) at the U.S. Department of Homeland Security.

In response to these developments, the Commission is requesting additional public input on specific topics related to the cybersecurity fitness of utilities and licensed entities under PUC jurisdiction. The Commission has also included new working proposals, developed by PUC Staff, which outline potential changes to the PUC’s regulatory framework – including revised incident reporting rules, new classification structures for utilities, and requirements for compliance with recognized cybersecurity standards.

Summary of Proposed Revisions

As outlined in today’s order, the PUC Staff Working Proposals include:

  • Restructuring and consolidating cybersecurity regulations into new chapters of the PUC’s Code, focused on risk-based standards and incident response.

  • Eliminating duplicative or outdated requirements, including the removal of cyber-related elements from general accident reporting and security planning and readiness regulations.

  • Introducing new utility classifications for determining the appropriate level of cybersecurity oversight and requirements.

  • Mandating annual cybersecurity certifications, with references to established federal standards.

  • Establishing updated cyber incident reporting procedures, including defined timelines and notification methods.

The Staff proposals are intended to provide additional clarity and serve as a basis for further discussion. A full list of questions for stakeholder comment is included in Appendix A of the Supplemental ANOPR, while the draft regulatory language is included in Appendix B.

 

Comment Period and Filing Instructions

The Commission welcomes comments from interested stakeholders – including utilities, industry organizations, consumer advocates, and members of the public – regarding the proposed revisions. Stakeholders who previously filed comments are thanked for their participation and are encouraged to review and respond to the new questions and proposals.

Written comments referencing Docket No. L-2022-3034353 must be submitted within 60 days of publication of this Supplemental ANOPR in the Pennsylvania Bulletin.

Comments may be filed electronically through the PUC’s eFiling system or sent by mail. Filings that include confidential or proprietary information must be submitted by overnight delivery.

For additional filing instructions, visit: www.puc.pa.gov/filing-resources/efiling

 

About the PUC

The Pennsylvania Public Utility Commission balances the needs of consumers and utilities; ensures safe and reliable utility service at reasonable rates; protects the public interest; educates consumers to make independent and informed utility choices; furthers economic development; and fosters new technologies and competitive markets in an environmentally sound manner.

Visit the PUC’s website at puc.pa.gov for recent news releases and video of select proceedings. You can also follow us on X (formerly Twitter), Facebook, LinkedIn, Instagram, and YouTube. Search for the “Pennsylvania Public Utility Commission” or “PA PUC” on your favorite social media channel for updates on utility issues and other helpful consumer information.

# # #

Docket No.: L-2022-3034353
