ORDER NUMBER
G-385-22
IN THE MATTER OF
the Utilities Commission Act, RSBC 1996, Chapter 473
and
British Columbia Utilities Commission
Establishment of a Two-Year Pilot of a Cybersecurity Framework for Public Utilities
BEFORE:
David Morton, Chair
on December 23, 2022
ORDER
WHEREAS:
A. The BCUC has general supervision of all public utilities pursuant to section 23 of the Utilities Commission Act (UCA). Further, pursuant to section 38 of the UCA, a public utility must provide and maintain its property and equipment in a condition that enables it to provide service to the public that the BCUC considers is in all respects adequate, safe, efficient, just and reasonable;
B. BCUC staff conducted a high-level cybersecurity survey in 2022, the results of which indicate a wide variance in the ability of public utilities to mitigate cybersecurity risk;
C. The BCUC has observed increasing rates and severity of cyber-attacks globally and within Canada and the significant costs to recover from cybersecurity incidents;
D. The BCUC has developed a framework to address cybersecurity risk for public utilities (Cybersecurity Framework). The Cybersecurity Framework is flexible and scalable based on size and risk of the public utility and makes use of existing industry guidance for regulatory efficiency;
E. The BCUC proposes to introduce the Cybersecurity Framework on a two-year pilot basis to assess its effectiveness in addressing public utility cybersecurity risk (Pilot). At the completion of the Pilot, the BCUC will consider adopting the Cybersecurity Framework on a permanent basis; and
F. The BCUC considers that a public utility comment process to consider the establishment of the Pilot is warranted.
NOW THEREFORE the BCUC orders as follows:
1. A regulatory timetable is established, as set out in Appendix A to this order.
2. Public utilities are invited to submit letters of comment for the BCUC’s consideration on the following:
i) The establishment of the Pilot;
ii) The Cybersecurity Framework for Public Utilities attached as Appendix B1 to this order; and
iii) The Annual Cybersecurity Declaration for Public Utilities attached as Appendix B2 to this order.
3. Letters of comment must be submitted by the date established in the regulatory timetable attached as Appendix A to this order in the Letter of Comment Form and be submitted on the BCUC’s website, or submitted by email to commission.secretary@bcuc.com, mail, courier or personal delivery to the British Columbia Utilities Commission, Suite 410, 900 Howe Street, Vancouver, BC V6Z 2N3.
DATED at the City of Vancouver, in the Province of British Columbia, this 23rd day of December 2022.
BY ORDER
Original signed by:
D. M. Morton
Commissioner
Attachment
British Columbia Utilities Commission
Establishment of a Two-year Pilot of a Cybersecurity Framework for Public Utilities
REGULATORY TIMETABLE
Action | Date (2023)
Letters of comment from Public Utilities | Thursday, March 2
Further process | To be determined