Oklahoma Administrative Code (Last Updated: March 11, 2021) |
TITLE 165. Corporation Commission |
Chapter 35. Electric Utility Rules |
Subchapter 33. Homeland Security and Critical Infrastructure |
SECTION 165:35-33-5. Utility Security Plan
Latest version.
- (a) Each electric utility is required to prepare and make available for inspection, a "Homeland Security and Critical Infrastructure Plan" ("Plan") that has been prepared with reference to the applicable NERC Security Guidelines and Standards or equivalent cybersecurity framework and standard as guidance with a defined cybersecurity strategy.(b) The Plan shall be marked as "Highly Sensitive Confidential" and designate those facilities that the utility considers to be Critical Infrastructure (physical assets and computer software as defined in OAC 165:35-33-3 above), and shall set forth the utility's measures to secure such facilities from extended service interruption. The Plan shall also include an estimate of the costs necessary to achieve such measures.(c) The Plan shall remain on site at the utility's business office in accordance with OAC 165:35-33-7(g) below and shall have the most current version of the redlined Plan Update Report attached to the clean version of the utility's latest Plan. At the utility's option, changes will either be redlined or a history of changes may be maintained.(d) The Plan shall list all locations deemed by the utility to be critical, as well as identification of any subsequently increased security measures. All locations and security measures shall be identified by code known only to the utility and designated state government officials and their designees.(e) Any subsequent security measures identified in the Plan shall contain an estimate of the cost necessary to implement such measures, a description of the measures necessary to adequately secure each specific location and an estimated schedule for completion of each measure.(f) All locations identified by the Plan that require additional security measures shall be prioritized by the utility.(g) Beginning December 30, 2005 and on July 1 of each year thereafter, Commission Staff shall submit an Annual Report marked as "Highly Sensitive Confidential" to the Commission, summarizing the results of Staff's review of a utility's Plan (and any Plan Update Reports), along with any recommendations that Staff may have regarding such Plan(s).(h) Beginning December 30, 2005, where the Attorney General elects to submit recommendations to the Commission regarding a utility's Plan, such recommendations shall be marked as "Highly Sensitive Confidential" and shall also be due by July 1 of each subsequent year thereafter.