Mich. Admin. Code R. 460.3506 - Cybersecurity program
Rule 506.
(1) An electric utility or cooperative shall develop, implement, and maintain a cybersecurity program. At a minimum, the cybersecurity program must include procedures to do all of the following:
(a) Protect against the unauthorized acquisition, access, use, or disclosure of customer, electric utility, or cooperative information.
(b) Protect against the unauthorized destruction, degradation, or disruption of electric utility or cooperative information or communication systems, networks, or infrastructure.
(c) Identify and mitigate software vulnerabilities.
(d) Implement a least-privileged electronic access approach to electric utility or cooperative assets and information.
(e) Manage cybersecurity risks relating to vendors and suppliers.
(f) Respond to and recover from a cybersecurity incident as detailed in a cybersecurity incident response plan.
(g) Determine appropriate training requirements for cybersecurity staff and ensure they are met.
(h) Inventory the electric utility's or cooperative's information technology and operations technology hardware and software assets.
(2) In addition to the requirements under subrule (1) of this rule, an electric utility or cooperative shall do all of the following:
(a) Conduct annual assessments of the cybersecurity program using the United States National Institute of Standards and Technology Cybersecurity Framework, the Department of Energy Cybersecurity Capability Maturity Model, or a similar tool.
(b) Conduct an annual exercise to test the procedures to ensure the effectiveness of the program.
(c) At least quarterly, conduct cyber threat simulations, such as phishing, to test employee awareness and responsiveness to cyber threats.
(d) At least annually, conduct cybersecurity awareness and procedure training.
(3) By March 31 of each year, on forms suitable to the commission, an electric utility or cooperative shall file with the commission a written attestation, signed by an officer of the electric utility or cooperative who is authorized to manage the operations of the cybersecurity program, that the electric utility or cooperative maintains a cybersecurity program in compliance with this rule.