- (a) Each utility shall develop, maintain, and follow a written physical security plan designed to protect the utility’s critical equipment and facilities from breaches of security. For purposes of this section, “critical equipment and facilities” means utility infrastructure without which the utility could not provide safe and reliable service to its customers.
(b) The plan shall be risk-based and incorporate:
- (1) A threat level assessment;
- (2) A list of critical equipment and facilities to which the plan applies;
- (3) Defined security measures for critical equipment and facilities;
- (4) Response procedures and notifications upon discovery of a breach in security;
- (5) Defined process to track events; and
- (6) Employee awareness training programs.
- (c) Each utility shall develop, maintain, and follow a written information cyber security plan designed to protect the utility’s critical cyber assets. For purposes of this section, “critical cyber assets” means those electronic data, communications, and computer network systems without which the utility could not provide safe reliable service to its customers.
(d) The plan shall be risk-based and incorporate:
- (1) A threat level assessment;
- (2) A list of critical cyber assets;
- (3) Defined security measures for critical cyber assets;
- (4) Response procedures and notifications upon discovery of a breach in security;
- (5) Defined process to track events; and
- (6) Employee awareness training programs.
- (e) Each utility shall submit to the department annually one electronic copy of each of its physical security plan and cyber security plan. If any such plan contains confidential information, the utility shall so notify the department in writing to provide the department with an opportunity to review the confidential information at the utility’s offices in New Hampshire.
- (f) On the 15th day of the month following the last day of each quarter, each utility shall file Form E-37 “Quarterly Report of Equipment Theft, Sabotage, and Breaches of Security,” pursuant to En 308.11 reporting all material breaches of security as defined within the plans.
Source. #14101, eff 10-22-24, EXPIRES: 10-22-34 (see Revision Note at chapter heading for En 300)