|Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|Maintaining a robust cybersecurity strategy to safeguard and protect the confidentiality, integrity and availability of our critical infrastructure assets as well as all other information systems and the information residing in them is critically important to our business. We face various cyber threats, including malware intrusion, computer viruses, unauthorized access attempts, ransomware attacks, social engineering attacks, hacktivism and potential insider threats. In addition to the cybersecurity threats faced by any business with a cyber presence, as an owner and operator of critical infrastructure assets, we are subject to cybersecurity threats from domestic and foreign threat actors who wish to disrupt our electricity delivery operations and/or the ERCOT bulk power grid. With an ever-increasing share of our operational and administrative activity being dependent on our information systems, we strive to create a company-wide culture of cyber safety that continually monitors risk.
Our Cybersecurity Strategy
Our cybersecurity strategy is built on “defense-in-depth” as recommended by the National Institute of Standards and Technology. We have processes in place to identify, assess, and manage material risks from cybersecurity threats. We have developed and implemented, and we continue to develop and implement, protective measures to reduce risk, manage incidents, and sustain our security posture. For example, in our efforts to lower the risk of ransomware attacks, we have increased our cybersecurity operations by strengthening our defense-in-depth approach to protections and controls, operational resiliency, cyber hygiene and monitoring. Specific steps include tool deployments to mitigate ransomware threats and impacts, as well as implementation of practices and enhancements to minimize the risk of ransomware launching and spreading across the organization. These efforts also include the ongoing identification, review and mitigation of vulnerabilities to our owned or operated systems. An additional protective measure to reduce risk with respect to the unauthorized access to confidential and sensitive data in Oncor’s possession includes our data risk management (DRM) program. Our DRM program focuses on data loss prevention, including as the result of unauthorized access or acquisition, by taking proactive steps to limit confidential and sensitive information from being managed or distributed electronically in an unsecure manner. Led by our executive leadership team, as well as a governance committee and operational stakeholders, our DRM group provides formal guidance, including policies and standards, to reduce our data risk. We continue to participate, review, assess and adjust our mix of activities to improve our grid operations, digital perimeter security and information security. For example, we are evaluating and implementing additional governance focused defensive measures as a result of new National Institute of Standards and Technology guidance.
We have policies and procedures in place to identify, protect, detect, respond and recover from cybersecurity incidents. The life cycle of our incident response includes: (i) preparation through employee training and drills, including regular simulation exercises that include management from various departments in addition to representatives from our information technology security team; (ii) detection and analysis of the cybersecurity incident; (iii) assembling the appropriate response team and escalating the incident to the appropriate parties internally and externally; (iv) containment, eradication, recovery and monitoring; and (v) post incident activity to document the root cause and discuss areas of improvement.
In accordance with our policies and procedures, we investigate any technological, computer, or network security event or incident within our networks or involving confidential and sensitive data maintained by Oncor, including events or incidents involving third-party vendors that interface with our networks or otherwise hold confidential and sensitive data maintained by Oncor. With respect to certain of our third-party vendors, we may also require such third-party vendors to notify us of any cybersecurity incidents and/or vulnerabilities that may impact our operations or involve confidential and sensitive data maintained by Oncor. Multiple security operations centers monitor our digital environment at all times for anomalies, threats, and indicators of compromise. We have a variety of tests performed by internal and external parties related to the integrity of our networks, cyber protections and policies and procedures. Third-party and internal security testing of our network, applications, perimeter, physical equipment and other areas of security are used to test cybersecurity readiness. When a cybersecurity threat either newly materializes or escalates, we elevate communication both internally and externally to ensure situational intelligence is both known and shared to help in defending against that threat.
We are also subject to mandatory and enforceable regulatory standards for critical infrastructure protection, which include cybersecurity-related standards. We are subject to periodic audits by Texas RE of our compliance with critical infrastructure protection standards. In addition, we are required to file an emergency operation plan with the PUCT, including our procedures relating to addressing cyber incidents.
We also participate in, and work with, multiple federal, state, industry, and academic groups dedicated to cybersecurity, such as the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency, the Federal Bureau of Investigations’ InfraGard, an ERCOT critical infrastructure protection working group, the Electricity Information Sharing and Analysis Center, and the Texas Information Sharing and Analysis Organization. This includes information-sharing and coordination with ERCOT, the PUCT, and other ERCOT market participants with a view toward protecting and enhancing the ERCOT grid from cyber and physical attacks and response preparation. In addition, we participate on various technical and advisory boards, such as the advisory board of the Energy Sector Security Consortium, Inc., a nonprofit organization that supports energy sector organizations with the security of their critical technology infrastructures, and the Electricity Subsector Coordinating Council. We believe that our participation and membership within these groups and organizations contributes to security improvements that directly impact our cyber operations.
We believe that cyber safety is everyone’s responsibility at Oncor. We take proactive steps to train, re-train, educate and test our workforce on cyber safety practices and work to strengthen the cyber community within our company. We require an annual cybersecurity training of all credentialled individuals, and each year we hold an annual cyber awareness month, which includes informational events, speakers and additional training resources to increase our workforce’s engagement in cyber safety.
While we have not experienced a cybersecurity incident to date that has had a material impact on Oncor, we have experienced, and expect to continue to experience, threats and attempted intrusions into our technology systems and platforms. Our third-party vendors have been subject, and will likely continue to be subject, to acts that disrupt or attempt to disrupt the services they provide to us. Our technology team works to evaluate third-party solutions purchased, implemented or upgraded to ensure they meet our cybersecurity requirements. Threat actors could also attempt to use our third-party vendors as a conduit to attack us. We are subject to evolving cyber risks related to adversaries attacking our technology infrastructure and platforms and the technology infrastructure and platforms of third-party vendors. See “Item 1A. Risk Factors—Risk Related to Our Business and Operations—Cyber-attacks on us or our third-party vendors could disrupt business operations, initiate the loss or disclosure of critical operating or confidential data, have an adverse impact on our reputation, and expose us to significant liabilities.” A future cybersecurity incident could potentially have a material impact on our business, operations and financial condition. In addition, non-compliance with electric industry specific regulations or violation of laws could have financial penalties, as well as impact our reputation, which could materially impact our results of operations or financial condition. Cybersecurity risk has also contributed to, and is expected to continue to contribute to, increased capital expenditures and operation and maintenance expenses, including as a result of the need for additional hardware, software, equipment, personnel, training and third-party service providers, as well as increased cyber insurance costs.
Our Cybersecurity Team
Our management is responsible for assessing, managing and mitigating all risks relative to our business, including material risks from cybersecurity threats. Within our management team, assessment, management, and mitigation of cybersecurity threats is primarily overseen by our technology group, which has extensive experience in cybersecurity, technology, and digital grid operations. Our technology group is led by Joel Austin, our senior vice president and chief digital officer, and Malia Hodges, our senior vice president and chief information officer. Mr. Austin has over 35 years of technology operations, utility industry, and leadership experience, including more than 16 years of cybersecurity oversight experience. Ms. Hodges has 26 years of technology operations, utility industry, and leadership experience, including seven years as our chief information officer, with responsibility in that role for management of Oncor’s technology function, including cybersecurity. Both Mr. Austin and Ms. Hodges are long-time members of the Edison Electric Institute security and technology policy committee, which focuses on working with federal agencies on cybersecurity risks relevant to the electric industry. Mr. Austin has testified on cybersecurity issues facing the State of Texas and the electric utility industry in front of multiple Texas legislative sub-committees and been asked to discuss cybersecurity risks with members of the U.S. Congress. Mr. Austin and Ms. Hodges also work closely and regularly with PUCT staff and PUCT commissioners on cybersecurity risks and mitigations. We also have a designated chief information security officer who has over 43 years of experience in cybersecurity, a master’s degree in cybersecurity and a doctorate degree in cybersecurity/information assurance. Within our technology group, we maintain a dedicated cybersecurity group and 24/7/365 team that responds to and protects against cybersecurity risks. Our collective cybersecurity staff consists of a group of employees and contractors located inside and outside the state of Texas with a wide range of specialized skills and experience, including through service in the U.S. military and federal agencies, cybersecurity-related certifications, membership and advisory and board positions with industry groups and non-profit organizations focused on cybersecurity, and training in the cyber defense tools and methods we deploy, as well as various higher education degrees related to cybersecurity.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our cybersecurity strategy is built on “defense-in-depth” as recommended by the National Institute of Standards and Technology. We have processes in place to identify, assess, and manage material risks from cybersecurity threats. We have developed and implemented, and we continue to develop and implement, protective measures to reduce risk, manage incidents, and sustain our security posture. For example, in our efforts to lower the risk of ransomware attacks, we have increased our cybersecurity operations by strengthening our defense-in-depth approach to protections and controls, operational resiliency, cyber hygiene and monitoring. Specific steps include tool deployments to mitigate ransomware threats and impacts, as well as implementation of practices and enhancements to minimize the risk of ransomware launching and spreading across the organization. These efforts also include the ongoing identification, review and mitigation of vulnerabilities to our owned or operated systems. An additional protective measure to reduce risk with respect to the unauthorized access to confidential and sensitive data in Oncor’s possession includes our data risk management (DRM) program. Our DRM program focuses on data loss prevention, including as the result of unauthorized access or acquisition, by taking proactive steps to limit confidential and sensitive information from being managed or distributed electronically in an unsecure manner. Led by our executive leadership team, as well as a governance committee and operational stakeholders, our DRM group provides formal guidance, including policies and standards, to reduce our data risk. We continue to participate, review, assess and adjust our mix of activities to improve our grid operations, digital perimeter security and information security. For example, we are evaluating and implementing additional governance focused defensive measures as a result of new National Institute of Standards and Technology guidance.
We have policies and procedures in place to identify, protect, detect, respond and recover from cybersecurity incidents. The life cycle of our incident response includes: (i) preparation through employee training and drills, including regular simulation exercises that include management from various departments in addition to representatives from our information technology security team; (ii) detection and analysis of the cybersecurity incident; (iii) assembling the appropriate response team and escalating the incident to the appropriate parties internally and externally; (iv) containment, eradication, recovery and monitoring; and (v) post incident activity to document the root cause and discuss areas of improvement.
In accordance with our policies and procedures, we investigate any technological, computer, or network security event or incident within our networks or involving confidential and sensitive data maintained by Oncor, including events or incidents involving third-party vendors that interface with our networks or otherwise hold confidential and sensitive data maintained by Oncor. With respect to certain of our third-party vendors, we may also require such third-party vendors to notify us of any cybersecurity incidents and/or vulnerabilities that may impact our operations or involve confidential and sensitive data maintained by Oncor. Multiple security operations centers monitor our digital environment at all times for anomalies, threats, and indicators of compromise. We have a variety of tests performed by internal and external parties related to the integrity of our networks, cyber protections and policies and procedures. Third-party and internal security testing of our network, applications, perimeter, physical equipment and other areas of security are used to test cybersecurity readiness. When a cybersecurity threat either newly materializes or escalates, we elevate communication both internally and externally to ensure situational intelligence is both known and shared to help in defending against that threat.
We are also subject to mandatory and enforceable regulatory standards for critical infrastructure protection, which include cybersecurity-related standards. We are subject to periodic audits by Texas RE of our compliance with critical infrastructure protection standards. In addition, we are required to file an emergency operation plan with the PUCT, including our procedures relating to addressing cyber incidents.
We also participate in, and work with, multiple federal, state, industry, and academic groups dedicated to cybersecurity, such as the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency, the Federal Bureau of Investigations’ InfraGard, an ERCOT critical infrastructure protection working group, the Electricity Information Sharing and Analysis Center, and the Texas Information Sharing and Analysis Organization. This includes information-sharing and coordination with ERCOT, the PUCT, and other ERCOT market participants with a view toward protecting and enhancing the ERCOT grid from cyber and physical attacks and response preparation. In addition, we participate on various technical and advisory boards, such as the advisory board of the Energy Sector Security Consortium, Inc., a nonprofit organization that supports energy sector organizations with the security of their critical technology infrastructures, and the Electricity Subsector Coordinating Council. We believe that our participation and membership within these groups and organizations contributes to security improvements that directly impact our cyber operations.
We believe that cyber safety is everyone’s responsibility at Oncor. We take proactive steps to train, re-train, educate and test our workforce on cyber safety practices and work to strengthen the cyber community within our company. We require an annual cybersecurity training of all credentialled individuals, and each year we hold an annual cyber awareness month, which includes informational events, speakers and additional training resources to increase our workforce’s engagement in cyber safety.
While we have not experienced a cybersecurity incident to date that has had a material impact on Oncor, we have experienced, and expect to continue to experience, threats and attempted intrusions into our technology systems and platforms. Our third-party vendors have been subject, and will likely continue to be subject, to acts that disrupt or attempt to disrupt the services they provide to us. Our technology team works to evaluate third-party solutions purchased, implemented or upgraded to ensure they meet our cybersecurity requirements. Threat actors could also attempt to use our third-party vendors as a conduit to attack us. We are subject to evolving cyber risks related to adversaries attacking our technology infrastructure and platforms and the technology infrastructure and platforms of third-party vendors. See “Item 1A. Risk Factors—Risk Related to Our Business and Operations—Cyber-attacks on us or our third-party vendors could disrupt business operations, initiate the loss or disclosure of critical operating or confidential data, have an adverse impact on our reputation, and expose us to significant liabilities.” A future cybersecurity incident could potentially have a material impact on our business, operations and financial condition. In addition, non-compliance with electric industry specific regulations or violation of laws could have financial penalties, as well as impact our reputation, which could materially impact our results of operations or financial condition. Cybersecurity risk has also contributed to, and is expected to continue to contribute to, increased capital expenditures and operation and maintenance expenses, including as a result of the need for additional hardware, software, equipment, personnel, training and third-party service providers, as well as increased cyber insurance costs.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|While we have not experienced a cybersecurity incident to date that has had a material impact on Oncor, we have experienced, and expect to continue to experience, threats and attempted intrusions into our technology systems and platforms. Our third-party vendors have been subject, and will likely continue to be subject, to acts that disrupt or attempt to disrupt the services they provide to us. Our technology team works to evaluate third-party solutions purchased, implemented or upgraded to ensure they meet our cybersecurity requirements. Threat actors could also attempt to use our third-party vendors as a conduit to attack us. We are subject to evolving cyber risks related to adversaries attacking our technology infrastructure and platforms and the technology infrastructure and platforms of third-party vendors. See “Item 1A. Risk Factors—Risk Related to Our Business and Operations—Cyber-attacks on us or our third-party vendors could disrupt business operations, initiate the loss or disclosure of critical operating or confidential data, have an adverse impact on our reputation, and expose us to significant liabilities.” A future cybersecurity incident could potentially have a material impact on our business, operations and financial condition. In addition, non-compliance with electric industry specific regulations or violation of laws could have financial penalties, as well as impact our reputation, which could materially impact our results of operations or financial condition. Cybersecurity risk has also contributed to, and is expected to continue to contribute to, increased capital expenditures and operation and maintenance expenses, including as a result of the need for additional hardware, software, equipment, personnel, training and third-party service providers, as well as increased cyber insurance costs.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Cybersecurity risk is considered a significant corporate risk by management. Our technology security team provides our management with a weekly cyber update that discusses cybersecurity threats impacting Oncor. Management of our cybersecurity risks begins at the individual employee level, with each employee having responsibility for operating in a cyber safe manner, and flows up to our board of directors, which has overall oversight over Oncor’s corporate risk management efforts. The board of directors has delegated its risk management oversight to the Audit Committee, whose charter provides that it is responsible for discussing with management our major risk exposure, and the steps management takes to monitor and control such exposure, including our risk assessment and risk management process, guidelines, policies and practices.
Our senior leadership team, which includes Mr. Austin and Ms. Hodges, has established a risk management framework to actively manage, mitigate and report on the various risks faced by Oncor. Pursuant to that framework, as frequently as necessary, but not less than quarterly, members of our senior leadership team and additional members of management meet to review and assess various operational, functional, legal and other types of risks facing the company, including risks related to cybersecurity. Discussions at these risk management forums include mitigation strategies and actions to provide oversight and assign responsibility for ongoing treatment and monitoring each specific risk. Risk management information collected at these meetings is then distributed at least quarterly to the Audit Committee of our board of directors and/or our full board of directors. Our risk management efforts, including risks related to cybersecurity, are reported on to the Audit Committee and/or the full board of directors at least quarterly. Mr. Austin and Ms. Hodges also provide separate written reports on cybersecurity risks and activities to both the Audit Committee and the full board of directors, with specific discussion time devoted to cybersecurity at the Audit Committee and/or the full board of directors at least quarterly.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Within our management team, assessment, management, and mitigation of cybersecurity threats is primarily overseen by our technology group, which has extensive experience in cybersecurity, technology, and digital grid operations.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Both Mr. Austin and Ms. Hodges are long-time members of the Edison Electric Institute security and technology policy committee, which focuses on working with federal agencies on cybersecurity risks relevant to the electric industry. Mr. Austin has testified on cybersecurity issues facing the State of Texas and the electric utility industry in front of multiple Texas legislative sub-committees and been asked to discuss cybersecurity risks with members of the U.S. Congress. Mr. Austin and Ms. Hodges also work closely and regularly with PUCT staff and PUCT commissioners on cybersecurity risks and mitigations.
|Cybersecurity Risk Role of Management [Text Block]
|Cybersecurity risk is considered a significant corporate risk by management. Our technology security team provides our management with a weekly cyber update that discusses cybersecurity threats impacting Oncor. Management of our cybersecurity risks begins at the individual employee level, with each employee having responsibility for operating in a cyber safe manner, and flows up to our board of directors, which has overall oversight over Oncor’s corporate risk management efforts. The board of directors has delegated its risk management oversight to the Audit Committee, whose charter provides that it is responsible for discussing with management our major risk exposure, and the steps management takes to monitor and control such exposure, including our risk assessment and risk management process, guidelines, policies and practices.
Our senior leadership team, which includes Mr. Austin and Ms. Hodges, has established a risk management framework to actively manage, mitigate and report on the various risks faced by Oncor. Pursuant to that framework, as frequently as necessary, but not less than quarterly, members of our senior leadership team and additional members of management meet to review and assess various operational, functional, legal and other types of risks facing the company, including risks related to cybersecurity. Discussions at these risk management forums include mitigation strategies and actions to provide oversight and assign responsibility for ongoing treatment and monitoring each specific risk. Risk management information collected at these meetings is then distributed at least quarterly to the Audit Committee of our board of directors and/or our full board of directors. Our risk management efforts, including risks related to cybersecurity, are reported on to the Audit Committee and/or the full board of directors at least quarterly. Mr. Austin and Ms. Hodges also provide separate written reports on cybersecurity risks and activities to both the Audit Committee and the full board of directors, with specific discussion time devoted to cybersecurity at the Audit Committee and/or the full board of directors at least quarterly.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|false
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The board of directors has delegated its risk management oversight to the Audit Committee, whose charter provides that it is responsible for discussing with management our major risk exposure, and the steps management takes to monitor and control such exposure, including our risk assessment and risk management process, guidelines, policies and practices.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our senior leadership team, which includes Mr. Austin and Ms. Hodges, has established a risk management framework to actively manage, mitigate and report on the various risks faced by Oncor. Pursuant to that framework, as frequently as necessary, but not less than quarterly, members of our senior leadership team and additional members of management meet to review and assess various operational, functional, legal and other types of risks facing the company, including risks related to cybersecurity. Discussions at these risk management forums include mitigation strategies and actions to provide oversight and assign responsibility for ongoing treatment and monitoring each specific risk. Risk management information collected at these meetings is then distributed at least quarterly to the Audit Committee of our board of directors and/or our full board of directors. Our risk management efforts, including risks related to cybersecurity, are reported on to the Audit Committee and/or the full board of directors at least quarterly. Mr. Austin and Ms. Hodges also provide separate written reports on cybersecurity risks and activities to both the Audit Committee and the full board of directors, with specific discussion time devoted to cybersecurity at the Audit Committee and/or the full board of directors at least quarterly.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Cybersecurity risk is considered a significant corporate risk by management. Our technology security team provides our management with a weekly cyber update that discusses cybersecurity threats impacting Oncor. Management of our cybersecurity risks begins at the individual employee level, with each employee having responsibility for operating in a cyber safe manner, and flows up to our board of directors, which has overall oversight over Oncor’s corporate risk management efforts. The board of directors has delegated its risk management oversight to the Audit Committee, whose charter provides that it is responsible for discussing with management our major risk exposure, and the steps management takes to monitor and control such exposure, including our risk assessment and risk management process, guidelines, policies and practices.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true