FERC Mandates Reporting of Attempted Cybersecurity Breaches

The Federal Energy Regulatory Commission (FERC) has ordered the North American Electric Reliability Corp. (NERC) to broaden, within six months, its Critical Infrastructure Protection (CIP) reliability standards to include mandatory reporting of cybersecurity incidents that could harm the bulk electric system (BES).

FERC’s Order No. 848issued on July 19 directs NERC to develop and submit modifications to CIP standards to mandate reporting of cybersecurity incidents that “compromise, or attempt compromise” of an entity’s electronic security perimeter (ESP) or associated electronic access control or monitoring system (EACMS). An ESP is essentially a border surrounding a network to which cyber systems are connected to the grid using a routable protocol. EACMS are cyber assets that control or monitor electronic access of ESP or cyber systems.

Under NERC’s CIP-008-5 reliability standard (Cyber Security—Incident Reporting and Response Planning), incidents must be reported only if they have “compromised or disrupted one or more reliability tasks.” However, as FERC explained in a notice of proposed rulemaking (NOPR) that was issued on December 21, 2017,  the threshold under current standards “may understate the true scope of cyber-related threats facing the grid.” In particular, FERC was concerned that the lack of any reported incidents in 2015 and 2016 suggests a gap in the current mandatory reporting requirement. The 2017 State of Reliability report by NERC, the nonprofit entity responsible for enforcing FERC-approved mandatory reliability standards, echoed that concern, FERC said.

“Cyber threats to the bulk power system are ever changing, and they are a matter that commands constant vigilance,” FERC Chairman Kevin J. McIntyre said in a statement on July 19. “Industry must be alert to developing and emerging threats, and a modified standard will improve awareness of existing and future cyber security threats.”

Specific Information and Timeframes

Along with mandating that responsible entities report cybersecurity incidents, FERC wants NERC to require that information in cybersecurity incident reports include “certain minimum information” to improve the quality of reporting and allow for ease of comparison. These include the functional impact of the incident, whether achieved or attempted; the attack vector used; and the level of intrusion achieved or attempted.

FERC also wants NERC to establish deadlines for filing cybersecurity incident reports once a compromise or attempted compromise is identified. Reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC)—but now, also to the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (DHS ICS-CERT) or its successor. The DHS ICS-CERT is “undergoing a reorganization and rebranding effort,” FERC noted, and if it no longer exists, the agency that replaces it would receive the reports.

“With regard to timing, we conclude that NERC should establish reporting timelines for when the responsible entity must submit Cyber Security Incident reports to the E-ISAC and ICS-CERT based on a risk impact assessment and incident prioritization approach to incident reporting,” FERC said. For example, higher-risk incidents—such as detecting malware within the ESP or EACMS—could require the report be submitted within an hour, similar to reporting deadlines in CIP-008-5. Lower-risk incidents, such as detection of attempts at unauthorized access to the ESP or EACMS, could have a reporting timeframe of between eight and 24 hours.

NERC, meanwhile, will also need to file an annual, publicly available summary of the reports (preserving entity anonymity) with FERC.

A New Mandate for the Power Sector

The final rule will likely elicit a mixed reaction from the power industry. Though it has been highly concerned by increasing and potentially more destructive cyber-incidents, the industry does not take well to mandates.

In comments submitted to FERC about its December 2017 NOPR to direct NERC to address the cybersecurity incident reporting gap, a number of trade associations—including the Edison Electric Institute (EEI) and the National Rural Electric Cooperative Association (NRECA)—and a handful of utilities said they would support “existing voluntary reporting practices” as opposed to mandates. EEI and NRECA, specifically, argued that member companies are already engaged in partnerships with government to share threat and vulnerability information.

“Mandating such sharing will overlap with these voluntary efforts and may harm the partnerships and ability of the programs to enhance cybersecurity for the electric grid,” they said. It could also force companies to shift their focus to compliance activity, posing new technical and administrative challenges that could impact participation in information-sharing programs, as power company Eversource noted.

Other entities also raised concerns about the risk of over-reporting, specifically of irrelevant information. Others argued that the reporting requirements already exist under the Department of Energy’s mandate to collect electric event disturbances using Form OE-417, and suggested that FERC instead require responsible entities submit copies of that form to the E-ISAC and ICS-CERT.

EnergySec, a nonprofit dedicated to sharing information about physical and cybersecurity, meanwhile, raised the concern that the proposal was too broad, and that determining incidents that might facilitate future cyber-incidents would be “highly subjective and could easily be construed to include systems and networks that are outside the scope of [FERC’s] authority.”

Responding to those concerns, FERC said that it had directed NERC to ensure the scope of new reporting requirements was tailored “to provide better information on cybersecurity threats and vulnerabilities without imposing an undue burden on responsible entities.” FERC said it wasn’t convinced that the rule would adversely impact existing voluntary information sharing or pose an incremental compliance burden.

—Sonal Patel is a POWER associate editor (@sonalcpatel, @POWERmagazine)