On December 21, 2017, the Federal Energy Regulatory Commission (FERC) unanimously voted to direct the North American Electric Reliability Corporation (NERC) to modify existing CIP Reliability Standard (CIP-008-5) “Cybersecurity Incident Reporting and Response Planning standards,” citing concerns that current reporting “understates the true scope of cyber related threats facing the bulk electric system.”
FERC Chairman Kevin McIntyre stated, “Cyber security is critical to protecting the nation’s energy infrastructure and we need to be vigilant and proactive in doing so.” The Chairman’s comments are consistent with the Administration’s previously expressed concerns over cybersecurity risks to the energy sector. White House Cybersecurity Executive Order (EO) 13800, issued in May 2017, included a stand-alone section expressing concern over the impact of a “prolonged power outage associated with a significant cyber incident” on national security.
The Notice of Proposed Rulemaking (NOPR), issued pursuant to section 215(d)(5) of the Federal Power Act, would direct NERC to expand the definition of a mandatory reportable cyber incident to include incidents that “compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter or associated Electronic Access Control or Monitoring Systems.” Current CIP standards require reporting only of cyber incidents that actually compromise or disrupt reliability requirements. Comments on the NOPR are due on February 26, 2018.
The NOPR cites a number of statistics as the rationale for proposing to greatly expand the definition of a reportable cybersecurity incident. NERC’s 2017 State of Reliability report indicated there were no reportable cyber incidents in either 2015 or 2016. The NOPR also cites a 2016 U.S. Department of Energy (DOE) Electric Disturbance Reporting Form, which showed four reported cybersecurity incidents, and fifty-nine incidents in which ICS-CERT provided assistance to the energy sector. (The NOPR does note that ICS-CERT statistics for the energy sector include both the electric and the oil/natural gas sectors.)
The NOPR also proposes to direct NERC to:
- Create new categories of data that responsible entities must submit with mandatory reported cyber incidents
- Set a deadline for responsible entities to file cyber incident reports (current requirements only have a mandatory time period for initial reporting)
- Require reporting to ICS-CERT in addition to the ES-ISAC
- Create a new, publicly available report with anonymized data of all cyber incident reports to be submitted to FERC
FERC’s actions underscore the agency’s continuing concerns over cyber risks to the grid and are consistent with FERC’s other actions in 2017, from proposing new security management controls for grid cyber systems in October to its earlier concerns over cyber risk to the supply chain for the bulk electric utility sector. All of this, coupled with follow-up actions from White House EO 13800 and ongoing alerts from the U.S. Department of Homeland Security about nation-state attacks against Critical Infrastructure (CI), will mean an active 2018 cybersecurity risk and compliance agenda.