On December 21, 2017, the Federal Energy Regulatory Commission (FERC) proposed a rule to direct the North American Electric Reliability Corporation (NERC) to clarify and expand the scope of cyber incident reporting. The rule envisions that the NERC will require reporting of cyber incidents when there is a compromise of, or even an attempt to compromise, certain network infrastructure.
If the rule is finalized, cyber incidents would have to be reported to both the Electricity Information Sharing and Analysis Center (E-ISAC), which is required under the current standard, and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is an office within the Department of Homeland Security (DHS).
In 2016 the federal government issued guidance on how the private sector can exchange certain types of cyber threat information with the government and, in accordance with the Cybersecurity Act of 2015 (“Act”), retain liability protection. According to this guidance, private-sector entities may share “cyber threat indicators” and “defensive measures” (which are specific terms defined by law) through DHS’s Automated Indicator Sharing (AIS) initiative, an online web form, email or certain other information-sharing programs. However, the guidance explicitly notes that private-sector entities “will not receive liability protection under the Act” if they share cyber-related information in a manner that is not consistent with the Act’s implementing guidelines.
If the NERC’s standards are updated as proposed in the rule, the standards should be tailored to and incorporate, to the greatest extent possible, existing federal guidelines and procedures. Similarly, regardless of whether the rule is finalized, private-sector entities should consider participating in the AIS initiative as part of their broader cybersecurity strategies.