The Federal Energy Regulatory Commission (FERC) has directed the North American Electric Reliability Corporation (NERC) to revise its Reliability Standards to develop enhanced Cyber Security Incident reporting requirements. The goal of these requirements, which will require the reporting of Cyber Security Incidents that compromise or attempt to compromise electronic security perimeters or associated electronic access control or monitoring systems, is to “improve awareness of existing and future cyber security threats and potential vulnerabilities.” FERC gave NERC six months to prepare and file the revised Reliability Standards.
In December 2017, FERC proposed that NERC develop revisions to its Reliability Standards to require the reporting of Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS). FERC had said the lack of reportable incidents in 2015 and 2016 was due to not requiring reporting of attempts to compromise cyber systems. The NERC 2017 State of Reliability report suggested that incidents that must be reported should be redefined to be more “granular” and to include incidents that may be “precursors to something more serious.” NERC explained that “[w]hile there were no reportable cyber security incidents during 2016 and therefore none that caused a loss of load, this does not necessarily suggest that the risk of a cyber security incident is low.”
Under NERC’s existing rules, regulated entities must report Cyber Security Incidents only if they have actually “compromised or disrupted one or more reliability tasks.” In its proposal, FERC explained that this reporting threshold may understate the true scope of cyber-related threats facing the Bulk Electric System (BES). In an effort to improve awareness of existing and future cyber security threats and vulnerabilities, FERC suggested that NERC develop and submit modifications to the existing Reliability Standards to augment the reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the BES.
Consistent with NERC’s recommendation in the 2017 State of Reliability report, FERC’s directive consists of four elements, all of which are intended to broaden or “augment the current Cyber Security Incident reporting requirement.” NERC must develop revised Reliability Standards to incorporate these four elements:
- Responsible entities must report Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s ESP or associated EACMS.
- Required information in Cyber Security Incident reports should include certain minimum information to improve the quality of reporting and allow for ease of comparison by ensuring that each report includes specified fields of information.
- Filing deadlines for Cyber Security Incident reports should be established once a compromise or disruption to reliable BES operation, or an attempted compromise or disruption, is identified by a responsible entity.
- Cyber Security Incident reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC), rather than FERC, but the reports should also be sent to the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team.
FERC also directed NERC to file an annual, public and anonymized summary of the reports with FERC. FERC explained that it does not view these changes as a wholesale change in cyber incident reporting that would supplant or otherwise preempt other voluntary reporting, as some commenters had suggested. Instead, FERC views these rules as a new “baseline understanding” that, along with the “additional context from voluntary reports received by the E-ISAC, [will] allow NERC and the E-ISAC to share that information broadly through the electric industry to better prepare entities to protect their critical infrastructure."
FERC considered whether a broader reporting requirement would be better implemented under the NERC Rules of Procedures instead of a mandatory reporting requirement under the Reliability Standards. FERC determined, however, that broadening the mandatory reporting under a Reliability Standard is more aligned with the magnitude of the current threat environment, and is more likely to improve awareness of existing and future threats and vulnerabilities. FERC also stated that if NERC wanted to collect data outside the scope of this proposed Reliability Standard, NERC could use its information request process to supplement information reported under the mandatory reporting requirement.
FERC directed NERC to submit the required modifications within six months.