The North American Electric Reliability Corporation (NERC) petitioned the Federal Energy Regulatory Commission (FERC) on March 7 to approve a revised reliability standard for electric utilities aimed at enhancing existing cybersecurity incident reporting. The proposed CIP-008-6 reliability standard would expand the scope of the type of assets subject to incident reporting and the categories of incidents affecting those systems that must be reported. If FERC approves the standard as proposed, compliance will require more comprehensive internal controls for identifying, reviewing, and reporting cyber incidents affecting electric utilities.

CIP-008-6 addresses the Commission’s directive from Order No. 848 to develop modifications to require reporting of Cyber Security Incidents that compromise, or attempt to compromise, a Responsible Entity’s Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS) to the Electricity Information Sharing and Analysis Center (E-ISAC) and the US Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).[1]

The proposed standard specifies processes and procedures that must be included in Cyber Security Incident response plans, implementation and testing of these plans, maintenance of these plans, as well as requiring certain mandatory reporting on Cyber Security Incidents. The revisions broaden the scope of these features while adding granularity to specific requirements. The goal of such reporting would be to facilitate information sharing on threats among relevant entities. Some of the key revisions include the following:

  • Responsible Entities must implement a process that includes criteria to evaluate and define attempts to compromise certain cyber systems, and must use response plans to respond to and retain records of those attempts.
  • Responsible Entities must make an initial report within designated timelines: one hour after an entity determines that a cybersecurity incident has occurred, or by the end of the next calendar day after an attempt to compromise a BES Cyber System, an ESP, or an EACMS. The notification must include certain attributes concerning the incident as well: (i) the functional impact; (ii) the attack vector used; and (iii) the level of intrusion that was achieved or attempted. That information must be included within specified timelines depending on when an entity obtains the attribute information.

If approved, Responsible Entities will likely have more than one-and-a-half years to implement the new requirements based on NERC’s proposed Implementation Plan. Interested parties have the opportunity to submit comments and interventions concerning NERC’s petition in FERC Docket No. RD19-3. The due date for those filings is April 11, 2019.