On June 20, 2019, the Federal Energy Regulatory Commission (“FERC”) approved a North American Electric Reliability Corp. (“NERC”) petition to adopt Reliability Standard CIP-008-6 to strengthen the reporting requirements for attempts to compromise the operation of the United States’ bulk electric system. The prior Critical Infrastructure Protection (“CIP”) Reliability Standards only required reporting where an incident compromised or disrupted one or more reliability tasks. The new standard applies to all registered entities subject to the CIP Reliability Standards.
The NERC petition was a product of Order No. 848, in which FERC ordered NERC, the nation’s Electric Reliability Organization, to revise the requirements for cybersecurity incident reporting. That order had highlighted a growing concern that older Reliability Standards may underestimate the threat posed to the power grid. Reliability Standard CIP-008-6 expands reporting requirements to include compromises or attempts to compromise Electric Security Perimeters, Electronic Access Control or Monitoring Systems, and Physical Security Perimeters associated cyber systems. Reliability Standard CIP-008-6 also encompasses disruptions or attempted disruptions to the operation of a bulk electric system.
Each entity has some flexibility in developing criteria for suspicious activity based on its system architecture. Once a responsible entity has determined that a cybersecurity incident meets the criteria for an attempted compromise of an applicable system, the entity must report the incident by the end of the next calendar day to the Electricity Information Sharing and Analysis Center and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center. Reliability Standard CIP-008-6 also addresses the information to be included in cybersecurity incident reports and requires a responsible entity to initiate an incident response plan following an attempt to compromise cyber systems.
FERC’s efforts to bolster the security of the power grid reflect increasing concerns about cyberattacks targeting critical infrastructure. Ukraine’s power grid blackout in 2016, which caused Kiev to lose power for about an hour, underscored the vulnerability of power grids.