Editor’s note: This is the fifth in a continuing end-of-year series. See our previous posts on trade secrets, state regulation and law enforcement, HIPAA compliance, and emerging threats. Our last post will focus on federal regulation and law enforcement.
In 2015, a sophisticated cyberattack hit six of Ukraine’s energy providers simultaneously, causing a blackout for hundreds of thousands of Ukrainians. The U.S. has thus far evaded similar attacks, but the energy sector remains of vital strategic importance. Because it has long been considered a prime target for cyber threats, from cybercriminals and foreign states alike, regulators, especially at the federal level, have shown particular attention to this sector. Below, I look back at developments in energy sector cybersecurity in 2016 and ahead to what 2017 may bring.
Federal Regulation Continues to Evolve
On the federal level, 2016 has seen the release of updated Critical Infrastructure Protection (CIP) requirements by the North American Electric Reliability Corporation (NERC), the non-profit empowered by the Federal Energy Regulatory Commission (FERC) with authority to oversee grid security. The CIP plan is a set of nine standards and some 45 requirements that cover a broad variety of cybersecurity protocols. Under the CIP plan, utilities are required to identify critical cyber assets and ensure they are protected by electronic security measures, such as encryption and two-factor authentication. They must develop plans for incident reporting and recovery, and train personnel on response plans. The CIP standards even govern physical security measures, such as security guards and visitor logs. Version 5 of the CIP standards is fully phased in on April 1, followed quickly by version 6 in July, but companies cannot afford to rest on their compliance laurels: version 7 drafting is already underway! Look for more CIP updates in 2017.
State Involvement on the Rise
Federal regulation gets most of the attention, but NERC’s mandatory reliability standards only covers about 20% of the energy distribution grid (lines operating at 100 kV and above) – meaning the other 80% is left to be regulated at the state or local level. Thus the state-level response to increasing cyber threats is of vital importance. 2016 saw several states stepping in and offering more cyber regulations. Connecticut’s Public Utilities Regulatory Authority, for example, established a new cybersecurity oversight plan for utilities in the state and created a yearly voluntary forum for industry and government personnel to confer on cyber threats and responses. Energy commissions in approximately a dozen other states have rules or orders of some sort addressing cybersecurity. That, of course, leaves a majority of states without any such regulation (at least by the relevant energy authority — state attorneys general can regulate through their consumer protection and privacy authority). It seems likely that 2017 will bring more organization and more regulation on the state level.
Will Voluntary Information-Sharing Take Off?
In December of 2015 Congress passed two pieces of legislation that were designed to encourage voluntary sharing of cybersecurity information among companies. The Fixing America’s Surface Transport Act, or FAST Act, empowers FERC to define “Critical Energy Infrastructure Information.” Such information will be exempt from FOIA disclosure and receive protection from dissemination by government personnel, on the theory that companies will be more likely to share sensitive information about cyber threats with the government if they have assurances about who it will be shared with.
FERC finally issued regulations defining “Critical Energy Infrastructure Information” in November 2016, but the FAST Act’s sharing provisions may already be obsolete. The Cybersecurity Information Sharing Act of 2015, covered here on the blog in February, has the same goal — encouraging data sharing and collaboration by providing mandatory protections for the disclosed information — but it applies to all industries and government agencies (not just the energy sector) and all “cyber threat indicators” (not just Critical Energy Infrastructure Information). The government is certainly on board, as all agencies are required under the statute to participate in information sharing by the middle of this month. But has the private sector followed suit? Will they in 2017? As of now, the answer is unclear.
As 2016 draws to a close, a cyberattack like the one that brought down Ukraine’s electricity grid in 2015 has yet to materialize in the U.S. But it does not seem any less likely now than it was a year ago, either. Oh, and in addition to worrying about sabotage by foreign agents, energy companies, like any company, still have to be prepared to prevent and respond to “normal” threats such as data breaches or ransomware. The regulatory landscape and the cyber threats faced will continue to evolve in 2017 — and the energy sector, perhaps more so than any other sector, should be prepared to stay up-to-date, compliant, and protected.