On July 19, the Federal Energy Regulatory Commission (“FERC” or “Commission”), pursuant to its authority under section 215 of the Federal Power Act, issued a final rule directing the North American Electric Reliability Corporation (“NERC”) to develop modifications to NERC’s Reliability Standards as they relate to cyber security incidents. Issuance of the final rule is timely. A recent news article described hackers’ successful infiltration of the control rooms of multiple electric utilities. According to the article, and many others like it, attacks by both independent and state-sponsored hackers pose an on-going and constant threat to the security of the nation’s bulk power system.
In response to the escalating nature of these incidents, FERC’s new rule requires NERC to “augment the mandatory reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the bulk electric system (BES).” NERC’s Critical Infrastructure Protection Standards apply to responsible entities, which include large utilities, as well as transmission and generation facilities, which combined comprise the nation’s bulk power system. In addition to lowering the threshold for a “reportable cyber event,” the final rule also directs NERC to change current reporting requirements to ensure that information is also shared with the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Finally, the final rule charges NERC with preparing “an annual, public, and anonymized summary” of cyber incidents each year and filing it with the Commission.
FERC issued its initial Notice of Proposed Rulemaking (“NOPR”) on cyber security reporting in December of 2017, as a result of what FERC deemed an “understatement” of the true scope of cyber security threats. According to the NOPR, while NERC reported zero Reportable Cyber Security Incidents in 2016, the Department of Energy’s report for the same period contained four cyber security incidents, and ICS-CERT reported that it had responded to 59 incidents in the energy sector in 2016. Based on this data, FERC concluded in the NOPR that “the current reporting threshold in [the NERC Reliability Standard] may not reflect the true scope and scale of cyber-related threats facing responsible entities.”
FERC Chairman Kevin McIntyre reiterated FERC’s growing concern with respect to cyber threats in a statement accompanying the final rule: “Industry must be alert to developing and emerging threats, and a modified standard will improve awareness of existing and future cyber security threats…Cyber threats to the bulk power system are ever changing, and they are a matter that commands constant vigilance,” McIntyre stated. FERC’s final rule attempts to close the gap and eliminate disparities in the reporting of cyber incidents in the current reporting environment. Whereas NERC’s current standards obligate responsible entities to report a cyber incident only when it has “compromised or disrupted” one or more “reliability tasks,” FERC’s new rule requires NERC to adopt standards that include not only successful incidents, but also any “attempt to compromise” an entity’s Electronic Security Perimeter or associated Electronic Access Control or Monitoring Systems, as those terms are defined by NERC.
In an effort to create consistency in reporting and to enable better data for assessing the true scope and scale of cyber-related threats, FERC set out the minimum reporting attributes that should be included in any standards developed by NERC. Those attributes include: 1) the functional impact of the attempted or achieved incident; 2) the attack vector of the attempted or achieved incident; and 3) the level of intrusion of the attempted or achieved incident. FERC expressly left NERC the discretion to augment the list “should it determine that additional information would benefit situational awareness of cyber threats.” FERC’s deference to NERC on this critical issue is also based, in part, on NERC’s experience with the myriad of diverse technical systems used by those entities subject to NERC’s standards.
FERC also granted NERC substantial discretion in establishing reporting timelines for reporting cyber incidents based on a “risk impact assessment and incident prioritization approach to incident reporting.” This approach allows NERC to require immediate reporting (i.e., one hour) for those incidents that pose an immediate and high risk to the BES, while allowing a longer timeframe (i.e., eight to 24 hours) for lower risk incidents. Finally, FERC voiced its support for the adoption of an on-line reporting tool aimed at streamlining reporting and reducing administrative reporting burdens on responsible entities.
The final rule will take effect 60 days following its publication in the Federal Register; NERC’s new standards will likely not be developed and implemented until early 2019.