Under a notice of proposed rulemaking to be released today, December 21, the Federal Energy Regulatory Commission (FERC) is proposing to direct the North American Electric Reliability Corporation (NERC) to revise the Critical Infrastructure Protection (CIP) reliability standards to require electric utilities to report all cyberattacks on the electric security perimeters surrounding their key electric infrastructure as well as the associated electronic access control and monitoring devices that protect those perimeters.
This proposal is driven in part by FERC’s concern that the existing CIP reliability standards only require regulatory reporting if an attack has an impact on bulk-power system reliability. As a result, attacks that are successfully thwarted or prevented by electric utilities are not reported. According to FERC, this lack of reporting inadvertently creates an underreporting of the threat to reliability posed by these attacks.
In addition to requiring reporting for any cybersecurity incidents that compromise or attempt to compromise covered assets, the proposal would also direct NERC to modify the existing CIP reliability standards to provide greater specificity for the information utilities will need to report. These reports would be sent to both the Electricity Information Sharing and Analysis Center (E-ISAC) operated by NERC and the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) within a specified time period. Finally, the proposal would require NERC to submit to FERC an annual report with “anonymized” information about the reported attacks.
Given the expanding nature of the cyber threat to electric infrastructure in the United States and the sheer number of attempts to compromise electric utility systems, the overwhelming majority of which are successfully defeated, this reporting requirement could result in a significant regulatory reporting burden for owners of Medium Impact and High Impact BES Cyber Systems. Specificity regarding what activities represent reportable incidents and the amount of information that will need to be reported will be the key factor in determining the extent of the regulatory burden on electric utilities. During the open meeting, the commissioners asked for suggestions from the industry on ways that FERC’s goals could be met in an efficient manner.