FERC Tightens Cyber Incident Reporting RulesEngineering360 News Desk | July 20, 2018
Evidence of attempts to compromise the U.S. bulk electric power system will now need to be reported under a new rule from the U.S. Federal Energy Regulatory Commission (FERC) modifying Critical Infrastructure Reliability Standards.
FERC directed the North American Electric Reliability Corp. (NERC) to develop modifications to improve mandatory reporting of cyber security incidents, including attempts that might lead to efforts to harm reliability, all within the next six months. (Read the FERC order)
Under the current Critical Infrastructure Protection Reliability Standard CIP-008-5 (Cyber Security – Incident Reporting and Response Planning), incidents must be reported only if they have compromised or disrupted one or more reliability tasks.
In announcing the FERC action, Chairman Kevin J. McIntyre said, “Industry must be alert to developing and emerging threats, and a modified standard will improve awareness of existing and future cyber security threats.”
Commissioner Neil Chatterjee said, "Both the Department of Homeland Security and Federal Bureau of Investigation have issued multiple public reports describing intrusion campaigns by Russian government cyber actors against our critical infrastructure, including the electric grid." He said the intrusions represent an "unsettling uptick in attempts to undermine America’s critical infrastructure systems."
The final rule directs NERC to modify the standard to expand the current reporting requirement, including:
- Responsible entities must report cyber security incidents that compromise, or attempt to compromise, a responsible entity’s electronic security perimeter (ESP) or associated electronic access control or monitoring systems (EACMS).
- Cyber security incident reports should be standardized to improve the quality of reporting and allow for ease of comparison across reports, analysis and trending.
- Cyber security incident reports will continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC). Reports would also be sent to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
The FERC also directed NERC to consider the threat level when developing reporting thresholds and timelines. It directed NERC to consider the function of the EACMS and the nature of the attempted compromise or successful intrusion when developing reporting thresholds so that only cyber security incidents meeting a certain threat level would have to be reported.
NERC also must develop reporting timelines that correspond to the adverse or attempted adverse impact to the grid that the loss, compromise or misuse of the bulk electric system cyber assets could have on reliable operation. Prioritizing incident reporting will allow responsible entities to devote resources to reporting the most significant cyber security incidents faster than less significant events.