The Federal Energy Regulatory Commission voted unanimously Jan. 20 to solicit comments on a proposal to direct the North American Electric Reliability Corporation to develop new or modified cyber reliability standards for the bulk power system.
Once the commission receives comments on the draft notice of proposed rulemaking, it will determine whether to adjust the provisions of a final rule directing NERC to develop such reliability standards.
If FERC goes forward, NERC will be tasked with creating critical infrastructure protection reliability standards, requiring entities to monitor the internal security networks of their high- and medium-impact bulk electric system cyber systems, according to a FERC release (RM22-3).
"This is a subject that all of us are keenly aware of, and I appreciate the unanimity that we have around the concerns that are hopefully going to be addressed by this proceeding," Commissioner James Danly said during FERC's Jan. 20 monthly meeting.
The draft received bipartisan support from the commission, with members pointing to the importance of improved cyber security within the bulk power system.
Commissioner Allison Clements said cyberattacks pose an ongoing threat that will require the electric system to constantly work to catch up and keep up, adding that the NOPR is "certainly a good step in the right direction."
Clements and Commissioner Willie Phillips called on NERC to quickly take action, especially given the many steps included in developing such procedures.
"I hope that NERC will find a way to expedite the process so that the benefits and protections of internal network monitoring can be realized as soon as possible," Phillips said.
Current reliability standards focus on preventing hackers from accessing these systems at the network perimeter, FERC said. But the NOPR would focus on standards dedicated to internal network security monitoring, an area not addressed by existing standards.
This change aims to help improve communications inside the network, with early detection helping to limit a hacker's ability to take control of important equipment, FERC said. Faster detection can help facilitate more efficient mitigation and recovery from cyberattacks while also improving vulnerability assessments.
For example, the 2020 SolarWinds attack showed how a system perimeter breach can occur with a trusted vendor that then is able to infiltrate internally. There have been several other high-profile cyberattacks recently, including the Colonial Pipeline ransomware attack in May 2021 that forced the operator to shut down the oil pipeline for nearly a week, affecting millions of people along the East Coast.
Additionally, the draft NOPR requests comments on potentially using such standards for networks with low-impact bulk electric system cyber systems.
Comments on the draft NOPR are due 60 days after its publication in the Federal Register.