The Federal Energy Regulatory Commission on Dec. 21 issued a proposal to address concerns that a gap in existing mandatory reliability standards may result in those standards understating "the true scope of cyber-related threats facing the bulk-power system."
The notice of proposed rulemaking would direct the North American Electric Reliability Corp., or NERC, to revise the standards to require that utilities and other relevant entities report not only those incidents that actually compromise certain cyber systems but also any attempts to compromise those systems.
Current standards mandate the reporting only of successful incursions into an electronic security perimeter, or ESP, or associated electronic access control or monitoring systems, or EACMS, thereby creating a reporting gap. The NOPR said that gap may limit the awareness of industry, NERC and FERC regarding existing or developing threats.
During the agency's Dec. 21 monthly open meeting, FERC staff said the NOPR was developed in response to NERC's 2017 State of Reliability Report, which noted that "the number of cyber security vulnerabilities continues to increase as does the number of threat groups," even though "there were no reportable cyber security incidents during 2016."
In contrast, staff recounted that the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, responded to 59 cybersecurity incidents within the energy sector, including the electric subsector, during the same year.
"One thing that has been observed and studied across many industries — not just electricity, but aviation, medicine and other industries — is a well-established ... statistical correlation between minor issues or near misses that are far more frequent, and then, up at the top of the pyramid, rare, major events," Commissioner Cheryl LaFleur said. "In the safety world, they call that the safety pyramid. You need to learn from the things that don't happen but that could have happened in order to prevent the big thing that you're afraid of happening."
NERC has revised its critical infrastructure protection reliability standards several times since FERC approved the first version in 2008. But the Foundation for Resilient Societies in January asked FERC to revise them again in light of successful attacks on Ukraine's power system and other recent events. Specifically, the foundation pressed the commission to require the development of a new "enhanced" standard aimed at detecting, reporting, mitigating and removing malware on electric utility computer systems.
In its Dec. 21 NOPR, FERC explained that it would not propose additional measures aimed at detection, mitigation and removal of malware, suggesting that the scope of existing standards and certain ongoing efforts to improve those standards are adequate.
"However, we propose to direct broader reporting requirements," FERC said. "Currently, incidents must be reported only if they have 'compromised or disrupted one or more reliability tasks,' and we propose to require reporting of certain incidents even before they have caused such harm or if they did not themselves cause any harm."
In addition to extending the reporting requirements to cover attempted, not just successful, incursions into an ESP or EACMS, the NOPR would have NERC standardize the information that must be reported about those events to make comparisons easier. At a minimum, FERC said each report should describe, whenever possible, the actual or intended "functional impact" of the attack; the method used by the attacker to exploit a vulnerability; and the extent to which the attack penetrated, or attempted to penetrate, the system.
The NOPR would also direct NERC to develop a timeline for entities to file a full account of reportable cyber events that reflects "the actual and potential threat to reliability, with more serious incidents reported in a more timely fashion." FERC explained that such a timeline "should minimize potential burdens on responsible entities."
Finally, among other things, FERC proposed to require that the reports be sent to ICS-CERT as well as NERC, and that NERC file an annual anonymized and aggregated summary of all reported cyber incidents.
Staff stressed during the FERC meeting that, by singling out attacks on the ESP and the EACMS for reporting, the proposal's applicability is limited to high- and medium-impact bulk electric operational cyber systems. When asked by Commissioner Neil Chatterjee to elaborate on the types of intrusion that would trigger the reporting requirement, staff said the agency is not interested in attacks on business, enterprise, IT or email systems.
"We are not looking for, say, a report on every phishing attack," staff continued. "What we are looking for are true penetrations into the operational systems. So we're talking control centers ..."
"... not Nigerian princes," Chatterjee quipped in response.
Chatterjee also stressed the importance of making sure the new reporting requirement does not impose any unnecessary additional burden on the industry, and to that end he encouraged stakeholders to "roll up their sleeves, dig in on the NOPR, and give us your suggestions on how the proposal could be improved." For his part, Commissioner Robert Powelson, a former state commissioner, said FERC needs to find a way to "socialize these new data points back to the states." (FERC dockets RM18-2, AD17-9)