While addressing a gap in existing mandatory reliability standards that may result in those standards understating "the true scope of cyber-related threats facing the bulk-power system" might seem uncontroversial, many stakeholders insist that more work needs to be done before federal regulators begin requiring that even unsuccessful attempts to compromise certain cybersystems be reported.
For instance, a joint filing by the Edison Electric Institute and the National Rural Electric Cooperative Association warned that the Federal Energy Regulatory Commission's proposal to establish a new mandatory reporting requirement may have unintended consequences on existing efforts to detect, analyze and share threat and vulnerability information through voluntary partnerships.
"Common to these sharing partnerships is the fact that they are voluntary, based on trust, and focused on enhancing critical infrastructure cybersecurity," EEI and NRECA said. "Mandating such sharing may weaken the ability of electric companies to participate in these programs by shifting their focus to compliance activity."
Even some stakeholders that support establishing a mandatory reporting requirement say more clarity is needed with respect to determining exactly what constitutes a reportable event. The nation's independent system operators and regional transmission organizations "observe tens of thousands of interactions with their [electronic security perimeters, or ESPs] each day, and determining with certainty which of these interactions was made with a nefarious motive, or which of them could have had some more serious consequences had they not been stopped at the ESP, would be nearly impossible," the ISO/RTO Council told FERC.
The North American Electric Reliability Corp., which is responsible for developing and enforcing mandatory reliability standards for the power sector, has revised its critical infrastructure protection standards several times since FERC approved the first version in 2008. After the Foundation for Resilient Societies in early 2017 asked FERC to require the standards be revised again in light of events such as two successful attacks on Ukraine's power system, the agency proposed to have NERC broaden the reporting requirements to cover unsuccessful and successful incursions into an ESP or associated electronic access control or monitoring systems.
In that December 2017 notice of proposed rulemaking, FERC recounted that NERC in its annual state of reliability report indicated that "no reportable cyber security incidents" occurred in 2016 even though the U.S. Department of Homeland Security's cyber emergency response team responded to 59 cybersecurity incidents within the energy sector, including the electric subsector, during that year.
Some question need to expand existing standards
NERC in its comments on the proposal questioned the need to expand the reliability standards, saying the "challenge is to scope any additional mandatory reporting requirement in a manner that collects meaningful data about security risks without creating an unduly burdensome reporting requirement."
Of particular concern to NERC is that it be given the flexibility to "precisely outline the parameters of an 'attempt to compromise'" and to differentiate among the different types of electronic access control or monitoring systems to which the standards apply as necessary to ensure that only suspicious activity is reported.
NERC accordingly asked the commission not to mandate that a new reliability standard be developed or an existing standard modified but to instead let the data be collected through alternative approaches such as an existing data request process under NERC's rules of procedure. That process "provides many of the same benefits as reliability standards"; it is mandatory and enforceable but differs from the standards development process in that a data request can easily be revised or updated as necessary, NERC said.
Comments submitted jointly by the American Public Power Association, Electricity Consumers Resource Council and Transmission Access Policy Study Group similarly stressed the importance of flexibility and urged FERC to consider whether any existing tools could be used to gather information on unsuccessful cyber incursions.
EEI and NRECA recommended that FERC stick with the conclusion it reached in 2008 when it found that cyber incident reporting "should not be triggered by ineffectual and untargeted attacks that proliferate on the internet." The groups said the problem is that firewalls can turn away "thousands to millions" of potential compromise attempts a day, each of which might have to be inspected and analyzed to "'find the needle in the haystack' based on a determination of a sender's intent."
The Large Public Power Council suggested that FERC hold a technical conference aimed at establishing a threshold for determining which attempts to compromise the relevant systems warrant reporting. "A reporting standard that is overly broad in scope could lead to the collection of an overwhelming amount of information, much of which may prove to yield little actionable information, while burdening responsible entities and potentially obscuring more valuable information," the LPPC said.
Like NERC, the LPPC also suggested that the existing data request process is a good alternative, asserting that "it seems appropriate to remove the data collection process from the enforcement process associated with mandatory reliability standards."
The ISO/RTO Council, however, disagreed.
"The purpose of the reporting requirements is to share valuable information about cybersecurity risks with industry," the council said. "If the information were provided only pursuant to a request, then the requests (and responses) would need to be continual to ensure that all necessary information is provided, and a standing requirement to report would achieve the same result without the administrative burden of handling multiple data requests."
The Foundation for Resilient Societies similarly said NERC's data request is a "poor fit for a standing order for data on cybersecurity incidents that occur continually." (FERC dockets RM18-2, AD17-9)
