Arlington, Virginia — US federal regulators Thursday directed the nation's electric grid reliability organization to expand its cybersecurity incident reporting requirements to include unsuccessful attacks that might lay the groundwork for future successful attempts to disrupt grid reliability.
The Federal Energy Regulatory Commission gave the North American Electric Reliability Corp. six months to establish the new reporting requirement.
FERC Order 848 reflects a proposal the agency issued in December 2017 aimed at addressing concerns that the existing mandatory reliability standards may be understating the scope of the cyber-related threats to the nation's power grid (RM18-2, AD17-9).
Current standards require the industry to report only those incidents that have successfully "compromised or disrupted one or more reliability tasks" by attacking power grid systems known as an electronic security perimeter, or ESP, or associated electronic access control or monitoring systems, or EACMS. Because unsuccessful attacks are not being reported, FERC said it was concerned that a reporting gap exists that may limit awareness of existing or developing threats.
For instance, the agency noted that a 2017 NERC State of Reliability Report said the number of cybersecurity vulnerabilities and threat groups continues to increase even though no cybersecurity incidents were reported during 2016. In contrast, staff recounted that a Department of Homeland Security cyber-emergency response team responded to 59 cybersecurity incidents within the energy sector, including the power industry, during the same year.
FERC therefore proposed to direct NERC to revise the standards to require that the industry report not just those incidents that actually compromise ESP and the EACMS but also any failed attempts to compromise those systems.
By limiting the reporting requirement to the ESP and EACMS, the agency said the proposal would only apply to penetrations into operational systems that could really harm grid reliability, not such things as "Nigerian prince" attacks -- as described by Commissioner Neil Chatterjee -- on business, enterprise, IT or email systems.
The commission also proposed to have NERC standardize the information to be reported and the timeline for submitting those reports.
ORDER 848 BROADENS REPORTING REQUIREMENTS
Order 848 largely reflects the proposal, including requiring responsible entities to report cybersecurity incidents that compromise or attempt to compromise their ESP or associated EACMS.
The final rule also adopted the proposal's requirement to standardize the information to be reported. Order 848 said the reports should not be sent to FERC, but rather to other organizations best equipped to assess threats and communicate them to industry, including the NERC-operated Electricity Information Sharing and Analysis Center and Homeland Security's Industrial Control Systems Cyber Emergency Response Team.
Certain parties commenting on the earlier proposal expressed concern that the new reporting requirements could be overly prescriptive and burdensome. But the commission stressed that the final rule does not require a wholesale change in cyber incident reporting that supplants or may otherwise chill voluntary reporting but rather is a "measured broadening of the existing reporting requirement."
Moreover, the agency said that because the industry is already required to keep track of attempts to compromise the ESP or EACMS, "the additional burden to report that data appears reasonable."
FERC nevertheless directed NERC to establish certain incident reporting thresholds that ensure that only serious cybersecurity incidents are reported. Order 848 also told NERC to develop reporting timelines that prioritize the reporting of the most significant cybersecurity incidents before less significant events.
Finally, the agency said that the broadening of mandatory reporting pursuant to reliability standard requirements as opposed to a standing data request "is more aligned with the seriousness and magnitude of the current threat environment, and more likely to improve awareness of existing and future cybersecurity threats and potential vulnerabilities."
ADVERSARIES GROWING 'BOLDER AND MORE SOPHISTICATED': CHATTERJEE
In a statement, Chatterjee stressed the importance of protecting the nation's electric grid from cybersecurity threats, citing multiple reports describing intrusion campaigns by Russian government cyber actors against critical U.S. infrastructure, including the electric grid.
"I am deeply concerned by these threats as our adversaries continue to grow only bolder and more sophisticated with each passing day," Chatterjee said. He added that the record shows that FERC has no choice but to act to ensure that NERC, Homeland Security, and others have the information they need to understand the evolving threats.
Chatterjee also praised the final rule for allowing NERC to work with industry stakeholders to ensure that the new reporting standards are not overly prescriptive and burdensome.
The final rule takes effect 60 days after publication in the Federal Register.
--Glen Boshart, S&P Global Market Intelligence
--Edited by Richard Rubin