At its open meeting on November 21, FERC announced organizational changes to enhance the agency’s focus on cybersecurity threats and challenges to electric infrastructure. Commission staff unveiled five “focus areas” related to grid cybersecurity and announced organizational changes within the Office of Energy Projects (OEP) and Office of Electric Reliability (OER) designed to better position Commission resources to address cybersecurity concerns.
New Strategic Focus Areas
Commission staff developed the following five focus areas based on their review of threat reports (public and nonpublic), global cybersecurity events, North American Electric Reliability Corporation (NERC) CIP standards, and OEP’s specialized security program for hydropower projects.
- Supply Chain/Insider Threat/Third-Party Authorized Access
This is not the first time the Commission has made supply chain and third-party (or vendor) management security a priority. In 2016, the Commission directed NERC to develop mandatory supply chain risk management controls, which have since been approved and are set to take effect next year.
- Industry Access to Timely Information on Threats and Vulnerabilities
While some electric asset owners and operators receive some information through their participation in NERC’s Electricity Information Sharing and Analysis Center (E-ISAC) and certain federal initiatives, this focus area reflects Commission staff’s view that “many entities” still have “limited threat intelligence capabilities and access to information.”
- Cloud/Managed Security Service Provider
This focus on cloud and managed security recognizes that these services can provide substantial operational and security benefits to entities, if deployed in a secure manner. As currently written, the existing CIP reliability standards do not account for the use of cloud services in operating the grid and protecting the IT infrastructure, which could prevent utilities from leveraging these products and the enhanced security and efficiencies they provide.
- Adequacy of Security Controls
With this focus area, Commission staff highlighted that assets which individually present a low risk to grid cybersecurity could have a significant aggregate effect if many of them were lost or degraded at once. This focus area will also address hydroelectric facilities connected to lower impact assets and natural gas pipelines, which are currently not subject to mandatory cybersecurity controls.
- Internal Network Monitoring and Detection
The NERC CIP standards do not currently require monitoring and detection on internal networks. This focus area underscores the risk of lax internal monitoring practices, especially if a malicious actor has already breached a network and remains undetected by the entity.
Commission staff also discussed several organizational changes aimed at bolstering the agency’s cybersecurity resources. The OEP’s Division of Dam Safety and Inspections established a new security-focused group that will address both cybersecurity and physical security concerns at jurisdictional hydropower facilities. The new group’s responsibilities will include performing special cyber and physical inspections, conducting security and vulnerability surveys, and serving as the lead on the resolution of cyber and physical issues under FERC’s Dam Safety Program. In addition, OER has been organizationally realigned to include a new division focused exclusively on cybersecurity.