FERC, CFTC, and State Energy Law Developments

The Federal Energy Regulatory Commission (FERC or the Commission) issued Order No. 848 on July 19, directing the North American Electric Reliability Corporation (NERC) to augment the cyber incident reporting requirements under the Critical Infrastructure Protection (CIP) reliability standards. The directive adopts the proposals from the December 2017 Notice of Proposed Rulemaking (NOPR) and reflects the Commission’s view that FERC and NERC need to significantly improve their awareness of the breadth and frequency of the cybersecurity risks that electric utilities encounter.

Read the full Lawflash.

Officials at the US Department of Homeland Security (DHS) confirmed yesterday to The Wall Street Journal that state-sponsored hackers successfully gained remote access to the control rooms of US electric utilities and likely had the ability to disrupt power flows. The report describes the activities as part of a long-running campaign targeting US utilities and suggests that the attacks are still ongoing. This is not the first time that a federal government agency has publicly confirmed the actual or potential threat posed by hackers to critical infrastructure (see our previous post on state-sponsored attacks). Instead, it marks yet another confirmed instance of hackers gaining access to the secure networks used by industrial control systems in what has become a disconcerting trend in recent years, and continues to underline the importance of strong vendor and supply chain cybersecurity controls.

The commissioners from the Federal Energy Regulatory Commission (FERC) and the Nuclear Regulatory Commission (NRC) held a joint meeting on June 7 to discuss grid reliability and cybersecurity. FERC and NRC staff provided presentations on the recent and ongoing activities of both agencies to promote a stable, resilient, and secure grid. The presentations were largely a summary of recent agency activities and served to continue the practice of both independent regulatory agencies meeting to discuss items of common interest.

Revised Reliability Standard clarifies obligations for electronic access controls at less critical assets and places more focus on risks posed by certain portable electronic devices.

The Federal Energy Regulatory Commission (the Commission) issued a final rule (Order No. 843) on April 19, approving proposed reliability standard CIP-003-7. The currently-effective version of the standard, CIP-003-6, contains the cybersecurity requirements applicable to low impact BES Cyber Systems. The low impact category covers the BES Cyber Systems associated with less critical substations, generators, and other BES facilities. The final rule adopts NERC’s proposed reliability standard CIP-003-7, which revises the existing standard by clarifying a utility’s obligations for implementing electronic access controls for low impact BES Cyber Systems, introduces security requirements for certain portable devices, and requires utilities to have a policy for reliability-related emergencies known as CIP Exceptional Circumstances that involve low impact BES Cyber Systems.

On the heels of the news reports describing cyberattacks on the energy sector that have continued to accumulate over the last few years, the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a technical alert on March 15 describing ongoing attacks on critical infrastructure by hackers associated with the Russian government. The alert described the cyberattacks as part of a “multi-stage intrusion campaign by Russian government cyber actors” that targeted the energy sector networks, as well as computer systems used by entities in the nuclear, water, aviation, and critical manufacturing sectors. The alert is the latest in a string of reported cyberattacks on industrial control systems (ICS) in recent years, and can only serve to ratchet up the regulatory pressure on these industries to demonstrate their resilience in the face of these well-organized attacks.

The North American Electric Reliability Corporation (NERC) filed a Notice of Penalty summarizing an agreement by an unidentified electric utility to pay a $2.7 million penalty in connection with self-reported violations of the Critical Infrastructure Protection reliability standards related to sensitive data exposure by a vendor. Although the utility did not directly cause the improper data handling—and indeed the violation resulted from vendor noncompliance with utility policies—the Western Electricity Coordinating Council nevertheless concluded that the utility failed to adequately implement its information protection program by not preventing or immediately detecting the vendor’s actions and submitted the settlement to NERC. 

For more detail, read our LawFlash.

At today’s open meeting, the Federal Energy Regulatory Commission (FERC) proposed to approve new Critical Infrastructure Protection (CIP) Reliability Standards developed by the North American Electric Reliability Corporation (NERC) to protect the cybersecurity of the supply chains for critical utility systems. While recognizing the benefits of using a global supply chain to produce the assets used to operate the bulk electric system, FERC staff’s accompanying presentation recognized that relying on a global supply chain “also enables opportunities for adversaries to directly or indirectly affect the management or operations of generation and transmission companies in a manner that may result in risks to end users, such as through the insertion of counterfeits, unauthorized production, tampering, theft, or insertion of malicious software.”

Under a notice of proposed rulemaking to be released today, December 21, the Federal Energy Regulatory Commission (FERC) is proposing to direct the North American Electric Reliability Corporation (NERC) to revise the Critical Infrastructure Protection (CIP) reliability standards to require electric utilities to report all cyberattacks on the electric security perimeters surrounding their key electric infrastructure as well as the associated electronic access control and monitoring devices that protect those perimeters.

As evidence that cyberattacks continue to threaten electric infrastructure in the United States, a report issued on December 14 by cybersecurity firm FireEye indicates that critical infrastructure industrial control systems (ICS) could be susceptible to a new type of malware. FireEye reported that the malware—dubbed “TRITON”—triggered the emergency shutdown capability of an industrial process within a critical infrastructure ICS. This is not the first time that hackers have successfully targeted ICS. In 2013, hackers believed to be operating on behalf of a state-actor managed to take partial control of the Bowman Avenue Dam near Rye Brook, New York. More recently, reports emerged this past summer that hackers gained access to the operational grid controls of US-based energy firms. Because of the destructive potential of these types of breaches, critical electric and other utility infrastructure will remain highly prized targets for future cyberattacks.

As the pace of reported cyberattacks on ICS continues to pick up, scrutiny of electric utilities’ compliance with the Critical Infrastructure Protection (CIP) reliability standards by the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) is likely to increase. It is highly likely that electric utilities will receive data requests or informal outreach from FERC or NERC in the near future to determine whether those utilities have similar equipment that could be exploited, and if so, what steps they have taken to mitigate the threat. Even in the absence of such requests, these events provide a good opportunity for electric utilities to test the sufficiency of their CIP compliance programs in identifying and remediating such threats.

The recent “WannaCry” ransomware cyberattack highlights the need for firms to engage in proactive prevention and protection. Ransomware (malware that encrypts data pending an extortion payment) is a recurring cyber threat that is growing more pervasive and profitable for criminals. This most recent attack this month by the WannaCry virus highlights the potential global impact, speed and acceleration, and scope of the ransomware problem.

Ransomware as one unique form of cyberattack has been an increasing global and domestic cybersecurity problem over the last several years. Ransomware targets have included businesses, hospitals, schools, and even police departments. Worryingly, some recent forms of ransomware are becoming more sophisticated and resilient.

In response to the recurring nature of this type of cyberattack, Morgan Lewis partner Mark Krotoski and associate Martin Hirschprung authored a LawFlash offering some steps for proactive prevention and protection as well as some thoughts on the legal issues that may arise following these types of cyberattacks.

Read the LawFlash >>