FERC Staff issued an October 4 report on Commission-led critical infrastructure protection (CIP) reliability audits completed during fiscal year 2019. The report provides lessons learned and identifies voluntary practices that FERC Staff observed during those audits that could improve the protection of electric infrastructure from cyberattacks.
Facing what it deems an “unprecedented number of FOIA requests” for nonpublic information related to utility violations of the North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) requirements governing cybersecurity compliance for critical electric infrastructure, FERC Staff has issued a white paper proposing to make publicly available additional information regarding those violations, including the names of the utilities involved. If adopted, this proposal could increase the risk of a serious and successful attack on the nation’s electric infrastructure with no benefit other than a “name and shame” approach to CIP enforcement.
FERC recently approved proposed Reliability Standard CIP-008-6, which expands the mandatory reporting requirements for Cyber Security Incidents that attempt to compromise the operation of the bulk power system. Under the new standard, electric utilities will need to implement more comprehensive internal controls for identifying, reviewing, and reporting cyber incidents and attempted cyber intrusions than are currently required. The new standard goes into effect on January 1, 2021.
As we reported, NERC developed the revised standard in response to the Commission’s directive to broaden the scope of mandatory reporting of Cyber Security Incidents. In particular, the Commission was concerned with the risk posed by malicious intrusion attempts that might facilitate subsequent efforts to harm the reliable operation of the bulk power system.
The supply chain risks facing electric utilities have long been a concern for industry stakeholders and regulators alike. Reflecting those concerns, NERC submitted a report on May 28 to FERC recommending the expansion of requirements addressing supply chain cybersecurity risks for electric utilities, concluding that the scope of those requirements needed to expand to match the scope of the cybersecurity risk. The development of such revised standards will itself be a lengthy process and subject to additional FERC review.
FERC Staff issued a report on March 29 on Commission-led critical infrastructure protection (CIP) reliability audits completed for fiscal years 2016 through 2018. The report provides lessons learned from those audits, as well as voluntary recommendations on cybersecurity practices to enhance the protection of electric infrastructure from cyberattacks. Even though many of these recommendations go beyond what is necessary for compliance with the mandatory CIP reliability standards, FERC is likely to view implementation of these recommendations as evidence of a strong cybersecurity culture that proactively addresses best cybersecurity practices and evolving threats. That can, in turn, have positive ramifications for utilities undergoing cybersecurity reviews by FERC, NERC, or the Regional Entities.
The North American Electric Reliability Corporation (NERC) petitioned the Federal Energy Regulatory Commission (FERC) on March 7 to approve a revised reliability standard for electric utilities aimed at enhancing existing cybersecurity incident reporting. The proposed CIP-008-6 reliability standard would expand the scope of the type of assets subject to incident reporting and the categories of incidents affecting those systems that must be reported. If FERC approves the standard as proposed, compliance will require more comprehensive internal controls for identifying, reviewing, and reporting cyber incidents affecting electric utilities.
The US Government Accountability Office (GAO) issued a report on December 18, 2018, identifying significant weaknesses in the Department of Homeland Security’s (DHS) Transportation Security Administration’s (TSA) Pipeline Security Program management and recommending improvements to address those weaknesses. The report was driven by a recognition that “pipelines increasingly rely on sophisticated networked computerized systems and electronic data, which are vulnerable to cyber attack or intrusion,” and that “new threats to the nation’s pipeline systems have evolved to include sabotage by environmental activists and cyber attack or intrusion by nations.”
A new report by the National Infrastructure Advisory Council (NIAC) concludes that the nation is not prepared to adequately respond to a catastrophic power outage. The NIAC is a special advisory council composed of representatives from private industry, state and local government, and academia that is tasked with providing the president with advice on issues facing the nation’s 16 federally designated critical infrastructure sectors. The NIAC issued the report after it was tasked with examining the nation’s ability to respond to and recover from a “catastrophic power outage of a magnitude beyond modern experience, exceeding prior events in severity, scale, duration, and consequence.” The NIAC generally considers these to be limited- or no-notice events with a long duration (i.e., lasting weeks or months due to damage) impacting a broad geographic area (e.g., multiple states and affecting tens of millions of people) that could be further complicated by a cyber or physical attack.
Central to the NIAC’s report is examining the extent to which a catastrophic power outage that causes a failure in one critical infrastructure sector could lead to severe cascading impacts and force other critical sectors to operate in a degraded state for an extended period of time. The report reflects the NIAC’s view that, while the roles and responsibilities for emergency authorities are understood generally, the actual implementation of roles and responsibilities in response to a catastrophic power outage (e.g., cyber and physical attacks and larger-scale disasters) is still very much unclear. In this regard, the report stresses the importance of strong federal leadership in responding to and recovering from large-scale emergencies.
The Senate Energy and Natural Resources Committee on November 15 favorably advanced the nominations of Dr. Rita Baranwal (Assistant Secretary of Energy (Nuclear Energy)) and Bernard McNamee (Member, Federal Energy Regulatory Commission) to the full US Senate.
Eighteen governors, members of the Governors’ Wind & Solar Energy Coalition, issued an open letter on November 9 to the Federal Energy Regulatory Commission (FERC) to encourage the development of needed electric transmission, which they claim existing federal efforts are insufficient to address.