FERC, CFTC, and State Energy Law Developments

The recent “WannaCry” ransomware cyberattack highlights the need for firms to engage in proactive prevention and protection. Ransomware (malware that encrypts data pending an extortion payment) is a recurring cyber threat that is growing more pervasive and profitable for criminals. This month’s WannaCry attack highlights the potential global impact, speed and acceleration, and scope of the ransomware problem.

Ransomware, as one distinct form of cyberattack, has been an increasing global and domestic cybersecurity problem over the last several years. Ransomware targets have included businesses, hospitals, schools, and even police departments. Worryingly, some recent forms of ransomware are becoming more sophisticated and resilient.

In response to the recurring nature of this type of cyberattack, Morgan Lewis partner Mark Krotoski and associate Martin Hirschprung authored a LawFlash offering some steps for proactive prevention and protection as well as some thoughts on the legal issues that may arise following these types of cyberattacks.

Read the LawFlash >>

The White House’s newly released National Electric Grid Security and Resilience Action Plan contains dozens of directives to various federal agencies for enhancing the electric grid’s resilience in the face of cyber threats, physical attacks, and natural disasters. Many of the directives build on different programs that federal agencies already run, but for the first time, this action plan synthesizes those disparate initiatives and focuses them on three goals: protecting the grid’s vulnerabilities, improving responses to contingencies, and building a more resilient system.

Notably, the action plan recognizes that many of these directives can only be achieved with public utilities’ participation and that cost recovery of investments in grid resiliency is essential if the government expects significant private investment to address the existing system vulnerabilities.

Read the full LawFlash: White House Releases Checklist to Improve Grid Resiliency.

On December 7, the Energy Bar Association sponsored a discussion on FERC-led audits of entities’ compliance with the North American Electric Reliability Corporation’s (NERC’s) critical infrastructure protection (CIP) Reliability Standards. Staff members from FERC and NERC led the discussion and fielded questions from industry participants. This session provided the first public peek into the process for the CIP audits.

While FERC has the authority to conduct its CIP audits with or without NERC and the regional entities charged with front-line enforcement of the Reliability Standards, the panelists explained that FERC wanted to coordinate with NERC and the regional entities to leverage their collective compliance and enforcement experience.

On November 17, FERC adopted regulations to enhance the protection of Critical Energy Infrastructure Information (CEII) using its new statutory authority from the Fixing America’s Surface Transportation Act (FAST Act), which added Section 215A to the Federal Power Act.

In addition to finalizing the new protections for CEII promised in the initial notice of proposed rulemaking, the final rule also adopts a prohibition on the disclosure of CEII under the Freedom of Information Act (FOIA). The FAST Act had, for the first time, exempted CEII from FOIA disclosure. In the past, FERC had taken the position that it would not disclose CEII in response to FOIA requests, but there was no explicit statutory basis for doing so. With the new statute and implementing regulations, there is no longer any legal doubt regarding the FOIA-exempt nature of CEII.

Despite the apparently strict nature of these protections, the degree to which CEII will be protected remains to be seen. Although CEII is FOIA-exempt under the FAST Act, FERC continues to provide procedures whereby interested parties can submit requests for CEII and be granted access if they show a legitimate need and commit to non-disclosure. In the past, FERC has generally been willing to share CEII upon request; the new regulations provide modest additional regulatory procedures for such requests, but it is possible that FERC will continue its policy of making CEII easily available to interested parties. The language in the FAST Act does allow FERC to decline to disclose CEII, but—so far—FERC has not chosen to take that route.

On July 21, FERC directed NERC to develop a new or modified “forward-looking, objective-driven” Reliability Standard that addresses supply chain risk management for industrial control system hardware, software, and computing and networking services (“cyber controls”) associated with BES operations. FERC required the standard to address

  • software integrity and authenticity;
  • vendor remote access;
  • information system planning; and
  • vendor risk management and procurement controls.

FERC is concerned that a “gap” exists in the CIP Reliability Standards, which has been highlighted by recent events where malware campaigns have targeted supply chain vendors in BES cyber control systems.

FERC expressed concern that vulnerable systems may be attacked either through the hardware or software components of a cyber-control system, or through a third-party service provider that has access to sensitive IT infrastructure or that holds or maintains sensitive data.

On July 21, prompted by cyberattacks highlighting cyber system vulnerabilities that may be exploited to attack the operation and maintenance of interconnected networks, FERC sought comment from industry participants on possible modifications to the CIP Reliability Standards that could address the cybersecurity of control centers used to monitor and control the BES in real time.

The Commission seeks comment on the following:

  • The operational impact of creating a separation between the internet and BES control center cyber systems performing transmission operator functions, through physical (hardware) or logical (software) means.
  • Whether rules should be implemented concerning “application whitelisting,” a computer administration practice that would prevent unauthorized programs from running on a system network. FERC believes that application whitelisting could be a more effective mitigation tool than other mitigation measures because whitelisting permits only those software applications and processes that have been reviewed and tested before use on the system network.

On June 16, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking to amend its regulations protecting Critical Energy Infrastructure Information. FERC’s proposed revisions are in response to directives in the recently passed Section 215A of the Federal Power Act and aim to address longstanding industry concerns by strengthening existing information protections and allowing FERC to penalize its personnel for unauthorized, knowing, and willful disclosures of this sensitive information. The proposal would also allow FERC to voluntarily share this information in response to grid emergencies and enable individuals to challenge the designation of information as Critical Energy Infrastructure Information in federal court.

The electric utility industry has spent vast amounts of money on cybersecurity, an investment that has steadily escalated since the Critical Infrastructure Protection (CIP) Reliability Standards became effective in 2008. Those investments, and the increasingly strict CIP Reliability Standards, were intended to address fears that hackers could use the industrial control systems and other computer systems that control the electric system to cause a blackout. Until recently, that threat was hypothetical. Now, for the first time, public reports have emerged of hackers taking down part of an electric grid.

In late December 2015, hackers allegedly infected several of Ukraine’s power authorities, causing blackouts that lasted several hours and affected thousands of people. Ukrainian authorities confirmed that malicious software infected several control systems, which disabled those systems and resulted in a power outage. The malware, known to have been involved in attacks since 2007, was reportedly embedded in Microsoft Office documents and was retrofitted to include code targeting power stations and other critical infrastructure. Although the geopolitical circumstances in Ukraine are drastically different from those faced by electric utilities in the United States, the attack provides a “proof of concept,” demonstrating that it is possible for an attacker to cause a widespread blackout—the threat is no longer hypothetical.

“A cyber incident is not the time to be creating emergency procedures or considering for the first time how best to respond.” — US Department of Justice

The dramatic increase in the scale and sophistication of some recent cyber breaches has seen the collapse of traditional disaster-recovery practices, thus increasing legal and regulatory exposure. Join us and guest Peter Trahon, executive director of EY and former chief of the FBI’s Cyber Division, for a one-hour webinar to discuss these changes in cybersecurity.

TOPICS WILL INCLUDE:

  • The current cyber threat landscape
  • The evolving role of the general counsel’s office in an organization’s cybersecurity program
  • When an organization should notify law enforcement of a cyber breach
  • Observations and leading practices in cybersecurity and breach response management

For more information, please contact Anette Andersson at aandersson@morganlewis.com or +1.202.739.5838.

Our Participants:

  • Stephen M. Spina

Cyber attacks are increasingly becoming a regular part of an electric utility’s day-to-day business risks. News agencies provide an ongoing stream of reports on the increasing sophistication and danger of these attacks: 30,000 workstations disabled by a malicious virus at a Saudi oil firm, a generator’s control system infected by malware carried on a USB drive, and a generator restart delayed for three weeks by malware inadvertently uploaded to control systems by a technician. Of the cyber incidents reported to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (“ICS-CERT”) between October 2011 and September 2012, forty-one percent involved the energy sector, by far the largest number of incidents for any sector.