FERC, CFTC, and State Energy Law Developments

American national security officials believe that spies working on behalf of an adversarial nation-state successfully carried out an attack against US companies by compromising a key hardware supply chain, according to a report issued October 4 by Bloomberg Businessweek. The report details how the attackers implemented a “seeding” attack by installing tiny, malicious microchips on motherboards—a type of computer circuit board that houses processing and other essential components—that were assembled in Chinese factories. The exploit apparently had a ripple effect, as the compromised motherboards were ultimately installed in commercial servers that are widely distributed in the United States. One official estimates that the attack affected almost 30 companies, including a major bank and government contractors, and may have enabled the attackers to communicate with or infiltrate the sabotaged servers.

The North American Electric Reliability Corporation (NERC) on September 18 requested Federal Energy Regulatory Commission (FERC) approval of a new Critical Infrastructure Protection (CIP) Reliability Standard, CIP-012-1. The proposed standard would require electric utilities with defined “Control Centers” to implement controls that protect sensitive data communicated between any applicable control centers. Driving the standard is a concern that these control centers can only perform their real-time reliability functions if they can receive and transmit sensitive operational data in a secure manner.

The Federal Energy Regulatory Commission (FERC or the Commission) issued Order No. 848 on July 19, directing the North American Electric Reliability Corporation (NERC) to augment the cyber incident reporting requirements under the Critical Infrastructure Protection (CIP) reliability standards. The directive adopts the proposals from the December 2017 Notice of Proposed Rulemaking (NOPR) and reflects the Commission’s view that FERC and NERC need to significantly improve their awareness of the breadth and frequency of the cybersecurity risks that electric utilities encounter.

Read the full Lawflash.

Officials at the US Department of Homeland Security (DHS) confirmed yesterday to The Wall Street Journal that state-sponsored hackers successfully gained remote access to the control rooms of US electric utilities and likely had the ability to disrupt power flows. The report describes the activities as part of a long-running campaign targeting US utilities and suggests that the attacks are still ongoing. This is not the first time that a federal government agency has publicly confirmed the actual or potential threat posed by hackers to critical infrastructure (see our previous post on state-sponsored attacks). Instead, it marks yet another confirmed instance of hackers gaining access to the secure networks used by industrial control systems in what has become a disconcerting trend in recent years, and continues to underline the importance of strong vendor and supply chain cybersecurity controls.

On July 19, the Federal Energy Regulatory Commission (FERC) approved most of the revisions proposed by a North American Electric Reliability Corporation (NERC) petition to revise NERC’s rules of procedure (ROP) on operator certification, but rejected certain key changes. FERC concluded that NERC’s proposal to remove those provisions would strip substantive rules from the ROP and move them to NERC manuals, thus defeating the efficacy of FERC review because the ROP is subject to FERC review and approval but NERC manuals are not.

The commissioners from the Federal Energy Regulatory Commission (FERC) and the Nuclear Regulatory Commission (NRC) held a joint meeting on June 7 to discuss grid reliability and cybersecurity. FERC and NRC staff provided presentations on the recent and ongoing activities of both agencies to promote a stable, resilient, and secure grid. The presentations were largely a summary of recent agency activities and served to continue the practice of both independent regulatory agencies meeting to discuss items of common interest.

Revised Reliability Standard clarifies obligations for electronic access controls at less critical assets and places more focus on risks posed by certain portable electronic devices.

The Federal Energy Regulatory Commission (the Commission) issued a final rule (Order No. 843) on April 19, approving proposed reliability standard CIP-003-7. The currently-effective version of the standard, CIP-003-6, contains the cybersecurity requirements applicable to low impact BES Cyber Systems. The low impact category covers the BES Cyber Systems associated with less critical substations, generators, and other BES facilities. The final rule adopts NERC’s proposed reliability standard CIP-003-7, which revises the existing standard by clarifying a utility’s obligations for implementing electronic access controls for low impact BES Cyber Systems, introduces security requirements for certain portable devices, and requires utilities to have a policy for reliability-related emergencies known as CIP Exceptional Circumstances that involve low impact BES Cyber Systems.

On the heels of the news reports describing cyberattacks on the energy sector that have continued to accumulate over the last few years, the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a technical alert on March 15 describing ongoing attacks on critical infrastructure by hackers associated with the Russian government. The alert described the cyberattacks as part of a “multi-stage intrusion campaign by Russian government cyber actors” that targeted the energy sector networks, as well as computer systems used by entities in the nuclear, water, aviation, and critical manufacturing sectors. The alert is the latest in a string of reported cyberattacks on industrial control systems (ICS) in recent years, and can only serve to ratchet up the regulatory pressure on these industries to demonstrate their resilience in the face of these well-organized attacks.

The North American Electric Reliability Corporation (NERC) filed a Notice of Penalty summarizing an agreement by an unidentified electric utility to pay a $2.7 million penalty in connection with self-reported violations of the Critical Infrastructure Protection reliability standards related to sensitive data exposure by a vendor. Although the utility did not directly cause the improper data handling—and indeed the violation resulted from vendor noncompliance with utility policies—the Western Electricity Coordinating Council nevertheless concluded that the utility failed to adequately implement its information protection program by not preventing or immediately detecting the vendor’s actions and submitted the settlement to NERC. 

For more detail, read our LawFlash.

The Federal Energy Regulatory Commission (FERC) issued an order on January 18 approving four Emergency Operations (EOP) reliability standards: EOP-004-4 (Event Reporting), EOP-005-3 (System Restoration from Blackstart Resources), EOP-006-3 (System Restoration Coordination), and EOP-008-2 (Loss of Control Center Functionality). The newly-approved standards are intended to enhance the requirements for system restoration and related personnel training.