FERC, CFTC, and State Energy Law Developments

At its open meeting on November 21, FERC announced organizational changes to enhance the agency’s focus on cybersecurity threats and challenges to electric infrastructure. Commission staff unveiled five “focus areas” related to grid cybersecurity and announced organizational changes within the Office of Energy Projects (OEP) and Office of Electric Reliability (OER) designed to better position Commission resources to address cybersecurity concerns.

New Strategic Focus Areas

Commission staff developed the following five focus areas based on their review of threat reports (public and nonpublic), global cybersecurity events, North American Electric Reliability Corporation (NERC) CIP standards, and OEP’s specialized security program for hydropower projects.

  1. Supply Chain/Insider Threat/Third-Party Authorized Access

    This is not the first time the Commission has made supply chain and third-party (or vendor) management security a priority. In 2016, the Commission directed NERC to develop mandatory supply chain risk management controls, which have since been approved and are set to take effect next year.

Facing what it deems an “unprecedented number of FOIA requests” for nonpublic information related to utility violations of the North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) requirements governing cybersecurity compliance for critical electric infrastructure, FERC Staff has issued a white paper proposing to make publicly available additional information regarding those violations, including the names of the utilities involved. If adopted, this proposal could increase the risk of a serious and successful attack on the nation’s electric infrastructure with no benefit other than a “name and shame” approach to CIP enforcement.

FERC recently approved proposed Reliability Standard CIP-008-6, which expands the mandatory reporting requirements for Cyber Security Incidents that attempt to compromise the operation of the bulk power system. Under the new standard, electric utilities will need to implement more comprehensive internal controls for identifying, reviewing, and reporting cyber incidents and attempted cyber intrusions than are currently required. The new standard goes into effect on January 1, 2021.

As we reported, NERC developed the revised standard in response to the Commission’s directive to broaden the scope of mandatory reporting of Cyber Security Incidents. In particular, the Commission was concerned with the risk posed by malicious intrusion attempts that might facilitate subsequent efforts to harm the reliable operation of the bulk power system.

The supply chain risks facing electric utilities have long been a concern for industry stakeholders and regulators alike. Reflecting those concerns, NERC submitted a report on May 28 to FERC recommending the expansion of requirements addressing supply chain cybersecurity risks for electric utilities, concluding that the scope of those requirements needed to expand to match the scope of the cybersecurity risk. The development of such revised standards will itself be a lengthy process and subject to additional FERC review.

FERC Staff issued a report on March 29 on Commission-led critical infrastructure protection (CIP) reliability audits completed for fiscal years 2016 through 2018. The report provides lessons learned from those audits, as well as voluntary recommendations on cybersecurity practices to enhance the protection of electric infrastructure from cyberattacks. Even though many of these recommendations go beyond what is necessary for compliance with the mandatory CIP reliability standards, FERC is likely to view implementation of these recommendations as evidence of a strong cybersecurity culture that proactively addresses best cybersecurity practices and evolving threats. That can, in turn, have positive ramifications for utilities undergoing cybersecurity reviews by FERC, NERC, or the Regional Entities.

The North American Electric Reliability Corporation (NERC) petitioned the Federal Energy Regulatory Commission (FERC) on March 7 to approve a revised reliability standard for electric utilities aimed at enhancing existing cybersecurity incident reporting. The proposed CIP-008-6 reliability standard would expand the scope of the type of assets subject to incident reporting and the categories of incidents affecting those systems that must be reported. If FERC approves the standard as proposed, compliance will require more comprehensive internal controls for identifying, reviewing, and reporting cyber incidents affecting electric utilities.

The US Government Accountability Office (GAO) issued a report on December 18, 2018, identifying significant weaknesses in the Department of Homeland Security’s (DHS) Transportation Security Administration’s (TSA) Pipeline Security Program management and recommending improvements to address those weaknesses. The report was driven by a recognition that “pipelines increasingly rely on sophisticated networked computerized systems and electronic data, which are vulnerable to cyber attack or intrusion,” and that “new threats to the nation’s pipeline systems have evolved to include sabotage by environmental activists and cyber attack or intrusion by nations.”

A new report by the National Infrastructure Advisory Council (NIAC) concludes that the nation is not prepared to adequately respond to a catastrophic power outage. The NIAC is a special advisory council composed of representatives from private industry, state and local government, and academia that is tasked with providing the president with advice on issues facing the nation’s 16 federally designated critical infrastructure sectors. The NIAC issued the report after it was tasked with examining the nation’s ability to respond to and recover from a “catastrophic power outage of a magnitude beyond modern experience, exceeding prior events in severity, scale, duration, and consequence.” The NIAC generally considers these to be limited- or no-notice events with a long duration (i.e., lasting weeks or months due to damage) impacting a broad geographic area (e.g., multiple states and affecting tens of millions of people) that could be further complicated by a cyber or physical attack.

Central to the NIAC’s report is examining the extent to which a catastrophic power outage that causes a failure in one critical infrastructure sector could lead to severe cascading impacts and force other critical sectors to operate in a degraded state for an extended period of time. The report reflects the NIAC’s view that, while the roles and responsibilities for emergency authorities are understood generally, the actual implementation of roles and responsibilities in response to a catastrophic power outage (e.g., cyber and physical attacks and larger-scale disasters) is still very much unclear. In this regard, the report stresses the importance of strong federal leadership in responding to and recovering from large-scale emergencies.

The US Department of Homeland Security (DHS) announced the formation of the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force (the Task Force) on October 30. The Task Force is a partnership between government and private sector partners created to “examine and develop consensus recommendations to identify and manage risk to the global ICT supply chain.” The announcement came at the conclusion of National Cybersecurity Awareness Month and follows other government industry initiatives, such as the Oil and Natural Gas Pipeline Cybersecurity Initiative, that have been developed to manage risks posed by increasingly global supply chains.

On October 18, the Federal Energy Regulatory Commission (FERC or Commission) issued Order No. 850, adopting a suite of reliability standards proposed by the North American Electric Reliability Corporation (NERC) to address the cybersecurity risks posed by supply chains for industrial control system assets and services in critical electric utility environments. The final rule largely adopts the proposals from the Commission’s Notice of Proposed Rulemaking (NOPR). But the Commission also directs NERC to expand the scope of the new requirements to include Electronic Access or Control Monitoring Systems (EACMS) and to evaluate the need to further expand the scope of the requirements to include Physical Access Control Systems (PACS) and Protected Cyber Assets (PCAs).

Despite fears that the Commission would shorten the implementation period for the new requirements, the Commission adopted the 18-month implementation period that was originally proposed by NERC.