The final rule reflects regulator concerns that the cyber threats facing electric utilities are largely underreported.
The Federal Energy Regulatory Commission (FERC or the Commission) issued Order No. 848 on July 19, directing the North American Electric Reliability Corporation (NERC) to augment the cyber incident reporting requirements under the Critical Infrastructure Protection (CIP) reliability standards. The directive adopts the proposals from the December 2017 Notice of Proposed Rulemaking (NOPR) and reflects the Commission’s view that FERC and NERC need to significantly improve their awareness of the breadth and frequency of the cybersecurity risks that electric utilities encounter.
To meet that objective, the final rule directs NERC to modify the existing CIP reliability standards to broaden the scope of mandatory cyber incident reporting. Today, utilities must report Cyber Security Incidents under Reliability Standard CIP-008-5 only if the incident has “compromised or disrupted one or more reliability tasks.” Under the final rule, electric utilities will have to report all cyberattacks that occur at key electronic touchpoints on their network infrastructure, even if they are “zero consequence” attacks, such as attacks that are detected and remediated before any harm occurs. The final rule also directs NERC to increase the scope of assets covered by the mandatory reporting requirement, standardize the manner and timing of the reporting process, and require utilities to share threat information with the US Department of Homeland Security (DHS).
NERC has six months from the effective date of the final rule to submit modifications to the reliability standards. The final rule becomes effective 60 days after publication in the Federal Register.
The final rule, which will significantly expand the existing reporting requirement under Reliability Standard CIP-008-5, directs NERC to make the following changes:
Lower Reporting Threshold
The order directs NERC to modify the reliability standards to require the reporting of Cyber Security Incidents that “compromise, or attempt to compromise,” a responsible entity’s electronic security perimeter (ESP), as well as the associated electronic access control and monitoring (EACMS) devices, which include firewalls, authentication services, security event monitoring systems, and intrusion detection and alerting systems, that protect those perimeters. The lowered reporting threshold is notable for two reasons.
First, it means that reporting will be mandatory even for unsuccessful attacks and attacks that have no impact on utility operations. FERC did not clearly define when an attack constitutes an “attempt to compromise” a utility’s system, beyond stating that it could involve an unauthorized access attempt or other confirmed suspicious activity. FERC will instead give NERC the flexibility to establish an appropriate reporting threshold based on those parameters.
Second, the inclusion of EACMS assets in the new requirement will significantly expand the scope of utilities’ reporting obligations. In response to the NOPR, various industry commenters called upon FERC to either limit the inclusion of, or completely exclude, EACMS from the scope of the new requirements in order to limit the reporting burden on electric utilities. FERC remained convinced that EACMSs should be included in the new requirements because those devices are the primary defensive systems protecting the most critical BES Cyber Systems (those considered high and medium impact under the CIP reliability standards). However, FERC agreed in the final rule that NERC should limit the scope of the EACMS assets covered by the new requirements by focusing on several key functions they provide. Here, too, FERC opted to give NERC the flexibility to craft the specific reporting threshold for EACMS devices, so long as it encompasses the following EACMS functions: (i) authentication; (ii) monitoring and logging; (iii) access control; (iv) interactive remote access; and (v) alerting.
Standardized Incident Reporting
FERC adopted the NOPR proposal to require a minimum set of attributes comprising a mandatory Cyber Security Incident report. FERC stated that the reports should include, at a minimum: (i) the functional impact, where possible, that the Cyber Security Incident achieved or attempted to achieve; (ii) the attack vector that was used to achieve or attempt to achieve the Cyber Security Incident; and (iii) the level of intrusion that was achieved or attempted as a result of the Cyber Security Incident. FERC believes that establishing these information attributes will improve the quality of reporting and allow for ease of comparison by ensuring that each report includes specified fields of information. FERC stressed that any reporting requirement should not take away from efforts to mitigate a potential compromise.
FERC concluded that NERC should establish reporting timelines for when an electric utility must submit Cyber Security Incident reports. The final rule requires that the reporting timelines be prioritized based on the potential risk impact of the incident. Higher risk incidents, such as detecting malware within the ESP and associated EACMS, could trigger a one-hour reporting requirement, whereas it may be more appropriate to report lower risk incidents, such as the detection of attempts at unauthorized access to the ESP or associated EACMS, within eight to 24 hours. Utilities may also be permitted to report other lower-level suspicious activity pertaining to an ESP or its associated EACMS on a longer timeline (e.g., via a monthly report) to assist in the analysis of trends.
FERC concluded that Cyber Security Incident reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC) that is run by NERC, similar to the current reporting scheme under Reliability Standard CIP-008-5. The final rule also requires utilities to send reports to the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) (or its successor). FERC stated that, from a security perspective, reporting directly to E-ISAC and ICS-CERT will result in cyber threat information being provided to the organizations best suited to analyze it and, to the extent necessary, timely inform responsible entities of cyber threats. In addition, NERC will file annually an anonymized report providing an aggregated summary of the information reported by utilities over the course of the year, similar to the annual report issued by ICS-CERT.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers: