As evidence that cyberattacks continue to threaten electric infrastructure in the United States, a report issued on December 14 by cybersecurity firm FireEye indicates that critical infrastructure industrial control systems (ICS) could be susceptible to a new type of malware.
FERC, CFTC, and State Energy Law Developments
The North American Electric Reliability Corporation (NERC) filed a petition on September 26 requesting approval from the Federal Energy Regulatory Commission (FERC or the Commission) for a suite of Reliability Standards that focus on vulnerabilities in vendor products and services and would regulate the utility procurement process.
On December 7, the Energy Bar Association sponsored a discussion on FERC-led audits of entities’ compliance with the North American Electric Reliability Corporation’s (NERC’s) critical infrastructure protection (CIP) Reliability Standards.
On November 17, FERC adopted regulations to enhance the protection of Critical Energy Infrastructure Information (CEII) using its new statutory authority from the Fixing America’s Surface Transportation Act (FAST Act), which added Section 215A to the Federal Power Act.
On July 21, FERC directed NERC to develop a new or modified “forward-looking, objective-driven” Reliability Standard that addresses supply chain risk management for industrial control system hardware, software, and computing and networking services (“cyber controls”) associated with BES operations.
On July 21, prompted by cyberattacks highlighting cyber system vulnerabilities that may be exploited to attack the operation and maintenance of interconnected networks, FERC sought comment from industry participants on possible modifications to the CIP Reliability Standards that could address the cybersecurity of control centers used to monitor and control the BES in real time.
The electric utility industry has spent vast amounts of money on cybersecurity, an investment that has steadily escalated since the Critical Infrastructure Protection (CIP) Reliability Standards became effective in 2008.
“A cyber incident is not the time to be creating emergency procedures or considering for the first time how best to respond.” — US Department of Justice
The dramatic increase in the scale and sophistication of some recent cyber breaches has seen the collapse of traditional disaster-recovery practices, thus increasing legal and regulatory exposure.
Cyber attacks are increasingly becoming a regular part of an electric utility’s day-to-day business risks.
Energy partner Stephen M. Spina will speak at Law Seminars International’s two-day conference, Developing Transmission in the Northeast.