BLOG POST

Power & Pipes

FERC, CFTC, and State Energy Law Developments

FERC recently approved proposed Reliability Standard CIP-008-6, which expands the mandatory reporting requirements for Cyber Security Incidents that attempt to compromise the operation of the bulk power system. Under the new standard, electric utilities will need to implement more comprehensive internal controls for identifying, reviewing, and reporting cyber incidents and attempted cyber intrusions than are currently required. The new standard goes into effect on January 1, 2021.

As we reported, NERC developed the revised standard in response to the Commission’s directive to broaden the scope of mandatory reporting of Cyber Security Incidents. In particular, the Commission was concerned with the risk posed by malicious intrusion attempts that might facilitate subsequent efforts to harm the reliable operation of the bulk power system.

Currently, utilities must report Cyber Security Incidents under Reliability Standard CIP-008-5 only if the incident has “compromised or disrupted one or more reliability tasks.” The new standard effectively lowers the reporting threshold by incorporating “compromises or attempts to compromise” the utility’s Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS), as well as attempts—even if unsuccessful—to disrupt the operation of a Bulk Electric System (BES) Cyber System. Once a utility determines that an event is a Cyber Security Incident, it must comply with the requirements of CIP-008-6, including initiating a response plan and reporting the incident to the Electricity Information Sharing and Analysis Center (E-ISAC) and the National Cybersecurity and Communications Integration Center (NCCIC). Such reports must contain detailed descriptions on the functional impact of the incident, the type of attack vector employed, and the level of intrusion that the attack achieved or attempted. Depending on the type of attack, initial reports must be submitted within an hour or by the end of the next day after the identification of the incident.

The new standard directs utilities to develop their own process and criteria for identifying attempts to compromise covered assets, and utilities should consider thorough planning prior to the implementation deadline in order to develop a compliant and workable process. Given the sheer volume of low-level attempted intrusions on all internet-facing devices, criteria that provides a meaningful method to differentiate between the “background noise” of internet traffic and genuine attempts at compromise will be key. Failing to do so could result in a substantial paperwork burden for investigating and reporting attempted intrusions.

Utilities, to the extent practicable, may also wish to consider modifications to their network architecture to reduce the amount of attempted connections to their devices, such as by placing covered assets within a larger corporate network where the surrounding network environment is more readily controlled.

The expanded incident reporting requirements under CIP-008-6 reflect a continued trend toward greater regulatory scrutiny of electric utility cybersecurity preparedness. As with mandatory incident reporting, FERC is likely to broaden the requirements associated with other areas of cybersecurity compliance—such as supply chain risk mitigation—in the near future. Recent reliability standard enforcement activity has also reflected this trend. This year alone, NERC has issued multiple seven-figure penalties for violations of the Critical Infrastructure Protection (CIP) suite of standards.