Electric vehicle (EV) charging relies on a complex ecosystem involving multiple entities, including utility operators, third-party data network providers, charging infrastructure owners, and the EVs themselves. The high degree of digital interconnectivity required to run that ecosystem presents significant cybersecurity risks, including the potential for data theft, physical property damage, and electric grid disruptions.
FERC, CFTC, and State Energy Law Developments
FERC has issued its final rule paving the way for incentive-based rate treatment for electric utilities that make certain voluntary cybersecurity investments. As we first noted in 2020 when describing the proposed rule, the final rule provides a new mechanism for promoting cybersecurity of the bulk-power system by rewarding utilities for proactively enhancing their cybersecurity programs beyond the mandatory requirements of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) reliability standards.
On March 16, FERC approved North American Electric Reliability Corporation (NERC) Reliability Standard CIP-003-9, Cyber Security – Security Management Controls, which introduces two new requirements to the suite of cybersecurity protections for low-impact bulk electric system (BES) cyber systems. The requirements focus on mitigating a supply chain risk that continues to challenge the electric industry: vendor remote access to critical electronic systems. The new rule will ensure these vendor risk mitigation requirements apply across every BES facility in the continental United States.
On March 2, the White House issued the National Cybersecurity Strategy (the Strategy), a broad vision to reinvigorate the federal government’s approach to cybersecurity and address a wide spectrum of long-term challenges. The Strategy reflects the latest significant cybersecurity-focused activity from the Biden administration and contains an ambitious set of goals and initiatives.
The Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information (RFI) on the new cyber incident reporting requirements for critical infrastructure owners as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
The North American Electric Reliability Corporation (NERC) filed its 2022 NERC Standards Report, Status and Timetable for Addressing Regulatory Directives, summarizing the progress made and plans for addressing the reliability standard-related directives issued by applicable governmental authorities. NERC reported that since March 29, 2021, the date of NERC’s last annual report, it filed petitions with the Federal Energy Regulatory Commission (FERC) addressing four reliability standards-related directives.
The Federal Register recently published the US Department of Energy’s (DOE) notice of Request for Information (RFI) seeking public input on energy sector supply chains. The RFI requests that stakeholders provide comment on a wide variety of issues concerning supply chains of energy and related technologies.
As has been reported, a recent ransomware attack has caused an interstate pipeline and fuel supplier to much of the eastern United States to shut down its operations. Although the attack did not compromise operational systems, the company opted to cease operations as a precautionary measure.
FERC approved revisions to three Critical Infrastructure Protection (CIP) North American Electric Reliability Corporation (NERC) Reliability Standards to expand the scope of the assets subject to supply chain cybersecurity requirements and related obligations. Supply chain cybersecurity continues to be a focus of NERC, energy industry stakeholders, and government regulatory and securities agencies.