On December 21, 2017, FERC issued a Notice of Proposed Rulemaking (“NOPR”) proposing to direct the North American Electric Reliability Corporation (“NERC”) to modify the cybersecurity incident reporting requirements under the Critical Infrastructure Protection (“CIP”) Reliability Standards. According to FERC, the proposal is intended to “improve awareness of existing and future cyber security threats and potential vulnerabilities.”
FERC’s proposal to augment the cybersecurity reporting requirements stemmed from a petition filed on January 13, 2017 by the Foundation for Resilient Societies (“Resilient Societies”). Resilient Societies requested that FERC initiate a rulemaking to require an enhanced Reliability Standard for malware detection, reporting, mitigation, and removal from the Bulk-Power System. According to Resilient Societies, current reporting methods underreport the actual amount of cybersecurity incidents in the electric grid and an enhanced Reliability Standard is needed to protect against the increasing risks from malware. In the NOPR, FERC declined to propose additional Reliability Standards, as Commission-directed improvements were already underway. However, FERC did find that broader reporting requirements within the existing CIP Reliability Standards are needed.
The current threshold for reporting cybersecurity incidents under the current CIP Reliability Standards is that incidents must be reported only if they have “compromised or disrupted one or more reliability tasks.” In the NOPR, FERC stated that the current reporting threshold may not reflect the actual scope of cybersecurity threats facing responsible entities, and proposed to require reporting of certain incidents even before they have caused such harm or if they did not themselves cause any harm. Additionally, FERC noted that the current CIP Reliability Standards do not establish a specific time-frame for completing a full incident report.
Accordingly, FERC proposed in the NOPR to direct NERC to: (i) develop and submit modifications to the CIP Reliability Standards to improve the reporting of cybersecurity incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the bulk electric system; (ii) develop modifications to the CIP Reliability Standards to include the mandatory reporting of cybersecurity incidents that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter or associated Electronic Access Control or Monitoring Systems; (iii) modify the CIP Reliability Standards to specify the required information in cybersecurity incident reports to improve the quality of reporting and allow for ease of comparison by ensuring that each report includes specified fields of information; and (iv) modify the CIP Reliability Standards to establish a deadline for filing a report once a compromise or disruption to reliable bulk electric system operation, or an attempted compromise or disruption, is identified by a responsible entity.
Comments on FERC’s proposal are due February 26, 2018.
For a copy of the NOPR is available here.