On June 20, 2019, FERC issued a letter order granting its approval of the North American Electric Reliability Corporation’s (“NERC”) proposed Reliability Standard CIP-008-06 which broadens the mandatory reporting of cyber security incidents.
In Order No. 848, FERC directed NERC to enhance the mandatory reporting of cyber security incidents, to include additional information in cyber security incident reports, to establish filing deadlines for cyber security incident reports, and to establish that cyber security incident reports be sent to the Electricity Information Sharing and Analysis Center (“E-ISAC”) and the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (“ICS-CERT”).
On March 7, 2019, NERC filed a petition with FERC containing the proposed Reliability Standard CIP-008-06 to broaden the mandatory reporting of cyber security incidents. In the petition, NERC broadened the definition of “Cyber Security Incident” to include events involving compromises or attempts to compromise Electronic Security Perimeters (“ESP”), Electronic Access Control or Monitoring Systems (“EACMS”), and Physical Security Perimeters associated with light and medium impact bulk electric system (“BES”) Cyber Systems and disruptions or attempts to disrupt the operation of BES Cyber System. NERC also broadened the definition of “Reportable Cyber Security Incident” to include compromises or disruptions of BES Cyber Systems that perform one or more reliability tasks as well as compromises or disruptions to EACMS and ESPs associated with high and medium impact BES Cyber Systems.
Finally, NERC included language to broaden reporting on cyber security incidents to include incidents that attempt to compromise ESPs or EACMS, to require that responsible entities send reports and updates to E-ISAC and ICS-CERT, to introduce certain required categories that must be contained within each report, and to establish a timeline for the reporting of the cyber security incidents.
A copy of the order is available here.