On June 20, 2019, FERC approved revisions to the Midcontinent Independent System Operator, Inc.’s (“MISO”) Tariff which permit MISO to share, without notice to its market participants, confidential information with federal cybersecurity authorities in response to detected cyber intrusions or weaknesses in electric utility infrastructure that have the potential to compromise reliability and call for immediate action. FERC concluded that MISO’s proposal allows for greater information sharing with the appropriate federal agencies before a potential cybersecurity threat becomes an emergency, and appropriately maintains the confidentiality of the information at issue.
MISO’s proposal is the latest in electric industry efforts to improve awareness of cybersecurity threats and potential vulnerabilities, and follows FERC’s issuance of Order No. 848, which directed the North American Electric Reliability Corporation (“NERC”) to modify its Critical Infrastructure Protection Reliability Standards to improve reporting of cybersecurity incidents by requiring entities to report not only incidents that actually compromise or disrupt an entity’s Electronic Security Perimeter or associated Electronic Access Control or Monitoring Systems, but also cybersecurity incidents that attempt to disrupt these systems, including incidents that might facilitate subsequent efforts to harm the reliable operation of the Bulk Power System. MISO’s proposal also follows two Executive Orders aimed at enhancing the security and reliability of critical infrastructure, Improving Critical Infrastructure Security (Executive Order No. 13636, issued in 2013) and Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (Executive Order No. 13800, issued in 2017).
FERC’s June 20 order approves Tariff revisions that will permit MISO to voluntarily provide confidential information to federal agencies or organizations with cybersecurity responsibilities—such as Homeland Security or the Federal Bureau of Investigation—as well as to NERC, in instances of a “Cyber Exigency,” defined as “[a] suspicious electronic act or event that has the potential to compromise reliability . . . and whose severity reasonably requires that the Transmission Provider obtain expert assistance not normally called upon to counter such an electronic act or to resolve such an event.” According to MISO, such exigency situations might occur even when there is no immediate disruption in electrical service. In such instances, MISO will share confidential information without notifying market participants; appropriate notification, if any, will be determined on a case-by-case basis.
FERC approved MISO’s proposed Tariff revisions over objections from Exelon Corporation, which argued that MISO’s proposal failed to adequately protect the confidential information it proposed to share. FERC largely rejected Exelon’s arguments, though it accepted MISO’s proposal in response to Exelon to narrow the agencies with which MISO may disclose confidential information to those with cybersecurity responsibilities under federal law.
FERC’s June 20 order is available here.