On June 18, 2020, FERC issued a Notice of Inquiry (“NOI”) requesting comment on whether the currently-effective Critical Infrastructure Protection (“CIP”) Reliability Standards adequately address: (i) cybersecurity risks pertaining to data security; (ii) detection of anomalies and events; and (iii) mitigation of cybersecurity events. FERC also seeks comment on the potential risk of a coordinated cyberattack on geographically distributed targets and whether Commission action, including potential modifications to the CIP Reliability Standards, would be appropriate to address such risk. In addition, FERC staff issued a White Paper seeking comment on a potential new framework for providing transmission incentives to utilities for their cybersecurity investments.
Notice of Inquiry
The NOI explains that when FERC approved the first set of mandatory CIP Reliability Standards addressing cybersecurity in 2008, FERC stated that the North American Electric Reliability Corporation should look to the National Institute of Standards and Technology Cybersecurity Framework (“NIST Framework”) as a source for improving the CIP Reliability Standards. The NIST Framework provides a high-level, strategic view of an organization’s cybersecurity risk management, and sets forth a comprehensive structure to guide cybersecurity activities. According to the NOI, a comparison of the NIST Framework with the current CIP Reliability Standards shows that three NIST Framework categories may not be adequately represented and thus could reflect potential reliability gaps: (i) cybersecurity risks pertaining to data security; (ii) detection of anomalies and events; and (iii) mitigation of cybersecurity events. The NOI acknowledges that differences between the CIP Reliability Standards and the NIST Framework are to be expected, and seeks comment on whether these differences reflect potential gaps in the CIP Reliability Standards that should be addressed.
In addition, the NOI states that the shift to smaller, geographically distributed generation means that an increasing number of generation resources are not required to comply with the full suite of CIP Reliability Standards. The NOI explains that, given this shift, it is worth examining whether a sophisticated threat actor could initiate a coordinated cyberattack targeting geographically distributed generation resources. The NOI seeks comment on the potential risk of a coordinated cyberattack on geographically distributed targets and whether modifications to the CIP Reliability Standards, including potential modifications to the current MW thresholds, would be appropriate to address such risks. In particular, FERC seeks comment on the procedures and security controls that are currently employed to protect against the potential risk of a geographically distributed coordinated cyberattack and whether modifications to the CIP Reliability Standards would be appropriate to address such risks.
The NOI, which is available here, lists specific questions for commenters to address. Comments are due 60 days after the NOI is published in the Federal Register.
Staff White Paper
The White Paper explores a new framework for providing transmission incentives to utilities for investments that exceed the requirements of the CIP Reliability Standards and that produce significant cybersecurity benefits. The White Paper describes the cybersecurity challenges on the Bulk Electric System (“BES”), including the need to adopt a new approach to incentivize cybersecurity investments. The White Paper points out that a limitation of the current CIP Reliability Standards is that the development process does not lend itself to addressing rapidly evolving cybersecurity threats. In addition, because the CIP Reliability Standards apply to BES facilities, which are generally 100 kV or higher, not all operational technology is covered by the standards—and while facilities that are not covered may be less critical to reliable operations, compromise of those systems may lead to compromise of more critical systems. In terms of establishing incentives, the White Paper states that a necessary first step is to examine the effectiveness of cybersecurity investments in enabling the utility to achieve a level of protection that not only exceeds the CIP Reliability Standards but also enhances the security of its transmission system. The White Paper further provides that incentives for cybersecurity investments could include both rate of return on equity (“ROE”) and non-ROE incentives, but notes that ROE incentives would apply only to the specific incremental cybersecurity investments identified in an applicant’s filing.
The White Paper proposes two approaches to determine whether a utility’s cybersecurity investments are eligible for incentives, to be utilized independently or in combination. The first approach would permit a utility to voluntarily apply certain CIP Reliability Standard requirements to transmission facilities that are not subject to those requirements, e.g., applying all requirements applicable to medium or high impact systems to low impact systems. The second approach would permit a utility to voluntarily implement portions of the NIST Framework. The White Paper notes that under both approaches, utilities could be eligible for incentives under Federal Power Act section 219 for voluntary cybersecurity investments that exceed the CIP Reliability Standards. Investments made to comply with the mandatory CIP Reliability Standards would not be eligible for incentives. Finally, the White Paper requests comments from interested parties on the topics addressed and whether the Commission should consider alternate approaches.
The staff White Paper, available here, asks for initial comments by August 17, 2020, and reply comments by September 1, 2020.