Security and Resilience (Cyber and Physical)

FERC final rule expands cybersecurity incident reporting

The Federal Energy Regulatory Commission (FERC) on July 19 issued a final rule directing the North American Electric Reliability Corp. (NERC) to develop modifications to the critical infrastructure protection (CIP) reliability standards to improve mandatory reporting of cybersecurity incidents, including attempted compromises that might harm reliable operation of the nation's bulk electric system.

NERC must develop the modifications within six months of the effective date of the final rule (Docket No. RM18-2). The final rule stems from a notice of proposed rulemaking issued by FERC at the end of 2017.

In its comments on the NOPR, NERC said that, consistent with its recommendation in the 2017 State of Reliability Report, it supports broadened reporting of cybersecurity incidents so that it can obtain and share additional information to improve the security and reliability of the bulk electric system.

In its February 2018 comments, NERC noted that, working with stakeholders, it already had several initiatives underway to collect cybersecurity data, improve cybersecurity information sharing across the electric sector, and develop security metrics to help measure bulk electric system security.

At the same time, NERC asked that the Commission not direct it to develop modifications to the reliability standards and instead give NERC the flexibility to collect the data through alternative approaches, such as a data request.

Final rule

In the final rule, FERC directed NERC to develop and submit modifications to the reliability standards that require the reporting of Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity's Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS).

FERC noted that under the current critical infrastructure protection reliability standard (CIP-008-5), an incident must be reported only if it has compromised or disrupted one or more reliability tasks of a functional entity; attempts that are detected and blocked at the ESP or EACMS fall outside that threshold.

FERC's directive in the final rule (Order No. 848) consists of four elements intended to augment the current cybersecurity incident reporting requirement:

  • Responsible entities must report Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity's ESP or associated EACMS;
  • Cyber Security Incident reports must include a specified minimum set of fields, to improve the quality of reporting and allow reports to be compared with one another;
  • Filing deadlines for cybersecurity incident reports should be established, running from the point at which the responsible entity identifies a compromise or disruption of reliable bulk electric system operation, or an attempted compromise or disruption; and
  • Cybersecurity incident reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC) rather than to the Commission, but should also be sent to the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

In addition, NERC will need to file an annual, public, and anonymized summary of the reports with the Commission.

In the final rule, FERC said that it considered comments submitted by NERC and others recommending that broadened cybersecurity incident reporting be implemented through a NERC data request instead of through reliability standard requirements.

“However, on balance, we believe that broadened mandatory reporting pursuant to reliability standard requirements as opposed to a standing data request is more aligned with the seriousness and magnitude of the current threat environment, and more likely to improve awareness of existing and future cybersecurity threats and potential vulnerabilities,” FERC said.

The Commission listed several reasons for its decision. Among other things, it said that a new or modified reliability standard "will ensure that the desired goals of our directive are met because the Commission will have the ability to review and ultimately approve the standard," whereas a NERC data request would afford the Commission only an opportunity for informal review.

In addition, FERC said it has “well-defined authority and processes under section 215(e) of the FPA [Federal Power Act] to audit and enforce compliance with a reliability standard.”

Minimum reporting attributes and timing

FERC said that while the NOPR comments generally support the proposed minimum set of reporting attributes, some parties (including the American Public Power Association) raised concerns with the proposed reporting attributes, especially in the case of attempts versus actual compromises.

In the Commission's view, a new or revised Cyber Security Incident report should include, at a minimum, the information outlined in the NOPR proposal, where available.

Specifically, FERC said the minimum set of reported attributes should include: (1) the functional impact, where possible, that the incident achieved or attempted to achieve; (2) the attack vector that was used, or was attempted, in the incident; and (3) the level of intrusion that was achieved or attempted as a result of the incident. Because attempts are now reportable, each attribute is framed in terms of what was attempted as well as what was achieved.

“In addition, we agree that any reporting requirement should not take away from efforts to mitigate a potential compromise,” FERC said.

With respect to timing, FERC said that NERC should establish timelines for when a responsible entity must submit cybersecurity incident reports to the E-ISAC and ICS-CERT, based on a risk impact assessment and incident prioritization approach to incident reporting rather than a single fixed deadline.

Under this approach, reporting timelines would be commensurate with the adverse impact that the loss, compromise, or misuse of the affected bulk electric system cyber systems could have on reliable operation of the bulk electric system, the agency said.

Higher risk incidents could trigger submission of the report to the E-ISAC and ICS-CERT within a more urgent timeframe, while for lower risk incidents an initial reporting window of between eight and twenty-four hours would still provide an early indication of potential cyberattacks, FERC said.

Under the final rule, cybersecurity incident reports will need to be provided to the E-ISAC and to ICS-CERT or its successor organization.

ICS-CERT is part of the Department of Homeland Security; its functions have since been absorbed into DHS's Cybersecurity and Infrastructure Security Agency (CISA), which is why the rule's "or its successor" language matters. The E-ISAC, which is operated by NERC but functions as an independent group, establishes situational awareness, incident management, coordination, and communication capabilities within the electricity sector through timely, reliable, and secure information exchange.