In an effort to better capture the true scope of cyber threats to the electric grid, the Federal Energy Regulatory Commission on Thursday approved a revised reliability standard that broadens mandatory reporting requirements to include incidents that attempt to compromise the grid.
The current standard requires reporting only of incidents that successfully compromise or disrupt a reliability task, such as an incident causing an outage. As a result, no incidents were reported in 2015 or 2016.
Noting that this did not square with the fact that the Department of Homeland Security responded to 59 cybersecurity incidents within the energy sector in 2016, FERC sought to provide more awareness of threats facing the grid. The commission last year directed the North American Electric Reliability Corp., via Order 848 (RM18-2), to revise the critical infrastructure protection reliability standard governing cybersecurity incident reporting and response planning.
The revised CIP standard approved in Thursday's order (RD19-3) extends mandatory reporting of cyber incidents to attempted attacks and events that have compromised the system without necessarily impacting a reliability task. The standard is slated to take effect around January 1, 2021.
'LEARN FROM EXPERIENCE'
"There's a well-documented statistical relationship ... applied to reliability in all kinds of industrial systems between near misses and actual events so it's very important that we learn from experience," Commissioner Cheryl LaFleur said during the agency's open meeting Thursday. The expanded reporting, she added, would also help the commission "identify emerging issues in areas where we may need to enhance reliability standards."
The new standard expands the definition of a cybersecurity incident to include compromises of, or attempts to compromise, electronic security perimeters, electronic access control or monitoring systems, and physical security perimeters associated with high- and medium-impact cyber systems on the bulk electric system, as well as disruptions of, or attempts to disrupt, the operation of a BES cyber system.
Under the current standard, for instance, the discovery of malware installed on a component of a BES cyber system could go unreported if the performance of that system's tasks had not been affected; the revised standard would require the incident to be reported regardless of any impact on system performance.
In that instance, the responsible entity would need to initiate a response plan and report "the incident to the Electricity Information Sharing and Analysis Center and the Department of Homeland Security's National Cybersecurity and Communications Integration Center," Leigh Anne Faugust, a staffer in FERC's Office of the General Counsel, told commissioners during the meeting.
The revised standard lays out certain baseline information that must be included in cyber incident reports "to improve the quality of reporting and allow for ease of comparison between reports," Faugust said. It also establishes deadlines for completing reports and makes clear who should receive the reports following an incident.
INDUSTRY BUY-IN
"The enhanced reporting requirements will ensure a better baseline understanding of how the threat landscape may exploit vulnerabilities of cyber systems that operate on the bulk power system," and "facilitate the appropriate sharing of threat information through the electric industry to better prepare entities to protect their critical infrastructure," Simon Slobodnik of FERC's Office of Electric Reliability said.
"With a multitude of quickly evolving cyber threats targeting our critical infrastructure, the timely dissemination of threat information to both the government and private sector has taken on increased importance," FERC Chairman Neil Chatterjee said at the meeting.
He added that NERC put forth a revised standard in only six months, and that FERC received no comments in opposition to those revisions. "I think this goes to show that when the commission identifies an important issue that needs to be addressed through a standard, NERC and its standard drafting team are capable of producing timely, high-quality standards with significant industry buy-in," Chatterjee said.