FERC aims to raise the bar for reporting cyber attacks with new NOPR

Dive Brief:

The Federal Energy Regulatory Commission has issued a Notice of Proposed Rulemaking (NOPR) that proposes to direct the North American Electric Reliability Corporation (NERC) to modify its reliability standards in order to improve the mandatory reporting of cybersecurity issues.
The NOPR grew out of a petition filed by the Foundation for Resilient Societies that asked FERC to require additional measures for “malware detection, mitigation, removal and reporting.”
FERC, citing existing and ongoing cybersecurity standards and procedures, declined to propose additional reliability standard measures, but did proposed to seek broader reporting requirements.

Dive Insight:

Cyber attacks on utility infrastructure have made the headlines, but they have not been showing up in NERC reports.

The Department of Homeland Security and the Federal Bureau of Investigation in October issued a joint warning about an “advanced persistent threat” from hackers targeting government entities and a wide range of sectors, including energy, nuclear, aviation and critical manufacturing.

Also in October, FireEye found and stopped spear phishing emails sent to U.S. power companies by what the cybersecurity firm said were “known cyber actors likely affiliated with the North Korean government.” And in September, Symantec warned that a group identified as Dragonfly 2.0 had targeted U.S. and European power sectors.

NERC, on the other hand, did not report any cyber incidents in 2015 and 2016. That lack suggests a “gap in the current mandatory reporting requirements,” according to the FERC NOPR announcement.

The current threshold for the reporting cyber incidents applies only to incidents that “compromised or disrupted one or more reliability tasks.” That low threshold could result in “a lack of timely awareness” among stakeholders, according to the FERC filing. To address that, FERC is proposing that NERC modify its Critical Infrastructure Protection (CIP) Reliability Standards include the mandatory reporting of Cyber Security Incidents that compromise, or attempt to compromise the electronic defenses of the electric power system.

The low threshold for reporting cyber incidents is, in fact, “an enormous gap,” Thomas Popik, chairman and president of the Foundation for Resilient Societies, told Utility Dive in an interview.

The current standard essentially means that only cyberattacks that result in a blackout have to be reported, Popik says. That can lead to a false sense of security; fixing problems without having to report them is “counter productive” because it deprives the rest of the industry of knowledge they should have, he added.

The Foundation for Resilient Societies testified before FERC on the cyber threat last January and made a supplemental filing in February. In response to that filing, FERC received comments from NERC, the International Transmission Co. and trade associations, including the American Public Power Association, the Edison Electric Institute, the Electric Power Supply Association, and the National Rural Electric Cooperative Association. Those commenters all said FERC should not act on Resilient Societies’ petition because current cybersecurity protections are adequate.

One of the hurdles to coming up with more rigorous reporting standards is the financial structure of the power industry, Popik noted. About two-thirds of the generating assets in the U.S. are deregulated. Those entities do not want a lot of compliance expenses, especially if they are applied unevenly, Popik said. As an example, he cited the disparity between a decades-old hydroelectric stations and a new state-of-the-art gas generator with digital controls. The new facility could face higher costs to come into compliance with tougher cybersecurity measures than would the older facility.

“We’ve been banking this drum for a long time,” Popik says. “It is finally getting some attention at FERC.”