Skip to main content
close search
site logo
Dive Brief

FERC moves to shore up potential cyber vulnerabilities

Published April 23, 2018
Robert Walton's headshot
Senior Reporter
Getty Images

Dive Brief:

  • Federal regulators have approved revisions to cybersecurity rules surrounding "transient electronic devices," such as thumb drives and laptops, in the latest effort by the energy sector to shore up its defenses.
  • The Federal Energy Regulatory Commission on Thursday issued a final rule approving a revised Critical Infrastructure Protection reliability standard. The rule directs the North American Electric Reliability Corp. to make changes to standards to "further mitigate the risk of malicious code" from some transient devices.
  • The power industry is increasingly on alert in the face of growing cyber threats, and federal regulators have been refining rules and requirements. But NERC did not report any cyber incidents in 2015 and 2016, and as a result FERC, is also considering changes to mandatory reporting of cybersecurity issues.​

Dive Insight:

FERC directed NERC to revise security standards for third-party transient electronic devices connected to low impact bulk electric system (BES) cyber systems. The devices are among a wide array of potential threats to the electric grid, along with spear phishing attacks and efforts to compromise industrial control systems.

In a statement, NERC said the revised standard represents "the next stage in cyber security standards, improving base-line cyber security posture of responsible entities."

But FERC did not adopt a proposal to "provide clear, objective criteria for electronic access controls for low impact BES Cyber Systems."

Regulators in their order wrote that the current standard for such access controls already "provides a clear security objective that establishes compliance expectations." Regulators declined to adopt the proposal, which had been included in the initial Notice of Proposed Rulemaking directing NERC to update their Critical Infrastructure Protection standards.

Federal officials have been warning of cyber threats increasing in sophistication, and are worried NERC's reporting standards do not reflect the growing threat. The low threshold for reporting cyber incidents is “an enormous gap,” Thomas Popik, chairman and president of the Foundation for Resilient Societies, told Utility Dive in an interview.

In March, an alert from the U.S. Computer Emergency Readiness Team warned Russian hackers have mounted a methodical, long-term campaign to infiltrate and surveil critical U.S. infrastructure, including energy and nuclear. That alert followed warnings from private security firm Dragos, which reported a rise in targeted attempts to infiltrate utility systems coming from North Korea-related hackers.

Most recently, the communications network utilized by Energy Transfer Partner's pipeline system faced a cyberattack and was shut down, along with other gas pipelines. Hackers infiltrated a communications platform provided by Energy Services Group LLC, which impacted five pipelines and resulted in possible late bills for some Duke Energy customers in Ohio.

Recommended Reading

Filed Under: Regulation & Policy

Editors' picks

Company Announcements

View all | Post a press release
Technosylva and KatRisk Join Forces to Expand Wildfire Management and Catastrophe Risk Modelin…
From Technosylva
November 18, 2024
Utility Broadband Alliance 2024 Summit & Plugfest Shatters Attendance Milestone
From Utility Broadband Alliance
November 21, 2024
TESCO Solidifies Leadership in Electric Meter and EV Charging Station Accuracy
From TESCO - The Eastern Specialty Company
November 12, 2024
Oncor System Resiliency Plan Approved by PUCT
From Oncor
November 14, 2024
Editors' picks
Latest in Regulation & Policy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell