Dive Brief:
- Federal regulators issued a final rule Thursday, giving the North American Electric Reliability Corp. (NERC) six months to modify the Critical Infrastructure Protection Reliability Standards, with an aim of expanding reporting requirements for cyber incidents.
- The Federal Energy Regulatory Commission (FERC) also directed NERC to consider the threat level when developing reporting thresholds and timelines, and increased the number of agencies that will receive the incident reports.
- The commission issued its notice of proposed rulemaking last year, in response to a petition by the Foundation for Resilient Societies. The group urged FERC to place more focus on “malware detection, mitigation, removal and reporting.”
Dive Insight:
Current rules only require the reporting of a cyber incident if one or more reliability tasks have been disrupted or compromised. NERC will now develop rules that require incident reporting under significantly broader scenarios.
FERC Chairman Kevin J. McIntyre said the modified standard "will improve awareness of existing and future cyber security threats."
The order directs NERC to update rules focused on incident reporting and response planning. The new rules would require a report if an entity's Electronic Security Perimeter or associated Electronic Access Control or Monitoring System (EACMS) is compromised — or if there is an attempt to compromise it.
The new rules also call for standardizing cyber security incident reports, and sharing them with another agency. Each year, NERC will file a public and anonymized summary of the reports with FERC.
Incident reports will continue to be sent to the Electricity Information Sharing and Analysis Center, and will be shared with the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team.
NERC will have some discretion in developing the reporting rules; FERC's order directs it to "develop requirements based on the function of the EACMS and the nature of the attempted compromise or successful intrusion."
Reporting timelines will also need to be developed that correspond to the potential impact of an intrusion.
"Prioritizing incident reporting will allow responsible entities to devote resources to reporting the most significant Cyber Security Incidents faster than less significant events," FERC said.
Thomas Popik, chairman and president of the Foundation for Resilient Societies, previously told Utility Dive in an interview that the low threshold for reporting cyber incidents is, in fact, "an enormous gap" that can lead to a false sense of security.
As the cyber threat to the grid becomes more widespread and persistent, regulators are rushing to make the power system as secure as possible. In April, FERC approved revisions to cybersecurity rules surrounding "transient electronic devices," such as thumb drives and laptops.