FERC proposes new standard to improve cybersecurity reporting
FERC proposed a revised Critical Infrastructure Protection (CIP) Reliability Standard to improve mandatory reporting of cybersecurity incidents
FERC proposed a revised Critical Infrastructure Protection (CIP) Reliability Standard to improve mandatory reporting of cybersecurity incidents, including incidents that might facilitate future attempts to harm reliable operation of the country’s bulk electric system.
Under the current CIP Reliability Standard CIP-008-5 (Cyber Security – Incident Reporting and Response Planning), incidents must be reported only if they have compromised or disrupted one or more reliability tasks, FERC said, adding that it is concerned that that threshold may understate the true scope of cyber-related threats facing the grid.
In particular, the lack of any reported incidents in 2015 and 2016 suggests a gap in the current mandatory reporting requirement, FERC said, noting that the 2017 State of Reliability report by NERC echoed that concern.
The Dec. 21 Notice of Proposed Rulemaking (NOPR) would direct NERC to submit modifications to broaden the requirement to include mandatory reporting of cybersecurity incidents that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter or associated Electronic Access Control or Monitoring Systems (EACMS), FERC said.
In addition, FERC said that the proposal would require NERC to modify the CIP Reliability Standards to:
- Specify the required information in cybersecurity incident reports to improve the quality of reporting and allow for ease of comparison by ensuring that each report includes specified fields of information
- Establish a deadline for filing a report once a compromise or disruption, or an attempted compromise or disruption, is identified by a responsible entity
FERC said that the NOPR would require that incident reports continue to go to the Electricity Information Sharing and Analysis Center (E-ISAC), but also would require that the reports be sent to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), and that NERC file an annual, public, and anonymized summary of the reports with FERC.
According to the NOPR, the Foundation for Resilient Societies (referred to by FERC as Resilient Societies) filed a petition asking FERC to require additional measures for malware detection, mitigation, removal, and reporting.
Resilient Societies cited NERC’s State of Reliability Reports for 2014 and 2015, noting that NERC identified only three Reportable Cyber Security Incidents in 2014, and zero Reportable Cyber Security Incidents in 2015. Furthermore, FERC added, Resilient Societies observed that according to U.S. Department of Energy (DOE) Disturbance Reports (OE-417), there were three reported cybersecurity incidents in 2014, zero in 2015, and two in 2016. FERC noted that according to Resilient Societies, in contrast to the number of cybersecurity incidents reported through NERC and DOE Form OE-417, ICS-CERT responded to 79 cybersecurity incidents in 2014, and 46 cybersecurity incidents in 2015.
Among other things, FERC noted that NERC opposed Resilient Societies’ petition, asserting that existing CIP Reliability Standards, current standard development activity, and other cybersecurity efforts adequately address the threats, vulnerabilities, and risks associated with malware detailed in the Resilient Societies’ petition.
FERC said that it declines to propose additional Reliability Standard measures at this time for malware detection, mitigation, and removal, based on the scope of existing Reliability Standards, FERC-directed improvements already being developed, and other ongoing efforts.
However, FERC said that it proposes to direct broader reporting requirements.
“Currently, incidents must be reported only if they have ‘compromised or disrupted one or more reliability tasks,’ and we propose to require reporting of certain incidents even before they have caused such harm or if they did not themselves cause any harm,” FERC said.
FERC said in its statement that comments on the NOPR are due 60 days after publication in the Federal Register.