Federal agencies dealing in everything from consumer protection to securities have made moves in recent years to address cybersecurity standards. The watchdog for energy suppliers can be counted among them.
Amid rising concerns over cyber attacks on critical infrastructure, the Federal Energy Regulatory Commission issued a rule last month on cyber incident reporting for critical infrastructure protection. FERC, which regulates the sale of energy resources including electricity and natural gas, is looking to gather more information from utilities in order to gauge the threat of hacking that could compromise the U.S. power grid.
For those following FERC’s policy announcements in recent years, the emphasis on cybersecurity has seemed a familiar refrain from the agency.
“It’s kind of the next frontier of concern” for natural gas and electricity suppliers, said Raymond Gifford, a utilities attorney and partner at Wilkinson Barker Knauer in Denver and former chair of the Colorado Public Utilities Commission. Gifford said the interconnectedness of modern utilities “is both a strength and a concern,” the latter being exposed when a weak link in the power grid fails, causing a cascade of outages or other service failures.
A Northwestern University study found that only about 10 percent of all transmission lines in the U.S.-South Canada power grid could, if they fail, trigger a cascading outage that goes beyond local networks. But a hack could target those vulnerable lines specifically.
“There’s been more focus on what some sort of cyber event could do because the way the grid operates is you can get these cascading events if the attacks are not stopped timely,” Gifford said.
When it comes to making and enforcing standards to ensure power grids are secure, FERC often delegates to the North American Electric Reliability Corporation, a nonprofit that oversees entities that own and run the continent’s power systems.
At FERC’s direction in its July rule, NERC will require utilities providers to report hacking attempts at their perimeter defenses or their Electronic Access Control or Monitoring Systems (EACMS). Utilities providers will have to report even “zero consequence” attacks that fail to breach their frontline defenses or cause discernible issues. Currently they are only required to report a cyber incident if it has successfully disrupted or compromised a “reliability-related task.” It’s up to NERC to define the reporting thresholds and timelines that utilities will have to meet. But it’s supposed to consider “the function” of the EACMS and the nature of the attempted hack when determining what the threat level should be for the reporting threshold.
One can expect utilities to be filing more frequent reports under the new rule. But the FERC rule also calls for the reports to be standardized so that the data can be more easily compared in aggregate.
Currently, utilities report cyber incidents to the Electricity Information Sharing and Analysis Center, or E-ISAC. Under the new rules, they will also be sending those reports to a division of the Department of Homeland Security.
Each year, NERC would summarize the data in a public report that keeps the reporting utilities anonymous.
NERC must make these tweaks to its Critical Infrastructure Protection (CIP) Reliability Standards by April 2019. The rule takes effect 60 days from its July 31 publication in the Federal Register, and NERC’s deadline is six months after that.
“Cyber threats to the bulk power system are ever changing, and they are a matter that commands constant vigilance,” said FERC Chair Kevin McIntyre in a press release announcing the final rule. “Industry must be alert to developing and emerging threats, and a modified standard will improve awareness of existing and future cyber security threats.”
The Department of Homeland Security and the FBI issued an alert in March that the Russian government has been using hackers to compromise critical infrastructure in the U.S. since at least March 2016.
The methods hackers used to breach power grids, power plants and other infrastructure included spear phishing and attempting to install malware. Last July, Bloomberg reported that hackers, whom U.S. officials believed to be sponsored by the Russian government, infiltrated more than a dozen U.S. power plants.
In a statement, FERC Commissioner Neil Chatterjee noted the DHS and FBI reports of numerous cyber intrusions of the electric grid by the Russian government. “While thankfully none of these intrusions have resulted in an actual power outage, they do represent an unsettling uptick in attempts to undermine America’s critical infrastructure systems,” he said.
Before the rule was finalized, some utilities and trade associations aired misgivings in public comments. The Edison Electric Institute and National Rural Electric Cooperative Association urged FERC to rely on existing reporting requirements instead of requiring cyber incident reporting through the CIP Standards.
Such requirements, EEI and NRECA said, “may weaken the ability of electric companies to participate in these [voluntary reporting] programs by shifting their focus to compliance activity.”
New England energy provider Eversource came out against the proposed rule, saying the increased reporting would create “undue administrative burdens.” Idaho Power contended that the additional reporting would “reduce the finite resources that entities have to monitor and defend their critical infrastructure.”
But FERC pressed on with the reporting requirements, citing “emerging threats” to the nation’s critical infrastructure.
Chatterjee acknowledged the risk that reporting requirements, “if not done properly,” could overburden the industry. But the rule “provides NERC an appropriate measure of flexibility to work with industry stakeholders to ensure that it and DHS receive the timely, accurate, and actionable information they need without dictating an overly prescriptive and burdensome approach,” he said.
— Doug Chartier