The Federal Energy Regulatory Commission (FERC) recently bolstered the cybersecurity of the nation’s bulk electric system by expanding the reporting requirements for incidents involving attempts to compromise operation of the grid. The action closes a gap in the prior Critical Infrastructure Protection Reliability Standards that required entities to report only when an incident has compromised or disrupted one or more reliability tasks.
The FERC previously directed the North American Electric Reliability Corp. (NERC) to enhance the reporting of cybersecurity incidents, out of concern that the existing standards may understate the true scope of threats by disregarding reporting incidents that could facilitate subsequent efforts to harm the reliable operation of the grid.
“Defending our nation’s electric grid against cybersecurity threats is one of the commission’s most pressing challenges,” Chairman Neil Chatterjee said. “It is vital that we ensure that the NERC and the Department of Homeland Security have all the information needed to understand the evolving threat landscape for industrial control systems.”
The approved new Critical Infrastructure Protection Reliability Standard CIP-008-6 (Cyber Security – Incident Reporting and Response Planning) now requires reporting of cybersecurity incidents that either compromise or attempt to compromise electronic security perimeters, electronic access control or monitoring systems, and physical security perimeters associated cyber systems. The new reliability standard also encompasses disruptions or attempts to disrupt the operation of a bulk electric cyber system.
Each responsible entity will be required to develop criteria for identifying an attempt to compromise a cyber asset, and then apply those criteria during its cybersecurity incident identification process. This approach provides responsible entities the flexibility to develop criteria appropriate to their systems.
The revised standard also addresses the information to be included in cybersecurity incident reports, their dissemination, and deadlines for filing. Reports and updates will be sent to the Electricity Information Sharing and Analysis Center and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center.