FERC Aims to Broaden Cyber Incident Reporting Requirements
The proposal follows a Federal Energy Regulatory Commission finding that existing cyber threats to electric utilities are underreported.
On December 21, the Federal Energy Regulatory Commission (FERC or the Commission) proposed to direct the North American Electric Reliability Corporation (NERC) to augment the mandatory cyber incident reporting requirements under the Critical Infrastructure Protection (CIP) reliability standards. If adopted, the proposal would require electric utilities to report all cyberattacks on the electric security perimeters (ESPs) surrounding their key electric infrastructure as well as the associated electronic access control and monitoring (EACMS) devices, which include firewalls, authentication services, security event monitoring systems, and intrusion detection and alerting systems, that protect those perimeters.
Critically, reporting would be mandatory even for unsuccessful attacks and attacks that have no impact on utility operations, which markedly expands the existing reporting requirement. Depending on the level of detail required by the reports and the deadline for submitting those reports, FERC’s proposal could also require electric utilities to conduct a fast and in-depth investigation of each suspected incident.
Comments on FERC’s proposal will be due February 26, 2018.
Cyber-related event reporting is currently addressed in Reliability Standard CIP-008-5, which requires electric utilities to determine whether a malicious act or suspicious cyber incident should be reported to NERC. The utility meets its obligation by notifying the Electricity Information Sharing and Analysis Center (E-ISAC), run by NERC.
Electric utilities are required to notify E-ISAC only if the detected cyber incident successfully compromises or disrupts the utility’s functional reliability tasks. Thus, “zero consequence” incidents need not be reported, even though they may already be tracked by the utility. For example, Reliability Standard CIP-007-6 requires electric utilities to track all login attempts to a protected network, regardless of whether those attempts are successful.
Because such “zero consequence” incidents are not reported, the Commission concluded that the event reporting threshold under CIP-008-5 does not paint an accurate picture of the current cyber threat landscape, and “may understate the true scope of cyber-related threats facing the Bulk-Power System.” For example, as the Commission observed, the Department of Energy’s 2016 annual summary of Electric Disturbance Reporting Form OE-417 contained four cybersecurity incidents reported in 2016: two suspected cyberattacks and two actual cyberattacks. In addition, the Commission noted that the Department of Homeland Security’s (“DHS’s”) multisector incident response team─the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)─responded to 59 cybersecurity incidents within the energy sector in 2016. In contrast, the results of NERC’s latest annual “State of Reliability” performance report concluded that despite the pervasive and growing cyber threat landscape, there were no reportable cyber incidents in 2016. Based on those latest findings, and even though the reporting thresholds and mechanisms for OE-417 and ICS-CERT differ significantly from those under the CIP reliability standards, NERC concluded that “the mandatory reporting process does not create an accurate picture of cyber security risk,” and recommended that the scope of reportable incidents be redefined to include “zero consequence” incidents. The Commission agreed with NERC’s assessment, and proposed to direct NERC to revise the CIP reliability standards to enhance the cyber incident reporting requirements. The “reporting gap” under the existing standards, FERC explained, “results in a lack of awareness” for NERC, electric utilities, and FERC itself.
FERC’s proposal aims to improve cyber incident reporting under the CIP reliability standards by directing NERC to make the following changes:
- Lower the threshold for mandatory incident reports
- Standardize the content in incident reports
- Establish new timelines for filing those reports
Lower Reporting Threshold
FERC proposed to direct NERC to lower the mandatory reporting threshold to include all cyberattacks on an electric utility’s ESP or associated EACMS. Because ESPs and their associated EACMSs are the primary defensive systems protecting the most critical BES Cyber Systems (those considered High and Medium Impact under the CIP reliability standards), FERC proposed that even unsuccessful attempts to compromise those systems or successful attacks without any apparent impact should be reported, including those that did not themselves cause harm but could “facilitate subsequent efforts to harm the reliable operation of the bulk electric system.”
FERC requested comment on whether reporting for EACMS attacks should be excluded as well as whether reporting mechanisms under NERC’s rules, rather than revisions to the reliability standards, could be employed instead.
Incident Report Content
Although electric utilities are required to report certain cyber incidents to E-ISAC under CIP-008-5, the standard does not specify the type or amount of information contained in the report. FERC’s proposal would require NERC to modify the existing CIP reliability standards to require cyber incident reports to contain, at a minimum:
- “the functional impact, when identifiable, that the cyber incident achieved or attempted to achieve” (i.e., a measure of actual, ongoing impact);
- “the attack vector that was used to achieve or attempted to achieve” the cyber incident (i.e., the method used by the attacker); and
- “the level of intrusion that was achieved or attempted” through the attack (i.e., the level of penetration into the electric utility’s protected systems).
FERC explained that these are the same categories of information collected and published by DHS in its annual ICS-CERT report. By standardizing some of the content in cyber incident reports, FERC hopes to facilitate better comparisons across reports, thereby improving awareness of existing and future cybersecurity threats and potential vulnerabilities.
Changes to Reporting Timeline
Under CIP-008-5, an electric utility is required to submit to E-ISAC a report of a cyber incident within one hour after the utility determines that the incident is reportable. However, FERC noted that the current requirement does not establish a specific timeframe for completing the full report. In the notice of proposed rulemaking, FERC proposed to direct NERC to establish a specific reporting timeline for when a utility identifies an actual or attempted compromise or disruption to reliable BES operation. FERC’s proposed change would establish timelines for both attempted and successful breaches, and require that those timelines reflect the actual or potential threat to grid reliability. Under this proposal, the expediency of the mandatory report would turn on the severity of the potential incident, which FERC believes will minimize the burden on reporting entities. FERC also proposed to require that incident reports be submitted to ICS-CERT as well as E-ISAC.
Finally, FERC proposed to direct NERC to file an annual, publicly available, anonymized report containing an aggregated summary of cybersecurity incidents reported to NERC during the previous year, similar to the ICS-CERT annual report issued by DHS.