While 2018 has been a year of unprecedented and escalating cyber-related threats generally, such has certainly been the case with respect to attacks on the nation’s domestic energy facilities. For example, a media report from earlier this year describes hackers’ successful infiltration of the control rooms of multiple electric utilities. According to the article, and many others like it, attacks by both independent and state-sponsored hackers pose an on-going and constant threat to the security of the nation’s bulk power system. Agency oversight of the industry has focused on fortifying infrastructure against physical intrusion, erecting firewalls and other barriers to prevent electronic entry, and developing effective detection, monitoring, and reporting systems.
In response to the rising number of cyberattacks, the Federal Energy Regulatory Commission (“FERC”), pursuant to its authority under the Federal Power Act, issued a final rule earlier this year directing the North American Electric Reliability Corporation (“NERC”) to develop modifications to NERC’s Reliability Standards related to cyber security incidents. FERC’s new rule requires NERC to “augment the mandatory reporting of cyber security incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the bulk electric system.” In a statement accompanying the new rule, then FERC Chairman Kevin McIntyre voiced FERC’s growing concern with respect to cyber threats stating, “Industry must be alert to developing and emerging threats, and a modified standard will improve awareness of existing and future cyber security threats…Cyber threats to the bulk power system are ever changing, and they are a matter that commands constant vigilance.”
FERC’s new rule addresses NERC’s Critical Infrastructure Protection Standards, which apply to responsible entities comprising the nation’s bulk power system, including large utilities, transmission systems and generation facilities. Importantly, the new rule lowers the threshold for a “reportable cyber event.” Not only is this change aimed at creating consistency in reporting, but also will ultimately result in better data collection for assessing the true scope and scale of cyber-related threats. These minimum reporting attributes include: 1) the functional impact of the attempted or achieved incident; 2) the attack vector of the attempted or achieved incident; and 3) the level of intrusion of the attempted or achieved incident. FERC expressly left to NERC the discretion to augment the list “should it determine that additional information would benefit situational awareness of cyber threats.” Moreover, whereas NERC’s current standards obligate responsible entities to report a cyber incident only when it has successfully “compromised or disrupted” one or more “reliability tasks,” FERC’s new rule requires NERC to adopt standards that include not only successful incidents, but also any “attempt to compromise” an entity’s electronic security perimeter or associated electronic access control systems.
Perhaps equally as important, however, the rule directs NERC to change its current reporting requirements to ensure that information related to cyber events is also shared with the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). In discussing the reporting discrepancies and deficits in information sharing by various federal agencies, FERC noted that in December of 2017, NERC reported zero reportable cyber security incidents in 2016, the Department of Energy reported four cyber security incidents for the same period, and ICS-CERT reported that it had responded to 59 incidents in the energy sector in 2016. Based on this data, FERC correctly concluded that, “the current reporting threshold in [the NERC Reliability Standard] may not reflect the true scope and scale of cyber-related threats facing responsible entities.”
FERC’s rule change mandating a lower reporting threshold and greater information sharing should help eliminate at least some of the reporting disparities highlighted by FERC. While this may shed some additional light on the true extent of cyber threats on energy facilities, all indications already demonstrate that the bulk power system is and will remain vulnerable to cyberattacks. Both the energy industry and the federal government, however, have taken a proactive approach to dealing with current and emerging threats by taking critical steps towards identifying and reducing vulnerability. Continued vigilance and a commitment to sharing information can only help to insulate the country’s domestic energy resources from a successful cyberattack.