FERC pushes new reporting rules for utilities
By Mark Rockwell
The Federal Energy Regulatory Commission has ordered the group that ensures the safety and reliability of North American power grids to tighten up rules for power companies' cybersecurity incident reporting.
Under FERC's final rule issued on July 19, the North American Electric Reliability Corporation (NERC) will require reporting of cyber-intrusions that bump up against electrical providers' perimeter cyber defenses or associated Electronic Access Control or Monitoring Systems, but don't actually get into providers' primary systems.
Current rules for electrical providers require reporting cyber incidents only if they have actually compromised or disrupted "one or more reliability tasks" at provider facilities. The new rule extends reporting to attempted intrusions on the grounds that such attempts could be precursors of future incursions.
The rule would require providers to send reports to the Electricity Information Sharing and Analysis Center, as well as the Department of Homeland Security's Industrial Control Emergency Response Team. It would also require NERC to file an annual, anonymized summary of the incident reports with FERC.
FERC said it believes current threshold reporting requirements can understate the scope of the threat to bulk power systems. According to the agency, that understatement may have been reinforced because there were no reportable incidents in 2015 and 2016.
FERC Commissioner Neil Chatterjee said reports from federal law enforcement describing Russian government-backed cyber campaigns "represent an unsettling uptick in attempts to undermine America’s critical infrastructure systems."
FERC began drafting the new reporting requirements with a notice of proposed rulemaking last December. NERC has six months to develop and submit the modifications to its standards.
Chatterjee said he supported the new rule because it provides NERC with flexibility to work with industry "to ensure that it and DHS receive the timely, accurate, and actionable information they need without dictating an overly prescriptive and burdensome approach."